As the national authority for the security and defense of information systems, ANSSI guides users in their choice of solutions. It thus issues Security Visas making it easy to identify reliable solutions that are recognized as such following an assessment carried out by approved laboratories.
To do this, it has a:
The creation of new security certification schemes
Technological and market developments, the maturity of players in their perception of risks, and the proposals for substantial- and basic-level certification in the European Commission's draft regulation on security certification all underline the need to create new security certification schemes.
They would complement the systems currently operated by ANSSI, in particular to certify service providers, or products subject to weaker security requirements.
Several private or institutional players are likely to position themselves in these new segments. Faced with these inevitable changes, ANSSI should determine its position, support the coherent and orderly implementation of these new practices, and change the framework of its activity as needed.
Call for expressions of interest
ANSSI is launching a call for expressions of interest to consult players who wish to position themselves on substantial and basic level security certification and operate it in France.
Goals: identify these actors and collect their recommendations on:
- conditions of notification by a national authority, in addition to their accreditation by the French Accreditation Committee (COFRAC), depending on the levels;
- conditions of attachment of an actor to several national authorities and opportunities for international development;
- identification of the relevant assessment activities to be carried out, according to the levels, in relation to the other conformity assessment activities that would already be in force on the same ranges of offers;
- skills expected for the assessment tests;
- mode of supervision of activities to ensure consistency in the work performed, and adequate handling of anomalies;
- protection of activities related to security assessment and certification;
- means of harmonizing risk analysis, assessment and certification methods and practices;
- support from ANSSI and the existing ecosystem (CESTI) for the ramp-up of actors, and determination of relevant information (guides, vulnerabilities, for example) that could be exchanged with ANSSI in the operation of a scheme;
- tools that would automate activities, and skills needed to develop and operate these tools.
How to contribute?
1. Make yourself known
Do you plan to develop an activity related to security certification? Do you work for a certification or evaluation body, or are you a developer of security evaluation test benches?
Make yourself known to ANSSI before September 7, 2018 (contact: philippe.blot[at]ssi.gouv.fr).
2. Participate in the information point(s)
ANSSI will organize a collective information point at the end of August on the European work in progress, and will answer all your questions.
If this proves useful, the agency will organize a second one at the end of November.
3. Submit your recommendations
You will be able to submit your recommendations, alone or with others, by the end of 2018, submitting an interim report to ANSSI if you wish.
In February 2019, ANSSI will present to you its analysis, based on the recommendations received, and the resulting actions.