The differences between product certification and qualification | Stormshield

The use of certified or qualified solutions is both a demonstration of trustworthiness and an assurance of a proven level of security for the strategic information of the most sensitive companies and organisations. But the difference between certification and qualification is not always apparent. So let’s unpack this subject a little…

There are many cybersecurity solutions out there. However, not all of them provide the same level of effectiveness, robustness or – crucially – confidence. That’s why the French cybersecurity agency (ANSSI) recommends “using products and services that meet security and trust requirements”.


What are the promises behind the headlines?

Behind the unassuming titles of “certification” and “qualification” lie a number of subtleties and distinctions. In both approaches, the product is assessed against a predefined level of skills and resources attributed to a given attacker (the attacker's “attack potential”, in Common Criteria terms).

Strictly speaking, certification attests that a product offers a certain level of security, whereas qualification attests to the product’s compliance with regulatory, organisational, administrative or technical requirements. Qualification therefore acts as a strong recommendation for use, demonstrating the level of trust placed in both the product and its vendor. In other words, “certification attests to a given level of security chosen by the solution vendor,” explains Sébastien Viou, Stormshield Director of Cybersecurity and Product Management. “Qualification means complying with a specific need and specific requirements – in this case, from government bodies.”

More specifically, the term “certification” covers both national certifications (such as the French Certification de Sécurité de Premier Niveau, CSPN) and international certifications (such as Common Criteria, CC). Common Criteria certifications are in turn broken down into seven Evaluation Assurance Levels, from EAL1 to EAL7, of gradually increasing rigour. In this paper, the term “qualification” refers to France’s ANSSI qualification, which is divided into three levels for security products (basic, standard and enhanced), each representing a degree of resistance to cyberattacks. At basic level, the product must demonstrate its ability to withstand an attacker with rudimentary technical skills and limited resources. At standard level, the attacker is assumed to have more advanced technical skills and greater resources. At enhanced level, the attacker has sophisticated technical skills and effectively unlimited resources, potentially with state support or the backing of criminal groups.

However, “it’s not as simple as saying that qualification is always better than certification,” explains Sébastien Viou: “That will depend on the level of the two labels you’re seeking to compare. However, when issues of French national sovereignty are at stake, qualification will always be more reassuring than Common Criteria certification to an ‘organisation of vital importance’ (OIV).”


What are the assessment methods?

Certification and qualification therefore serve different purposes: a solution vendor can point to certification when promoting the robustness of its product, whereas qualification attests that the product is suitable for use in a specific context.

This difference is rooted in the assessment cycle of the two labels. In the case of certification, whether international (Common Criteria) or national (CSPN), the assessment process aims to demonstrate the product’s robustness against cyberattacks; in other words, that the product's security functions satisfy the expectations defined in its security target. This security target may conform to a protection profile, a standard model of security objectives and requirements for a class of product. It is also possible to define an ad hoc security target that adheres more closely to the scope of protection expected by an end user.

In the case of qualification, the process is divided into two stages: an assessment of robustness (as with certification) and an assessment of compliance with specific requirements. From the robustness assessment phase onwards, qualification differs from certification in that the security target is set jointly by the solution vendor and the ANSSI qualification office. The process also assesses confidence in the vendor’s ability to meet its commitments in terms of confidentiality, protection of user data, correction of vulnerabilities and source code quality (such as compliance of the cryptographic components of the code with ANSSI guidelines). This evaluation, carried out through pentest sessions and code analysis, can extend to the solution's administration tool. All of which adds weight to the principle of digital sovereignty.

Unlike certification, which attests that a product's design meets a given level of requirement, qualification is a formal recommendation by a government agency for a specific security product or service that “resists computer attacks in line with a defined context of use and threat level.”


When should you choose a qualified product?

This is a simple question for the most heavily regulated organisations to answer, as the regulations governing their activities require them to use trusted, sovereign security solutions. The ANSSI specifications address this requirement: organisations whose activities fall within the scope of three French and European regulations, namely the Référentiel général de sécurité (RGS), the eIDAS regulation and the Loi de programmation militaire (LPM) military planning law, must use a qualified cybersecurity product.


More recently, the European NIS2 directive has put the spotlight on supply chain players (subcontractors and service providers) with access to critical infrastructure. Given the risk of supply chain attacks, it is worth remembering that the qualification of a cybersecurity product includes an audit of the solution vendor’s production chain. While the application of the NIS2 directive is still pending, the existing NIS1 recommendations remain a useful guide. ANSSI's Recommendations for the protection of critical information systems cover the protection of essential service operator (ESO) networks in several sections: security of architecture, security of administration, identity and access management, and maintenance in secure conditions. Above all, they set out the context in which these recommendations apply. In the “Use of trusted products and services” section, it is “strongly recommended to give preference to products that have obtained ANSSI security approval - and in particular those that have obtained a qualification – where such exist.”

If your activity is not covered by such a legislative framework, no security product is mandatory, but ANSSI still recommends using certified cybersecurity products. Going further, the use of a qualified cybersecurity product remains good general practice, because non-sovereign cybersecurity solutions carry risks of their own: espionage, interruption of service continuity and dependence on foreign solutions. Qualification is synonymous not only with confidence in a cybersecurity product, but also with an audit of the vendor as a whole. Choosing a qualified cybersecurity product means implementing the sovereign solutions used by the French government, operators of vital importance (OIV) and companies in the most sensitive sectors.


In conclusion, it's important to bear in mind that certifications and qualifications are not interchangeable, and that requirement levels vary from one label to another. Most importantly, the choice of a label should begin with a clear definition of your needs and an analysis of the relevance of the security target to them. And above all, even though the certification or qualification process is a long one, it is vitally important that qualified or certified versions are kept up to date, since a certificate or qualification applies to a specific version of the product. But that’s a story for another day…

Trust is a key issue in cybersecurity solutions, and so the technology behind Stormshield's various solutions is developed to the highest levels of certification on the market – an ongoing process of security qualification and certification, recognised by the relevant European and international authorities such as ANSSI in France and CCN in Spain. And because the subject of certification and qualification is a complex one, Stormshield can help you make sense of it.
About the author
Julien Paffumi, Product Portfolio Manager, Stormshield

Julien Paffumi began his career as a Quality Engineer in Arkoon's R&D department. He then went on to train administrators directly, acquiring extensive knowledge of their needs, invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls and then of the Stormshield Management Center centralised administration console. As Product Portfolio Manager, he now has a cross-functional role that lets him feed his eternal curiosity with a more global view of Stormshield solutions.