CPSTIC: The State’s Technical Guarantee to Protect Critical Systems

Protecting critical infrastructure, public bodies, and entities subject to the National Security Scheme (ENS) and the NIS2 Directive is not optional, it is a strategic necessity. In this context, the Catalogue of ICT Security Products and Services (CPSTIC), managed by the National Cryptologic Center (CCN), part of the National Intelligence Center (CNI), stands as a state-level reference that certifies, evaluates, and validates technological products and services according to the highest cybersecurity standards.

What is CPSTIC and Why Is It Key?

CPSTIC is an official and technical (non-commercial) catalogue listing ICT solutions that have passed rigorous evaluation, verification, and certification processes according to ENS requirements (under Royal Decree 311/2022) and international standards such as Common Criteria. Listed products are classified by security levels (Basic, Medium, High) and are deemed suitable for:

• Classified systems (Law 9/1968).
• Systems handling sensitive or confidential information.
• Critical infrastructures and essential services covered by NIS2.
• Public bodies and projects with regulatory compliance requirements.

The catalogue’s goal is to ensure that both public administrations and private companies can confidently identify which technological solutions offer real guarantees of protection, traceability, interoperability, and secure integration.

Evaluation and Certification Process

Inclusion in the CPSTIC is neither automatic nor superficial. Manufacturers must submit their products to a comprehensive process involving:

1. Formal Application and Technical Evaluation: Conducted by CCN-accredited laboratories under schemes like LINCE or Common Criteria. Everything from architecture and design to penetration testing is analyzed to evaluate resilience against real-world threats.
2. Certification and Classification: If compliant, the product is granted “approved” or “qualified” status depending on its suitability for high-security environments.
3. Inclusion and Maintenance in CPSTIC: Listed solutions undergo periodic reviews, ensuring they remain up-to-date and continuously improved.

Categories Covered by CPSTIC

The catalogue encompasses software, hardware, and security services. Key categories include:

• Network security products (firewalls, VPNs, IDS/IPS).
• Authentication and access control systems.
• Identity management platforms.
• Encryption, monitoring, and auditing solutions.
• Professional cybersecurity services (consulting, auditing, SOC, etc.).

Practical Advantages of Choosing CPSTIC Products

For CISOs, IT managers, and compliance teams, implementing CPSTIC-listed solutions such as Endurance offers immediate benefits:

• Reduced effort for technical justification: There’s no need to prove the product’s security from scratch—it has already been evaluated by the CCN.
• Automatic compliance with contractual requirements: In many public projects, the use of CPSTIC products is mandatory.
• Ongoing support and evolution: Listed products must stay updated, ensuring solid and sustainable protection.

Endurance: Verified as a PAM Solution

Among the solutions included in CPSTIC, Endurance by Cosmikal stands out, validated as a Privileged Access Management (PAM) tool. Its inclusion confirms technical alignment with ENS principles, demonstrating its resistance to cyberattacks, isolation capabilities, and complete traceability.

What Technically Sets Endurance Apart?

Endurance introduces a distinct approach that goes beyond traditional access control by incorporating additional layers of hardening, encryption, and monitoring:

1. Complete Isolation of the Protected System: Uses encrypted VDI-based hardened remote desktop architecture. Only mouse, keyboard, video, and audio events reach the user’s endpoint—eliminating risks like direct commands, file transfers, or covert access.
2. Encrypted Vault: IT/OT access credentials are injected from a centrally managed vault and never travel to the client. Encrypted in transit and at rest, even administrators cannot access the keys.
3. Connection Broker: Acts as a secure intermediary enforcing access policies, multi-factor authentication, session time limits, etc., while offering real-time traceability.
4. Audit: All sessions are recorded and stored, allowing exact reconstructions for compliance audits or investigations.
5. ENS/NIS2 Compatibility: Endurance is designed to support compliance with multiple regulatory articles thanks to its access control, privilege management, role segregation, resilience, and traceability features.

Conclusion

CPSTIC is not just a database, it is a high-level, state validated technical catalogue. The inclusion of Endurance confirms its compliance with the most demanding standards of security, traceability, and resilience. This makes Endurance an ideal tool for securing access to IT/OT assets, from SCADA and IoT environments to telecom or energy infrastructures, with official verified and state recognized guarantees.

Check Endurance in the CPSTIC here.