Knowledge Center / STQC
STQC, MeitY · India

STQC IT Testing & Certification

Government testing and certification for IT products, e-governance and security.

Introduction to STQC IT Testing and Certification

STQC (Standardisation Testing and Quality Certification) is the assurance and conformity-assessment arm of the Ministry of Electronics and Information Technology (MeitY), Government of India. For any organisation building products, delivering IT-enabled services to the government, operating data centres, hosting e-Governance workloads, or seeking recognition of an information-security or product-testing regime under Indian public procurement, an STQC certificate is frequently the mandated proof of trust. Unlike a self-declaration, an STQC certificate is issued by an accredited Government of India laboratory and, in most schemes, is underpinned by international mutual-recognition arrangements (such as the CCRA for Common Criteria) so that the certificate carries weight both within India and abroad.

This guide is written for two audiences at once. For the assessor, auditor or QSA it enumerates every domain, family, requirement and evaluation activity so that a gap assessment can be performed against real, verifiable criteria. For the implementer, developer and product-management team it explains the certification lifecycle, the evidence you must generate at each phase, and the maturity/assurance levels you are expected to attain. STQC is not a single monolithic standard; it is a family of schemes, and choosing the correct scheme for your product or service is the single most important scoping decision.

Copyright and standards note
STQC schemes are built on published Indian and international standards including the Common Criteria (ISO/IEC 15408), the Common Evaluation Methodology (ISO/IEC 18045), FIPS 140-2/140-3, ISO/IEC 27001, ISO 9001, ISO/IEC 17025, WCAG 2.1, and the GIGW guidelines. Those standards are the copyrighted property of their respective bodies (ISO, IEC, NIST, W3C, MeitY). This guide is original explanatory material authored by CyberSigma and must not be treated as a substitute for the licensed standard texts or the official STQC scheme documents, which you must obtain from STQC/MeitY, ISO, or NIST directly. Requirement identifiers are cited for navigation only.

What is STQC IT Testing and Certification

STQC operates a nationwide network of laboratories and centres that provide testing, calibration and certification services across electronics and IT. Within the IT and information-security space, STQC administers several distinct but complementary schemes. The most prominent is the Indian Common Criteria Certification Scheme (IC3S), through which STQC acts as the national Certification Body for evaluating the security functionality of IT products against ISO/IEC 15408. STQC also runs cryptographic module testing aligned to FIPS 140-2/140-3, an information-security-management-system certification scheme aligned to ISO/IEC 27001, website and application quality certification against the Guidelines for Indian Government Websites (GIGW) and WCAG accessibility, biometric device certification (for example for Aadhaar-authentication devices under UIDAI's L0/L1 requirements), electronic-hardware and product testing, and audit/empanelment services for e-Governance applications.

The unifying idea across all STQC schemes is independent, laboratory-based conformity assessment: a candidate product, system or management regime is evaluated by an accredited body against a defined set of criteria, evidence is examined and independently tested, and a certificate is issued at a stated assurance or conformance level with a defined scope of validity. STQC laboratories are themselves accredited (for example to ISO/IEC 17025 for testing and calibration, and ISO/IEC 17065/17021 for product and management-system certification), which is what gives the certificate its legal and commercial standing in Indian public procurement.

The principal STQC IT schemes at a glance

SchemeUnderlying criteriaWhat is certifiedTypical driver
IC3S (Indian Common Criteria Certification Scheme)ISO/IEC 15408 + ISO/IEC 18045IT product security functionality at EAL1-EAL4+Sale to government / defence, MRA recognition
Cryptographic Module TestingFIPS 140-2 / FIPS 140-3Cryptographic module security at Levels 1-4HSMs, crypto libraries, secure devices
ISMS CertificationISO/IEC 27001Information-security management systemData centres, e-Gov, IT/ITeS services
Website Quality / GIGWGIGW + WCAG 2.1Government website usability, accessibility, securityGovernment website hosting / STQC quality mark
Biometric Device CertificationUIDAI L0/L1 + STQC device specFingerprint/iris capture device integrityAadhaar-authentication device makers
Application / e-Gov AuditOWASP, ISO/IEC 27001, MeitY guidelinesWeb application security and qualityNIC/MeitY hosting pre-requisite
Electronic Product / Safety TestingIS/IEC safety and EMI/EMC standardsHardware safety, EMC, environmentalBIS / procurement conformity

Who must comply with STQC

STQC certification is sometimes a legal or contractual mandate and sometimes a strong commercial differentiator. The obligation flows from the procurement rules of the buying entity (typically a government department, PSU or regulated operator) rather than from a single horizontal law, so the applicable scheme depends on what you are selling and to whom.

