The goal of this scheme is to provide a framework in which products can be tested within a limited timeframe (and at limited cost) against a baseline of security requirements (Government security baseline). Products can include both hardware and software components that are used in the sensitive but unclassified domain. Under Dutch internal legislation, governmental institutions need to demonstrate compliance with the BIO norm, including for the IT products they use in their work environment. The BSPA scheme was designed specifically to fulfil this need. The BSPA scheme is therefore attractive for Dutch governmental bodies, but also for product manufacturers who are interested in obtaining a security-specific certificate for their products.
Various types of products can be evaluated and certified under the BSPA scheme. The scope includes the following categories:
VPN, link encryption, Wi-Fi access point, etc.
Network filtering, detection and response
IDS, firewall, SSL proxy, etc.
Secure mail, secure chat app, secure voice-call app, etc.
Media and file security
Full disk encryption, container encryption, file encryption, data erasure, etc.
Identity and access management
Password manager, key management and distribution, two-factor authentication, access control and federation, etc.
Secure OS execution environment
Secure-OS, secure-hypervisor, micro-kernel, separation kernel, etc.
Hardware and embedded software
HW-based encryption, HW-based secure-boot, USB device, keyboard (KVM-) switch, smart-meter, tamper resistant device, etc.
Smart cards and similar devices
Secure ICs, JavaCards, transportation/access cards, etc.