
ercom
10 April 2024

What do the different ANSSI qualifications/certifications mean?

In an increasingly connected world, cyber security plays an essential role in protecting your communications and data. Cyber attacks can have devastating consequences, both economically and in terms of national security. It is in this context that France's National Agency for the Security of Information Systems (ANSSI) plays a crucial role in protection and regulation. Since its creation, numerous standards have been deployed, but it is sometimes difficult to navigate them. In this article, we clarify the notions of certification and qualification as issued by ANSSI, to help you choose approved solutions.

The National Agency for the Security of Information Systems

The National Agency for the Security of Information Systems (ANSSI) plays an essential role in protecting and defending cyberspace in France. Its main mission is to ensure the security of information systems for the State, organizations and citizens. To this end, it is responsible for preventing computer attacks, detecting emerging threats, and responding quickly and efficiently to incidents. ANSSI also draws up recommendations, standards and best practices for cyber security, encouraging the adoption of appropriate protection measures at all levels. Working closely with public and private players, ANSSI raises user awareness of cyber security issues and anticipates technological developments and new threats. With its cutting-edge expertise and concrete actions, ANSSI makes a significant contribution to the overall improvement of cyber security in France, strengthening user confidence in digital technologies. Its approval schemes are designed to meet 3 objectives:

  • Regulatory: comply with national or European regulations requiring the use of solutions that guarantee a proven level of robustness;
  • Contractual: meet the needs of public and private sector clients who require the solutions they use to have ANSSI-approved security;
  • Commercial: enable product or service suppliers, and the end-users of their solutions, to stand out from their competition by ensuring a certain level of robustness.

To this end, ANSSI has set up qualification and certification procedures to assess and approve cyber security products, services and service providers that meet its standards and requirements. 

The ANSSI certification

A certification is an attestation of a product's degree of robustness, established through a conformity analysis and penetration tests carried out by a third-party evaluator under ANSSI supervision, according to a blueprint and a baseline suited to user security requirements and taking technological advances into account. It can cover a wide range of cyber security products and other digital solutions with security features. Examples include network products such as VPNs and firewalls, smart cards, hardware security modules (HSMs), trusted execution environments (TEEs), and products for operational systems, among others.

As a user, choosing a certified product gives you assurance that the certified features offer a proven level of security, that is, resistance to attacks of a specified level. For developers of digital solutions, certification of their product opens the way to numerous cyber security markets, both in France and internationally. This strengthens their credibility and gives them access to a wider customer base by demonstrating the verified security level of their products.

The First Level Security Certification 

Different types of certification are available in France. First of all, there is the First Level Security Certification (CSPN), introduced by ANSSI to offer an alternative to Common Criteria (CC) evaluations by assessing a product's resistance to moderate-level attacks. A CSPN evaluation is generally less exhaustive than a CC certification and focuses more on analysis of the product itself. It consists of tests carried out under strict time and workload constraints (generally 2 months, 25 to 35 man-days).

Common Criteria 

Then there is the Common Criteria (CC) certification, an internationally recognized standard based on multilateral recognition agreements. The CC make it possible to reach different levels of security assurance for a product, taking into account the product's design characteristics, its development process and its resistance to specific attacks. The higher the targeted assurance level, the more precise the evidence required, and the greater the effort needed to assess it.

By default, the Common Criteria define 7 Evaluation Assurance Levels (EALs). Each level has its own assessment tasks, which can be roughly divided into two phases, compliance analysis and vulnerability analysis:

  • EAL1: functionally tested; resistant to a script-kiddie attacker.
  • EAL2: structurally tested; resistant to a low-level attacker.
  • EAL3: methodically tested and verified; resistant to a low-level attacker.
  • EAL4: methodically designed, tested and verified; resistant to a moderate-level attacker.
  • EAL5: semi-formally designed and tested; resistant to a medium-level attacker.
  • EAL6: semi-formally verified design and system tested; resistant to a high-level attacker.
  • EAL7: formally verified design and system tested; resistant to a high-level attacker.

The choice between these two types of certification depends on the applicant's situation, its specific needs, and the level of security the product must reach to meet the requirements of its target industries and markets.

The assessment process

Assessment for certification is based on two key components. The first is a compliance analysis, which verifies that the security features are implemented according to the expectations defined in the security target and comply with the applicable standards and evaluation criteria. This analysis covers aspects such as the implementation, configuration management and control by the developer, the security of the development environment, and functional testing. The second component is a vulnerability analysis, which builds on the results of the compliance analysis. Its aim is to ensure that the security features of the Target of Evaluation (TOE) cannot be bypassed or defeated by an attacker with a pre-established level of skill and resources. This stage includes an assessment of the potential vulnerabilities associated with the product's implementation, architecture or use, together with targeted penetration tests that reinforce confidence in the security of the certified product.

The evaluation process is carried out by a private laboratory, the Information Technology Security Assessment Center (CESTI), which must be accredited to ISO/IEC 17025 by COFRAC and approved by ANSSI for CC and CSPN evaluations. 