StakeholderSTQC scheme most relevantNature of obligation
Security-product vendors selling to Government/DefenceIC3S (Common Criteria)Often mandatory in tenders; EAL level specified in RFP
HSM / cryptographic-module manufacturersFIPS 140-2/140-3 testingMandatory for approved crypto in sensitive deployments
Data centres and cloud/hosting providers for e-GovISMS (ISO/IEC 27001) + auditMandatory for MeitY-empanelled cloud/DC status
e-Governance application ownersApplication security auditMandatory pre-go-live / pre-hosting on NIC/MeitY
Government website owners and their vendorsGIGW / Website QualityMandatory for GIGW compliance and STQC quality mark
Aadhaar-ecosystem device makers (AUA/KUA supply chain)Biometric device certificationMandatory (UIDAI L1 registered devices)
Electronics manufacturers (IT hardware)Product safety/EMC testingMandatory for BIS and procurement conformity
Software product companies seeking public-sector trustIC3S / ISMS / quality markVoluntary but commercially decisive

Structure of STQC (schemes, domains and control families)

Because STQC is a family of schemes, its 'structure' is best understood as the internal control structure of each scheme plus the common conformity-assessment machinery that binds them. The table below decomposes the two flagship IT-security schemes (IC3S/Common Criteria and FIPS 140-3) plus the ISMS scheme into their constituent domains/families/requirement areas, because these are the areas an assessor will actually walk through.

SchemeDomain / family groupRequirement identifiersFocus of the group
IC3S (CC)Security Functional Requirements (SFRs)Classes FAU, FCO, FCS, FDP, FIA, FMT, FPR, FPT, FRU, FTA, FTPWhat the product's security enforces
IC3S (CC)Security Assurance Requirements (SARs)Classes ADV, AGD, ALC, ASE, ATE, AVAHow much confidence in the correctness of enforcement
IC3S (CC)Evaluation Assurance LevelsEAL1 through EAL7 (India: up to EAL4+)Depth and rigour of evaluation
IC3S (CC)Security Target / Protection ProfileASE / APEDefinition of the security problem and claims
FIPS 140-3Cryptographic module security areasAreas 1-11 (per ISO/IEC 19790)Physical, logical and cryptographic protections
FIPS 140-3Security levelsLevel 1 through Level 4Escalating physical/tamper/authentication rigour
ISMSClauses 4-10 + Annex AA.5-A.8 (2022 control themes)Management system + 93 controls in 4 themes
Website/GIGWQuality, usability, security, accessibilityGIGW + WCAG 2.1 A/AAContent quality and inclusive access

The Common Criteria assurance stack (SFR and SAR classes)

Within IC3S, a product (the Target of Evaluation, or TOE) is described by a Security Target (ST) that states which Security Functional Requirements it satisfies and which Evaluation Assurance Level of Security Assurance Requirements it claims. The functional classes cover audit (FAU), communication/non-repudiation (FCO), cryptographic support (FCS), user data protection (FDP), identification and authentication (FIA), security management (FMT), privacy (FPR), protection of the TSF (FPT), resource utilisation (FRU), TOE access (FTA) and trusted path/channels (FTP). The assurance classes cover development (ADV), guidance documents (AGD), life-cycle support (ALC), security-target evaluation (ASE), tests (ATE) and vulnerability assessment (AVA).

Master assessment checklist

This is the core of the guide. Each h3 below is a control group; each table lists, for the requirements in that group, exactly what an assessor must verify and the typical evidence an implementer must produce. No domain, family or requirement area is skipped. The checklist is organised first by the Common Criteria functional and assurance classes (the deepest and most examinable scheme), then by FIPS 140-3 areas, then by ISMS themes, then GIGW/accessibility, then biometric device criteria.

