ANSSI’s security visas: what are they and which one is right for you?

By Arnaud Dufournet

Not all cybersecurity solutions are the same when it comes to efficiency and trustworthiness. It is precisely to set apart the most robust solutions that the French National Cybersecurity Agency (ANSSI) evaluates them and issues so-called security visas every year. In 2021, the agency issued 255 of these qualifications and certifications. However, it’s not always easy to understand what they are and decide which one is right for you. Some even go so far as to say that these visas do not make the decision-making process any easier.

Vulnerabilities are on a constant rise

On average, organizations deploy dozens of cybersecurity solutions to protect their networks and information systems. At the same time, the number of vulnerabilities detected keeps rising. Log4shell—the vulnerability that struck fear into CSIOs in December 2021—is still on everyone’s mind. The number of new CVE identifiers that MITRE publishes could be up to 35% higher than in 2021 according to the 2022 Telemetry Report published by Trustwave SpiderLabs.

VPN software has its share of vulnerabilities. Three SSL VPNs were already among the top 10 vulnerabilities in 2020, a ranking based on severity that ANSSI establishes every year.

The top 10 from 2021, published this past February, once again includes a VPN whose vulnerability allowed attackers to modify certain files in view of installing backdoors and subsequently erasing their traces. Persistent command injection and remote code execution (RCE) are the most common types of vulnerabilities listed in CVEs.

For a software editor, having your product evaluated by an accredited laboratory with a view to obtaining a security visa from ANSSI is a good way to stand out and provide users with quality guarantees.

Understanding the security visas that ANSSI issues

The first thing to know about the visas ANSSI issues is that there are two types: certifications and qualifications. The purpose of these visas is to provide an easy way to identify the most reliable and recognized cybersecurity solutions based on an evaluation performed by an accredited laboratory according to a disciplined and proven methodology.

A certification demonstrates the robustness of a product that has been subjected to a compliance analysis and penetration tests conducted by a third-party evaluator under ANSSI’s authority. There are two certification schemes: Common Criteria (CC) certification and First Level Security Certification (Certification de Sécurité de Premier Niveau or CSPN). CC certification is an internationally recognized standard based on multilateral recognition agreements. The Common Criteria are broken down into seven Evaluation Assurance Levels (EALs) pertaining to the product’s security. EAL1 comprises functional tests and tests to determine resistance to a basic level attacker. EAL7 consists in a formal verification of the solution’s design as well as a test to determine resistance to a high-level attacker. It should be noted that the assurance level can also be increased by adding additional evaluation tasks. In this case, a “+” will be added to the level, for example EAL4+. To provide an alternative to CC evaluations, which can take up to 18 months, ANSSI has set up a CSPN. It isn’t as exhaustive, focuses on product analysis, and consists of tests carried out with time and workload constraints (25 to 35 man-days).

It should also be noted that a certification is only valid for a given version of a product. Certification may be extended to minor product updates carried out within the scope of a certificate maintenance, but major updates to a product imply that it will have to be evaluated again.

The second type of visa is a qualification. It is the French State’s recommendation of tried and tested cybersecurity products or services that have been approved by ANSSI. This type of visa confirms that the solution complies with the regulatory, technical, and security requirements that ANSSI promotes. In this case, the evaluation demonstrates the product’s robustness as confirmed by a certification, the service provider’s competence, and the solution provider’s commitment to comply with trust criteria. It is only granted for a maximum period of two to three years depending on the regulatory framework. Furthermore, there are three levels of qualification: basic, standard, and enhanced.

Yet another subtlety is that it’s possible to ask ANSSI for an approval with the qualification. When an information system (IS) handles sensitive data, the security devices that protect it must receive an ANSSI approval. The various approvals depend on the type and level of sensitivity of the information concerned. For example, the approvals available for ISs in the Defence sector are Restricted (Diffusion Restreinte – DR) or Secret (Secret Défense – SD). NATO approval is for combined information systems and EU approval for information systems used in EU institutions.

Is the Great Resignation looming over cybersecurity as well? Action is needed quickly to give CISOs the means to regain control and carry out their work—which is so critical to the survival of an organization.

Whose needs do the visas meet?

The main question you should ask yourself is whether your French branch is restricted by regulations, such as the Network and Information Security (NIS) Directive at the European level or the General Security Database (Référentiel Général de Sécurité – RGS) and the Act on Military Spending Bill Programming (Loi de Programmation Militaire – LPM) in France. If this is the case, then you must turn to a cybersecurity solution that has been qualified by a cybersecurity agency, such as ANSSI in France (see our use case on Restricted information). If your information system handles sensitive data, then the qualified solution you require must additionally come with an approval.

However, if your organization is not concerned by the regulations mentioned above and you still want robust solutions, especially to comply with the GDPR, you can use certified solutions to raise the security level of your IS.

For organizations that have subsidiaries abroad, it is interesting to know that the Common Criteria standard is recognized in a certain number of countries.

The CC certification is recognized by 13 European countries (including France, Germany, Italy, Spain, and the United Kingdom) that have signed the Agreement on Mutual Recognition (SOG-IS agreement). In turn, the Common Criteria Recognition Arrangement (CCRA) allows mutual recognition with other non-European states, such as the United States, Canada, India, and Israel.

TheGreenBow’s certification process

For more than 20 years, TheGreenBow has been helping its customers manage privacy, sovereignty, and security issues at the highest level. This is why we have fully integrated the certification and qualification of our products by ANSSI into our development strategy. In 2013, TheGreenBow became the first European VPN software provider to obtain the EAL3+ Common Criteria certification as well as NATO Restricted and EU Restricted approval for its Windows VPN Client. TheGreenBow has also obtained additional visas for its Windows and Linux clients. A new version of the Windows VPN Client is currently undergoing a qualification process with ANSSI.

We apply a consistent level of standards to the development of all our software and not only to versions for which we aim to obtain a security visa. Many critical market operators, including Dassault Aviation and the French Ministry of the Interior, trust TheGreenBow’s VPN clients for their robustness and reliability.

To find out more about our VPN clients, visit our online store.

You can also try them free of charge for 30 days by visiting this page on our website.