The goal of this scheme is to provide a framework in which products can be tested within a limited timeframe (and at limited cost) against a baseline of security requirements (the Government security baseline). Products can include both hardware and software components used in the sensitive, but unclassified domain. Under Dutch internal legislation, governmental institutions need to demonstrate compliance with the BIO norm, including for the IT products they use in their work environment. The BSPA scheme was designed specifically to fulfil this need. Therefore, the BSPA scheme is attractive for Dutch governmental bodies, but also for product manufacturers who are interested in obtaining a security-specific certificate for their products.
Various types of products can be evaluated and certified under the BSPA scheme. The scope includes the following categories:
| Product category | Examples |
|---|---|
| Network security | VPN, link encryption, Wi-Fi access point, etc. |
| Network filtering, detection and response | IDS, firewall, SSL proxy, etc. |
| Secure messaging | Secure mail, secure chat app, secure voice-call app, etc. |
| Media and file security | Full disk encryption, container encryption, file encryption, data erasure, etc. |
| Identity and access management | Password manager, key management and distribution, two-factor authentication, access control and federation, etc. |
| Secure OS execution environment | Secure OS, secure hypervisor, micro-kernel, separation kernel, etc. |
| Hardware and embedded software | HW-based encryption, HW-based secure boot, USB device, keyboard (KVM) switch, smart meter, tamper-resistant device, etc. |
| Smart cards and similar devices | Secure ICs, JavaCards, transportation/access cards, etc. |