FAU - Security Audit (CC functional class)

What to verifyTypical evidence
Auditable events are defined and generated (FAU_GEN)Audit-event catalogue; log samples showing each event type
Each record carries subject identity, timestamp, outcomeSample log records with all mandated fields
Audit review, selection and search are provided (FAU_SAR/SEL)Log-review tool screenshots; query capability demo
Audit trail is protected from unauthorised deletion (FAU_STG)Storage protection config; retention and overwrite policy
Alarms/actions on audit failure or storage exhaustionAlerting rules; test log of storage-full behaviour

FCO - Communication (non-repudiation)

What to verifyTypical evidence
Proof of origin is generated and verifiable (FCO_NRO)Design doc; signed-message samples with verification
Proof of receipt is generated and verifiable (FCO_NRR)Receipt-token samples; verification test results
Association of evidence to identity is unforgeableCryptographic binding design; key-management evidence

FCS - Cryptographic Support

What to verifyTypical evidence
Approved algorithms and key sizes are used (FCS_COP)Algorithm inventory; CAVP/CMVP references where applicable
Key generation uses an approved method (FCS_CKM.1)RNG/DRBG design; entropy assessment
Key distribution and access are controlled (FCS_CKM.2)Key-lifecycle procedure; access-control config
Key destruction/zeroisation is implemented (FCS_CKM.4)Zeroisation routine code; test evidence of memory wipe

FDP - User Data Protection

What to verifyTypical evidence
Access-control and information-flow policies enforced (FDP_ACC/IFC)Policy model; access-matrix and mediation tests
Residual information is protected (FDP_RIP)Memory/object reuse test showing no data leakage
Data authentication and integrity monitored (FDP_DAU/SDI)Integrity-check design; tamper-detection test logs
Import/export of data controlled with attributes (FDP_ITC/ETC)Data-labelling design; boundary-transfer tests
Rollback and stored-data confidentiality providedRollback test; encryption-at-rest configuration

FIA - Identification and Authentication

What to verifyTypical evidence
Users are identified before any TSF-mediated action (FIA_UID)Login-flow design; test showing pre-auth restriction
Authentication mechanism strength meets claim (FIA_UAU)Password/MFA policy; authentication-failure handling test
Authentication-failure handling and lockout (FIA_AFL)Lockout config; brute-force test evidence
User attributes bound and managed (FIA_ATD/USB)Attribute-binding design; role-assignment records
Secrets quality and verification enforced (FIA_SOS)Password-complexity rules; secret-generation test

FMT - Security Management

What to verifyTypical evidence
Management of TSF functions restricted to roles (FMT_MOF)Role-permission matrix; privileged-action tests
Management of security attributes controlled (FMT_MSA)Attribute-management UI/API; default-value config
Management of TSF data controlled (FMT_MTD)Config-data access controls; audit of admin changes
Security roles are defined and maintained (FMT_SMR)Role definitions; separation-of-duties evidence
Specification of management functions (FMT_SMF)List of management functions; test coverage

FPR - Privacy

What to verifyTypical evidence
Anonymity provided where claimed (FPR_ANO)Design showing identity-unlinkable operations
Pseudonymity/unlinkability/unobservability (FPR_PSE/UNL/UNO)Privacy-mechanism design; correlation-resistance test

FPT - Protection of the TSF

What to verifyTypical evidence
TSF self-tests run and detect failures (FPT_TST)Self-test routines; fault-injection test results
Failure with preservation of secure state (FPT_FLS)Fail-secure design; abnormal-termination test
Time-source reliability for the TSF (FPT_STM)Trusted-time configuration; NTP/clock integrity
Inter-TSF and internal data consistency (FPT_TDC/TRC)Replication/consistency design and tests
Domain separation and reference mediation (FPT_SEP/RVM)Architecture separation; non-bypassability test

FRU - Resource Utilisation

What to verifyTypical evidence
Fault tolerance maintains service (FRU_FLT)Redundancy design; failover test evidence
Priority-of-service and quotas enforced (FRU_PRS/RSA)Quota configuration; resource-exhaustion test

FTA - TOE Access

What to verifyTypical evidence
Session establishment limits and locking (FTA_SSL/MCS)Session-timeout config; concurrent-session test
Access banners and history shown (FTA_TAB/TAH)Login-banner screenshot; last-login display
Session limits based on attributes (FTA_LSA/TSE)Time/location-restriction config and test

