Introduction to STQC IT Testing and Certification
STQC (Standardisation Testing and Quality Certification) is the assurance and conformity-assessment arm of the Ministry of Electronics and Information Technology (MeitY), Government of India. For any organisation building products, delivering IT-enabled services to the government, operating data centres, hosting e-Governance workloads, or seeking recognition of an information-security or product-testing regime under Indian public procurement, an STQC certificate is frequently the mandated proof of trust. Unlike a self-declaration, an STQC certificate is issued by an accredited Government of India laboratory and, in most schemes, is underpinned by international mutual-recognition arrangements (such as the CCRA for Common Criteria) so that the certificate carries weight both within India and abroad.
This guide is written for two audiences at once. For the assessor, auditor or QSA it enumerates every domain, family, requirement and evaluation activity so that a gap assessment can be performed against real, verifiable criteria. For the implementer, developer and product-management team it explains the certification lifecycle, the evidence you must generate at each phase, and the maturity/assurance levels you are expected to attain. STQC is not a single monolithic standard; it is a family of schemes, and choosing the correct scheme for your product or service is the single most important scoping decision.
Copyright and standards note
STQC schemes are built on published Indian and international standards including the Common Criteria (ISO/IEC 15408), the Common Evaluation Methodology (ISO/IEC 18045), FIPS 140-2/140-3, ISO/IEC 27001, ISO 9001, ISO/IEC 17025, WCAG 2.1, and the GIGW guidelines. Those standards are the copyrighted property of their respective bodies (ISO, IEC, NIST, W3C, MeitY). This guide is original explanatory material authored by CyberSigma and must not be treated as a substitute for the licensed standard texts or the official STQC scheme documents, which you must obtain from STQC/MeitY, ISO, or NIST directly. Requirement identifiers are cited for navigation only.
What is STQC IT Testing and Certification
STQC operates a nationwide network of laboratories and centres that provide testing, calibration and certification services across electronics and IT. Within the IT and information-security space, STQC administers several distinct but complementary schemes. The most prominent is the Indian Common Criteria Certification Scheme (IC3S), through which STQC acts as the national Certification Body for evaluating the security functionality of IT products against ISO/IEC 15408. STQC also runs cryptographic module testing aligned to FIPS 140-2/140-3, an information-security-management-system certification scheme aligned to ISO/IEC 27001, website and application quality certification against the Guidelines for Indian Government Websites (GIGW) and WCAG accessibility, biometric device certification (for example for Aadhaar-authentication devices under UIDAI's L0/L1 requirements), electronic-hardware and product testing, and audit/empanelment services for e-Governance applications.
The unifying idea across all STQC schemes is independent, laboratory-based conformity assessment: a candidate product, system or management regime is evaluated by an accredited body against a defined set of criteria, evidence is examined and independently tested, and a certificate is issued at a stated assurance or conformance level with a defined scope of validity. STQC laboratories are themselves accredited (for example to ISO/IEC 17025 for testing and calibration, and ISO/IEC 17065/17021 for product and management-system certification), which is what gives the certificate its legal and commercial standing in Indian public procurement.
The principal STQC IT schemes at a glance
| Scheme | Underlying criteria | What is certified | Typical driver |
|---|
| IC3S (Indian Common Criteria Certification Scheme) | ISO/IEC 15408 + ISO/IEC 18045 | IT product security functionality at EAL1-EAL4+ | Sale to government / defence, MRA recognition |
| Cryptographic Module Testing | FIPS 140-2 / FIPS 140-3 | Cryptographic module security at Levels 1-4 | HSMs, crypto libraries, secure devices |
| ISMS Certification | ISO/IEC 27001 | Information-security management system | Data centres, e-Gov, IT/ITeS services |
| Website Quality / GIGW | GIGW + WCAG 2.1 | Government website usability, accessibility, security | Government website hosting / STQC quality mark |
| Biometric Device Certification | UIDAI L0/L1 + STQC device spec | Fingerprint/iris capture device integrity | Aadhaar-authentication device makers |
| Application / e-Gov Audit | OWASP, ISO/IEC 27001, MeitY guidelines | Web application security and quality | NIC/MeitY hosting pre-requisite |
| Electronic Product / Safety Testing | IS/IEC safety and EMI/EMC standards | Hardware safety, EMC, environmental | BIS / procurement conformity |
Who must comply with STQC
STQC certification is sometimes a legal or contractual mandate and sometimes a strong commercial differentiator. The obligation flows from the procurement rules of the buying entity (typically a government department, PSU or regulated operator) rather than from a single horizontal law, so the applicable scheme depends on what you are selling and to whom.
