Activities - Activity 5

Process & Flow Modelling

for efficiency in the certification & evaluation process


What is this activity about?

The aim of this activity is to establish a reference model architecture that can be adopted by technological means (e.g. process management platforms) to execute recurring certification process tasks, leading to minimised costs, increased efficiency and streamlined processes.

What are the tasks involved?

  • Evaluation of existing modelling methods, platforms and/or technologies. Identification and selection of the design modelling notations to be used for designing the various modules.

  • Definition of the internal module certification subprocesses carried out by CABs, NCCAs, NABs and vendors/consultants. All relevant objects and attributes required by peer modules will also be defined. As a result, the interfaces of this module will be designed, depicting its inputs and the outputs to be made available to vendors and/or peer modules.

  • Definition of the mapping of all inputs and outputs of peer modules (all stakeholders), aiming for an end-to-end certification flow. All modules developed in the other tasks will be aligned/mapped in terms of their input and output capabilities so that the end-to-end certification process flow can be achieved in a unified flow ecosystem.

Technical brief

1) NCCA module model

Although each stakeholder can start developing its capabilities independently, the NCCA is responsible for supervising the implementation and maintenance of EU schemes nationally within EU member countries. As such, the process starts here. The NCCA is also responsible for monitoring and authorizing CABs, as well as handling complaints under certain conditions specified in each scheme.

Other responsibilities of the NCCA include enforcing the obligations of ICT product manufacturers/service providers, monitoring developments in the field of cybersecurity, and cooperating with other NCCAs through peer reviews and other activities. The NCCA will report on its activity annually to ENISA.

The NCCA interacts with the CAB and vendors as part of authorization, and with the NAB as part of monitoring the compliance of CABs.

2) NAB module model

The NAB is responsible for the accreditation of CABs and monitoring their compliance with accreditation requirements.

3) CAB module model

The CAB performs evaluation and certification activities for ICT products, processes or services. Under certain conditions, which differ from scheme to scheme, accredited CABs must be authorized by the NCCA.

The methodologies and requirements for the evaluation and certification of ICT products, processes or services are defined in the different schemes.

Certificates of EU-scheme-compliant ICT products, processes or services will be published on a centralized platform maintained by ENISA.

4) Product manufacturer/service provider

ICT product manufacturers or service providers will be able to avail themselves of conformity self-assessment or third-party conformity assessment by CABs, depending on the scheme they apply for.

This reference model provides a higher-level view of the activities and interactions involved in cybersecurity certification. However, further development is required to obtain a fully functional reference model that will support the cybersecurity certification of ICT products, processes and services as envisaged in the Cybersecurity Act. This will only be possible once the schemes, such as the EUCS, are finalised and published by ENISA, providing the full set of requirements and obligations involved in cybersecurity certification.