FTP - Trusted Path/Channels

What to verifyTypical evidence
Trusted channel between TSF and remote IT (FTP_ITC)TLS/IPsec configuration; channel-integrity test
Trusted path between user and TSF (FTP_TRP)Anti-spoofing login-path design and test

ADV - Development (CC assurance class)

What to verifyTypical evidence
Security architecture supports self-protection (ADV_ARC)Security-architecture description document
Functional specification of TSF interfaces (ADV_FSP)Functional spec mapping SFRs to interfaces
TOE design decomposition to subsystems/modules (ADV_TDS)Design document with subsystem descriptions
Implementation representation available (ADV_IMP)Source-code samples / build artefacts for EAL4+

AGD - Guidance Documents

What to verifyTypical evidence
Operational user guidance is complete and correct (AGD_OPE)Admin/user manuals describing secure operation
Preparative procedures ensure secure install (AGD_PRE)Installation/acceptance guide; secure-config baseline

ALC - Life-cycle Support

What to verifyTypical evidence
Configuration management scope and coverage (ALC_CMC/CMS)CM plan; version-controlled item list
Secure delivery procedures (ALC_DEL)Delivery procedure preventing tamper in transit
Development security at the site (ALC_DVS)Site-security controls; access logs to dev environment
Life-cycle model and tools defined (ALC_LCD/TAT)SDLC documentation; toolchain/compiler options
Flaw remediation process (ALC_FLR)Flaw-tracking and patch procedure with SLAs

ASE - Security Target Evaluation

What to verifyTypical evidence
ST conformance and introduction are sound (ASE_INT/CCL)Security Target document with conformance claims
Security problem definition is complete (ASE_SPD)Threats, assumptions and organisational policies
Objectives and requirements are traceable (ASE_OBJ/REQ)Objective-to-SFR traceability matrix
TOE summary specification is consistent (ASE_TSS)TSS mapping SFRs to implemented functions

ATE - Tests

What to verifyTypical evidence
Test coverage of TSF interfaces (ATE_COV)Coverage analysis mapping tests to interfaces
Testing depth to subsystem/module level (ATE_DPT)Depth analysis for EAL3+/EAL4+
Functional test cases and results (ATE_FUN)Test plan, procedures, expected/actual results
Independent evaluator testing (ATE_IND)Evaluator test report reproducing/extending vendor tests

AVA - Vulnerability Assessment

What to verifyTypical evidence
Vulnerability analysis and penetration testing (AVA_VAN)Evaluator vulnerability-analysis and pen-test report
Resistance appropriate to attack potential for the EALAttack-potential rating; residual-vulnerability list

FIPS 140-3 cryptographic module security areas

What to verifyTypical evidence
Cryptographic module specification and boundary (Area 1)Module spec; defined cryptographic boundary diagram
Ports and interfaces separate data/control/status (Area 2)Interface definition; port-role documentation
Roles, services and authentication (Area 3)Role/service matrix; authentication-mechanism evidence
Software/firmware security and integrity (Area 4)Integrity-check design; approved load mechanism
Operational environment controls (Area 5)OS configuration; restricted/modifiable-environment proof
Physical security and tamper evidence/response (Area 6)Tamper-seal design; enclosure and response evidence
Non-invasive security mitigations (Area 7)Side-channel mitigation documentation
Sensitive security parameter management (Area 8)Key/CSP lifecycle; zeroisation and storage evidence
Self-tests (pre-operational and conditional) (Area 9)Self-test list; known-answer and integrity test logs
Life-cycle assurance and guidance (Area 10)Delivery, configuration and secure-operation guidance
Mitigation of other attacks (Area 11)Documentation of attacks addressed beyond areas 1-10

ISMS (ISO/IEC 27001) management-system clauses

What to verifyTypical evidence
Context, scope and interested parties (Clause 4)ISMS scope statement; stakeholder analysis
Leadership, policy and roles (Clause 5)Signed InfoSec policy; assigned responsibilities
Risk assessment and treatment planning (Clause 6)Risk methodology; risk register; SoA; treatment plan
Resources, competence and awareness (Clause 7)Training records; competence matrix; documented info control
Operational risk-treatment execution (Clause 8)Operating procedures; risk-treatment implementation records
Monitoring, measurement and internal audit (Clause 9)Metrics; internal-audit reports; management-review minutes
Nonconformity and continual improvement (Clause 10)CAPA log; corrective-action closure evidence