The ANSSI qualification

A qualification is a recommendation by the French State attesting that a particular cyber security product (or service) has been tested and approved by ANSSI. All cyber security products and services, particularly those that meet the needs of government agencies and Operators of Vital Importance (OIVs), are eligible for qualification. Qualification of a product or service by ANSSI is recognized in France and, under certain regulatory frameworks, in Europe.

This endorsement certifies that these products or services comply with the regulatory, technical and security requirements laid down by ANSSI, thereby ensuring their robustness and the competence of the service provider.

Assessing a product's robustness involves testing its ability to withstand computer attacks, taking into account its specified context of use and the expected threat level. Similarly, assessing the competence of a service provider demonstrates its ability to identify and control threats and risks, in line with the requirements of the relevant business standards.

Another important aspect of the qualification is the assessment of confidence. This involves assessing the supplier's ability to meet a set of commitments to ANSSI over the long term. For products, this can include confidentiality and data protection, as well as the correction of vulnerabilities. For services, this may include maintaining the skills of the service provider.

As a user of qualified products or services, you can rest assured that you are choosing solutions that have been tested for security and trustworthiness. You benefit from government-recommended products, used by the French administration, operators of vital importance and organizations in the most sensitive industries.

For products, there are three levels of qualification:

  • Elementary level: The product must withstand an attacker with basic technical skills and limited resources.
  • Standard level: The product must withstand an attacker with advanced technical skills and significant resources.
  • Reinforced level: The product must withstand an attacker with sophisticated technical skills and unlimited resources, as well as State-sponsored and/or criminal groups.

Services eligible for qualification must belong to one of the families identified to meet regulatory requirements:

  • Cyber defense service providers:
    - Information Systems Security Audit Providers (PASSI)
    - Security Incident Detection Service Providers (PDIS)
    - Security Incident Response Service Providers (PRIS)
  • Cloud computing service providers (SecNumCloud).
  • Digital trust service providers:
    - Electronic Certification Service Providers (PSCE)
    - Electronic Time-stamping Service Providers (PSHE)
    - Electronic Signature and Seal Validation Service Providers
    - Electronic Signature and Seal Storage Service Providers
    - Electronic Registered Mail Service Providers

The assessment process

[Figure: ANSSI qualification process (qualification_solutions_visa_securite_anssi)]

To obtain a qualification, the supplier of a cyber security product or service must submit an application to ANSSI, either electronically or by post. ANSSI examines complete applications and retains the offers that meet the needs of the public sector and Operators of Vital Importance (OIV).

If the supplier's offer is deemed eligible, the supplier is asked to propose an "evaluation contract" to ANSSI, defining the framework and conditions for the evaluation of the product or service. Once ANSSI has approved the contract, the evaluation can begin. The product or service then obtains the status "in the process of qualification", and the supplier is authorized to promote it as such.

Evaluations are carried out by an ANSSI-approved evaluation center, which tests the robustness of the product or the competence of the service provider in accordance with the terms of the evaluation contract. The supplier must also ensure that it meets its commitments in terms of evaluation conditions and deadlines. The results of these assessments are then submitted to ANSSI, which may request additional assessments if necessary.

The qualification decision depends on the results of the evaluations and their compliance with the robustness and confidence criteria defined by ANSSI. According to these criteria, ANSSI specifies the secure uses of the product or service, and the conditions to be met. As part of the follow-up process, the supplier must maintain the robustness of its solution and maintain confidence by meeting its long-term commitments.

What is the validity of a qualification?

The validity of a qualification depends on the conditions and any restrictions set out in the qualification decision. As part of the follow-up process, the supplier must inform ANSSI of any significant change concerning the sponsor or the supplier of the product or service. Such changes include a transfer of ownership, a change in legal structure, loss of national defense secrecy clearance for the business or for persons involved in the qualified offer, end of sales, changes to corrective maintenance activities or user support, and so on.

Depending on the regulatory framework, qualification is granted for a maximum period of 2 to 3 years. During this period of validity, ANSSI assigns a level of recommendation to the qualified offer; this level evolves over time and reflects the guidelines for use and acquisition established by ANSSI.

Once the period of validity has ended, a simplified renewal of the qualification is possible. To obtain it, the supplier must renew its commitments, present an impact analysis covering all modifications and corrections made since the initial qualification, and, if necessary, undergo additional assessments. Similarly, new versions of already-qualified products can be qualified through an equivalent simplified process.

How to acquire a qualified solution?

To acquire a qualified solution, those in charge of purchasing products or services related to information systems security can refer to two resources made available by ANSSI:

1. The Buying Guide for Qualified Security Products and Trusted Services: published on the ANSSI website, this guide provides essential information to help managers find the right offer for their IT security needs.

2. The Qualified Solutions Catalogue: also available on the ANSSI website, this catalogue lists the products and services that have been qualified, providing a complete list of trusted solutions.

Managers can check these resources on the ANSSI website to identify and select the products or services that best meet their information systems security requirements.

Note that if you are looking for an ANSSI-qualified partner for critical environments, whether for audit, detection or incident response services, Thales is one of them.