Activities - Activity 2

Internal Capability Development

 

Training materials

Introduction to the Cybersecurity Act 2019

Introduction to the EU Cloud services (1)

Introduction to the IoT Eurosmart

 

Introduction to the EU Common Criteria

Introduction to the EU Cloud Services (2)

Introduction to the ISO 17065 and ISO 17025

 

What is this activity about?

The aim of this activity is to develop and enhance the capabilities of the project participants so that they can effectively undertake the conformity assessment activities set out in the Cybersecurity Act. The activity involves the following parties: 

What are the tasks involved?

  • Delivery of the pre-existing training program from the B4C project (Action 2019-EU-IA-0109) to NSAI. This training program will help NSAI to understand its role and responsibilities and apply the principles of the cybersecurity certification process end to end. It will cover:

      • Introduction to the Cybersecurity Act, ISO 17065, ISO 17025, CAB certification processes step by step, NAB accreditation processes step by step, NCCA authorization processes step by step

      • Introduction to Common Criteria (EUCC scheme)

      • Introduction to Eurosmart IoT device certification.

  • Development of additional training material to cover the EU cloud services (EUCS) certification scheme and related cloud certification schemes and security management frameworks, and cybersecurity auditing of CABs and vendors. The training will cover:

      • Introduction to Cloud Security: Cloud Services Definition, Typical Cloud infrastructure, Domain of activity, Market statistics, Cloud Services examples, Large attack surface and Cloud Service security risk analysis

      • Introduction to the EU Cloud Service scheme: Different stakeholders’ problems, Trusting the Cloud:

      • Importance of certification schemes

      • Need for a new certification scheme (C5, SecNumCloud)

      • Security assurance levels for Cloud market verticals

      • Beneficiaries of Cloud certification schemes, Roles & responsibilities (comparison with CC and CSA)

      • Defining the Target of evaluation, Key definitions, Overview of certification procedure

      • Key benefits of the certification scheme

      • EU Cloud Service Certification scheme comparison

      • Certification Process from A-Z

      • Security Requirements (SR): SR definition, Stakeholder & Risk Owner, Cloud Services Lifecycle, Terms and definition, Operational Environment, How to create Security Requirements?

      • Evaluation Procedure: Evaluation Input, Security Assurance Description, Attack potential, Certification procedure

  • Delivery of additional training material developed previously to all partners 

  • Develop and deliver a complete training program covering the following topics:

      • Introduction to Secure Development Life-Cycle Processes (SDLC) and Applicable Frameworks

      • Overview of existing platforms and related tools automating parts of this process (e.g. IoTinspector, Acunetix, All4Tec, Katalon, CCtoolbox)

      • ISO 17067: Fundamentals of product certification and guidelines for product certification schemes

      • Process flow design methods, techniques and basic building blocks

      • Semantics of the shapes and how best to use them

      • Best practices to support the implementation of Activity 5, presenting some of the tools and platforms used during security by design and certification processes.

What are the benefits for stakeholders?

Developing capabilities for NCCAs, NABs and CABs with regard to the implementation of the EU cybersecurity certification framework in line with the Cybersecurity Act. Raising awareness amongst cloud service providers about the regulatory requirements involved in the cybersecurity certification process.

Additionally, the results of this activity can be reused in other EU member states that wish to build their capabilities towards the establishment of the cybersecurity certification ecosystem in their countries.