ISMS Annex A control themes (ISO/IEC 27001:2022)

What to verifyTypical evidence
Organisational controls (A.5, 37 controls)Policies, supplier agreements, threat-intel, classification
People controls (A.6, 8 controls)Screening, terms of employment, awareness, disciplinary process
Physical controls (A.7, 14 controls)Perimeter, entry logs, equipment siting, secure disposal
Technological controls (A.8, 34 controls)Access control, cryptography, logging, secure development, backup

Website Quality and GIGW / WCAG 2.1 accessibility

What to verifyTypical evidence
Content quality, currency and authenticity (GIGW)Content policy; last-updated stamps; ownership metadata
Perceivable content: text alternatives, captions (WCAG 1.x)Alt-text audit; caption files; contrast-ratio report
Operable interface: keyboard, navigation (WCAG 2.x)Keyboard-only test; focus-order and skip-link evidence
Understandable content and predictable UI (WCAG 3.x)Readable-language settings; consistent-navigation test
Robust markup and assistive-tech compatibility (WCAG 4.x)Valid HTML/ARIA; screen-reader test results
Website security and privacy (GIGW security)VAPT report; HTTPS config; privacy-policy publication

Biometric device certification (UIDAI L0/L1)

What to verifyTypical evidence
Biometric capture quality and image standardsCapture-quality test results against ISO image specs
Signing/encryption of biometric record at source (L1)Secure-element design; PID-block encryption evidence
Device tamper resistance and secure key storageTamper design; key-injection and provisioning records
Registered-device registration and lifecycleRD-service integration; device-registration logs

Scoping the certification

Scoping determines cost, timeline and the very meaning of your certificate, and a mistake here is expensive to unwind. The first decision is which scheme applies; a cryptographic library should target FIPS 140-3, a security appliance IC3S, a hosting operation ISMS, and a citizen-facing portal GIGW. Within a scheme the scope is defined precisely: for IC3S the Target of Evaluation (TOE) boundary must state exactly which product versions, modules, interfaces and hardware/software environment are included, because anything outside the boundary is uncertified. For FIPS the cryptographic boundary must be drawn around the module, and the operational environment classified as non-modifiable, limited or modifiable. For ISMS the scope statement fixes the sites, services, business units and information assets covered by the Statement of Applicability.

  • Identify the mandate: read the tender/RFP or regulatory requirement to see which scheme and which level (e.g. EAL2, FIPS Level 3) is demanded.
  • Draw the boundary precisely: TOE/cryptographic/ISMS scope must be unambiguous and version-locked.
  • Fix the security problem: threats, assumptions and organisational policies the certificate will address.
  • Decide the assurance/security level to claim, balancing cost against the buyer's requirement.
  • Confirm any Protection Profile the product must conform to (some sectors mandate a specific PP).
  • Enumerate the operational environment and dependencies that the certificate assumes.

Implementation approach (phased)

An STQC engagement runs most smoothly as a staged programme. The phases below use IC3S/Common Criteria as the running example (the most document-intensive scheme); the same shape applies to FIPS and ISMS with scheme-specific artefacts substituted.

Phase 1 - Readiness and scheme selection

  • Activities: confirm applicable scheme and level; perform a gap assessment against the target criteria; draft the TOE/scope boundary.
  • Deliverables: scheme-selection memo, gap-assessment report, high-level scope statement and project plan.

Phase 2 - Security Target / documentation build

  • Activities: author the Security Target (or SoA/module spec); map claims to SFRs/controls; establish CM, SDLC and delivery procedures.
  • Deliverables: Security Target (ASE) or Statement of Applicability, CM plan, life-cycle documentation, guidance manuals (AGD).

Phase 3 - Engineering hardening and evidence generation

  • Activities: implement/remediate controls; produce design (ADV) and test (ATE) evidence; run internal VAPT and self-tests.
  • Deliverables: architecture and design documents, test plans and results, vulnerability-remediation records, secure-config baseline.

Phase 4 - Laboratory evaluation / audit

  • Activities: engage the accredited lab (CCTL for IC3S); submit evidence; support evaluator testing, penetration testing and observation reports.
  • Deliverables: evaluation-input package, evaluator observation-report responses, corrected artefacts, evaluation test evidence.

