About certification

A managed security service (MSS) can be defined as a service provided to a third party consisting of carrying out or providing assistance for activities related to cybersecurity risk management, such as incident management, penetration testing, security audits, and consulting related to technical assistance, including specific expertise.

Managed security services are provided by managed security service providers, as defined in Article 6, point 40, of Directive (EU) 2022/2555 of the European Parliament and of the Council, assisting entities in their efforts to prevent, detect, respond to, and recover from incidents.

Consequently, on the one hand, an organization providing MSS must be able to demonstrate its operational capabilities and its technical competence in relation to the MSS it provides in the field of cybersecurity, ensuring that these services are of adequate quality; and on the other hand, the means used by the organization to provide the SSG (MSS) must meet the necessary security requirements, guaranteeing that they are protected and reliable enough to perform their work safely, both for the entity itself and for those who contract its services.

Therefore, it is necessary to address both approaches: the mandatory minimum operational capabilities and technical competencies, as well as the protection of the organization's own resources and the information/assets they manage. This approach provides validation of the efficiency of service operations, as well as the fact that they can be carried out in a sufficiently secure manner and in accordance with current regulations.

To keep the required resources proportionate, without weakening the protection that is sought and enforceable, the systems and other resources that support the aforementioned services must hold a Certification of Conformity with the National Security Scheme (RD 311/2022, of May 3) for the MEDIUM category or higher or, failing that, demonstrate the appropriate adoption of a minimum set of 36 security measures (listed in section 5.1 of this document) that apply to each specific case. These measures include a formal commitment to achieve compliance with the ENS within a period of no more than 12 months.

Therefore, the PCE-SSG includes the requirements necessary to guarantee reliability and technical competence in the deployment of SSG and to certify compliance with national or European regulations that require evidence of security in SSGs.

SSG provider organizations can be understood as a set of people, processes, and technologies that, through their interrelation, cooperation, and coordination, develop managed security activities for other organizations, both public and private, with the appropriate quality and security.

With the publication of this PCE-SSG, the National Cryptologic Center, in the exercise of its powers, validates and makes public the aforementioned requirements and its conformity assessment and certification model, in accordance with the provisions of Article 30 of Royal Decree 311/2022, of May 3, which regulates the National Security Scheme (ENS, hereinafter). This enables SSG provider organizations to achieve adequate levels of security and quality in their services, allowing them to instill the necessary trust in the entities that use their services.

Current status

Certified SOCs: 3
- Public Sector: 2
- Private Sector: 1

Certified Services: 13
- Prevention: 3
- Protection: 2
- Detection: 3
- Response: 2
- Management: 3

List of certified SOCs

(Table columns: SOC, Prevention, Protection, Detection, Response, Management, Expiration, Acknowledgment)

Documentation

- CCN-STIC 896 (Specific compliance profile for PCE / SSG Managed Security Services)
- Self-assessment tool
- Audit Preparation Guide

Guiding principles

Certification process

Frequently Asked Questions

For matters related to Managed Security Services (MSS) certification, you can contact us via the following email: certiMSS@ccn-cert.cni.es

How do I start the process?

The applicant entity requests and completes the self-assessment tool of the CCN-STIC 896 Guide by contacting the CCN at the email address certiMSS@ccn-cert.cni.es. Once completed, and if a score of 50% or higher is achieved in all applicable sections, the entity may request a free audit that will allow it to assess the suitability of its service (as described in the Guide). If the audit is successful, the entity may request the certificate for its service(s) from the CCN.

Who is the Certification Authority (EC) or the OAT?

For now, it is the CCN itself, as no EC or OAT has yet been accredited for this purpose. Neither is expected to begin its accreditation process until later.

Should the self-assessment questionnaire be completed if you already have the ENS Medio+ certificate for the system?

Yes, but only the tabs for the services that apply in section 4 need to be completed. For example, if you have ENS Medio+, you only need to complete the CERT.ENS tab (one box).

What is the timeframe for SSG companies to adapt to this PCE?

There is no set deadline for adapting to and obtaining certification against the CCN-STIC 896 Guide. Certification is currently voluntary but recommended, as it is expected that in the near future it will become mandatory in order to provide Managed Security Services to public entities or to Critical and/or Essential Infrastructures, or to be part of the RNS.