Phase 5 - Certification and surveillance

  • Activities: STQC Certification Body reviews the Evaluation Technical Report and issues the certificate; establish assurance-continuity/maintenance and surveillance where applicable.
  • Deliverables: certificate and certification report, maintenance/assurance-continuity plan, surveillance-audit schedule and re-certification roadmap.

Assurance / capability levels (scoring model)

Each STQC scheme expresses rigour through a graded level scale. The table maps the level scales of the flagship schemes so implementers can choose a target and assessors can calibrate depth.

SchemeLevelMeaning / rigour
IC3S EALEAL1Functionally tested - basic confidence
IC3S EALEAL2Structurally tested - low-to-moderate assurance
IC3S EALEAL3Methodically tested and checked
IC3S EALEAL4Methodically designed, tested and reviewed (India's usual ceiling, EAL4+)
IC3S EALEAL5-EAL7Semiformal/formal design and verification (highest rigour)
FIPS 140-3Level 1Approved algorithms, no physical security beyond production-grade
FIPS 140-3Level 2Tamper-evidence and role-based authentication
FIPS 140-3Level 3Tamper-response/zeroisation and identity-based authentication
FIPS 140-3Level 4Complete envelope of protection against physical/environmental attack
ISMSCertifiedConformity to ISO/IEC 27001 clauses and applicable Annex A controls

Assessment and audit approach

  1. Application and scoping: submit the certification application to STQC, agree the scheme, level and boundary.
  2. Evidence submission: deliver the Security Target/SoA and supporting design, life-cycle and guidance evidence to the accredited laboratory.
  3. Evaluation planning: the lab produces an evaluation work-plan mapping each requirement to evaluation activities.
  4. Documentary evaluation: evaluators examine each SFR/SAR (or clause/control) and raise observation reports on deficiencies.
  5. Independent testing: evaluators reproduce vendor tests and design their own functional and penetration tests.
  6. Vulnerability assessment: evaluators rate residual vulnerabilities against the attack potential defined for the claimed level.
  7. Observation-report resolution: the vendor remediates and resubmits until all findings are closed.
  8. Evaluation Technical Report: the lab compiles the ETR and a verdict per requirement.
  9. Certification decision: the STQC Certification Body reviews the ETR and issues (or withholds) the certificate and certification report.
  10. Surveillance / assurance continuity: maintenance, re-evaluation of changes and periodic surveillance sustain the certificate's validity.

Evidence request list

  • Governance: scheme-selection memo, certification application, project plan, scope/boundary statement.
  • Security definition: Security Target or Statement of Applicability, Protection Profile conformance claims, risk register.
  • Design: security-architecture (ADV_ARC), functional specification (ADV_FSP), TOE design (ADV_TDS), implementation representation for EAL4+.
  • Life-cycle: configuration-management plan and item list, secure-delivery procedure, development-site security controls, flaw-remediation process, SDLC model.
  • Guidance: operational user guidance and preparative install procedures, secure-configuration baseline.
  • Testing: test plans, procedures and results, coverage and depth analyses, self-test and known-answer-test logs.
  • Cryptography: algorithm inventory, key-lifecycle and zeroisation evidence, entropy/DRBG assessment, CAVP/CMVP references.
  • Vulnerability: internal and evaluator VAPT reports, residual-vulnerability list, patch SLAs.
  • ISMS operations: policies, training records, internal-audit reports, management-review minutes, CAPA log.
  • Web/accessibility: WCAG audit, VAPT report, HTTPS/privacy configuration, content-ownership metadata.

Roles and responsibilities

RolePrimary responsibility
STQC Certification Body (MeitY)Owns the scheme, reviews ETRs, issues certificates and maintains the register
Accredited laboratory / CCTLPerforms the independent evaluation, testing and vulnerability assessment
Sponsor / Developer (vendor)Provides the TOE, Security Target, design, life-cycle and test evidence
Product security leadOwns SFR/control implementation and evidence quality
Development site security officerMaintains development-environment security (ALC_DVS)
QA / Test leadProduces functional test evidence and coverage/depth analyses
Cryptography engineerOwns key management, algorithms and zeroisation (FCS / FIPS areas)
ISMS manager (for ISMS scope)Runs the management system, risk treatment and internal audits
CyberSigma advisory teamGuides scoping, builds evidence, remediates gaps and manages the lab engagement

KPIs to track

  • Percentage of SFRs/SARs (or Annex A controls) with complete, lab-ready evidence.
  • Number of open observation reports from the laboratory and mean time to resolution.
  • Residual vulnerabilities by severity and closure rate against the attack-potential threshold.
  • Documentation coverage ratio (design/guidance/life-cycle artefacts complete versus required).
  • Test coverage and depth against TSF interfaces and subsystems.
  • Elapsed time per phase versus plan (readiness, ST build, evaluation, certification).
  • Self-test and known-answer-test pass rate for cryptographic modules.
  • Days to re-certification / next surveillance and assurance-continuity actions raised per change.

Readiness checklist

  • Correct STQC scheme and target level confirmed against the mandate or RFP.
  • TOE / cryptographic / ISMS boundary drawn and version-locked.
  • Security Target or Statement of Applicability drafted and internally reviewed.
  • All applicable SFRs/controls mapped to implemented functions with traceability.
  • Design, life-cycle, guidance and test evidence assembled to the claimed level.
  • Internal VAPT completed and high/medium findings remediated.
  • Cryptographic self-tests and key-zeroisation verified.
  • Accredited laboratory / CCTL engaged and evaluation work-plan agreed.
  • Flaw-remediation, CM and secure-delivery procedures operational.
  • Surveillance / assurance-continuity plan defined for post-certification.

Common gaps

  • Ambiguous or over-broad TOE boundary that pulls uncertified components into scope.
  • Security Target claims not traceable to actual implemented functions (weak ASE_TSS).
  • Missing or thin life-cycle evidence: no formal CM item list or secure-delivery procedure.
  • Insufficient test coverage/depth for the claimed EAL (ATE_COV/DPT shortfalls).
  • Cryptography using non-approved algorithms or lacking documented key zeroisation.
  • No trusted-time source or self-test evidence for TSF protection (FPT_STM/FPT_TST).
  • ISMS Statement of Applicability with unjustified control exclusions.
  • Accessibility failures (poor contrast, missing alt-text, keyboard traps) in GIGW/WCAG scope.
  • Residual vulnerabilities not rated against the correct attack potential for the level.
  • No assurance-continuity plan, so a routine product update invalidates the certificate.

STQC mapped to other frameworks

STQC scheme / requirementMaps toNature of mapping
IC3S EAL levelsISO/IEC 15408 + ISO/IEC 18045IC3S is the Indian national CC scheme; direct adoption
IC3S certificatesCCRA mutual recognitionRecognised internationally up to the CCRA-recognised level
Cryptographic Module TestingFIPS 140-2/140-3 (ISO/IEC 19790)Testing aligned to NIST/ISO cryptographic-module standards
ISMS certificationISO/IEC 27001:2022Same clauses and Annex A control set
Application/e-Gov auditOWASP ASVS / Top 10, ISO/IEC 27001Control themes overlap for web-application security
Website Quality (GIGW)WCAG 2.1 (W3C), ISO 9241 usabilityAccessibility and usability alignment
Biometric device certificationISO/IEC 19794 image standards, UIDAI specsCapture-quality and secure-record alignment
FCS / FIPS key managementNIST SP 800-57 key-management guidanceKey-lifecycle practice alignment
How CyberSigma helps
CyberSigma runs STQC engagements end to end. As a CERT-In empanelled and PCI QSA practice, we begin with scheme selection and a rigorous gap assessment, then draw a defensible TOE/cryptographic/ISMS boundary and author the Security Target or Statement of Applicability so your claims are traceable and lab-ready. Our engineers close design, life-cycle, testing and cryptographic-evidence gaps, run internal VAPT and self-test validation, and prepare the full evaluation-input package. We manage the accredited laboratory/CCTL engagement, drive observation-report resolution, and steer the certification decision to a clean result. Post-certification we build your surveillance and assurance-continuity plan so that ordinary product updates never silently invalidate your certificate. Talk to CyberSigma to turn an STQC mandate into a durable, market-recognised assurance asset.

Frequently asked questions

What does STQC certify?
STQC provides testing and certification for IT products, e-governance applications, biometric devices and security/quality assurance under MeitY.
Official documents

Need help with STQC?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.