| Stakeholder | STQC scheme most relevant | Nature of obligation |
|---|
| Security-product vendors selling to Government/Defence | IC3S (Common Criteria) | Often mandatory in tenders; EAL level specified in RFP |
| HSM / cryptographic-module manufacturers | FIPS 140-2/140-3 testing | Mandatory for approved crypto in sensitive deployments |
| Data centres and cloud/hosting providers for e-Gov | ISMS (ISO/IEC 27001) + audit | Mandatory for MeitY-empanelled cloud/DC status |
| e-Governance application owners | Application security audit | Mandatory pre-go-live / pre-hosting on NIC/MeitY |
| Government website owners and their vendors | GIGW / Website Quality | Mandatory for GIGW compliance and STQC quality mark |
| Aadhaar-ecosystem device makers (AUA/KUA supply chain) | Biometric device certification | Mandatory (UIDAI L1 registered devices) |
| Electronics manufacturers (IT hardware) | Product safety/EMC testing | Mandatory for BIS and procurement conformity |
| Software product companies seeking public-sector trust | IC3S / ISMS / quality mark | Voluntary but commercially decisive |
Structure of STQC (schemes, domains and control families)
Because STQC is a family of schemes, its 'structure' is best understood as the internal control structure of each scheme plus the common conformity-assessment machinery that binds them. The table below decomposes the two flagship IT-security schemes (IC3S/Common Criteria and FIPS 140-3) plus the ISMS scheme into their constituent domains/families/requirement areas, because these are the areas an assessor will actually walk through.
| Scheme | Domain / family group | Requirement identifiers | Focus of the group |
|---|
| IC3S (CC) | Security Functional Requirements (SFRs) | Classes FAU, FCO, FCS, FDP, FIA, FMT, FPR, FPT, FRU, FTA, FTP | What the product's security enforces |
| IC3S (CC) | Security Assurance Requirements (SARs) | Classes ADV, AGD, ALC, ASE, ATE, AVA | How much confidence in the correctness of enforcement |
| IC3S (CC) | Evaluation Assurance Levels | EAL1 through EAL7 (India: up to EAL4+) | Depth and rigour of evaluation |
| IC3S (CC) | Security Target / Protection Profile | ASE / APE | Definition of the security problem and claims |
| FIPS 140-3 | Cryptographic module security areas | Areas 1-11 (per ISO/IEC 19790) | Physical, logical and cryptographic protections |
| FIPS 140-3 | Security levels | Level 1 through Level 4 | Escalating physical/tamper/authentication rigour |
| ISMS | Clauses 4-10 + Annex A | A.5-A.8 (2022 control themes) | Management system + 93 controls in 4 themes |
| Website/GIGW | Quality, usability, security, accessibility | GIGW + WCAG 2.1 A/AA | Content quality and inclusive access |
The Common Criteria assurance stack (SFR and SAR classes)
Within IC3S, a product (the Target of Evaluation, or TOE) is described by a Security Target (ST) that states which Security Functional Requirements it satisfies and which Evaluation Assurance Level of Security Assurance Requirements it claims. The functional classes cover audit (FAU), communication/non-repudiation (FCO), cryptographic support (FCS), user data protection (FDP), identification and authentication (FIA), security management (FMT), privacy (FPR), protection of the TSF (FPT), resource utilisation (FRU), TOE access (FTA) and trusted path/channels (FTP). The assurance classes cover development (ADV), guidance documents (AGD), life-cycle support (ALC), security-target evaluation (ASE), tests (ATE) and vulnerability assessment (AVA).
Master assessment checklist
This is the core of the guide. Each h3 below is a control group; each table lists, for the requirements in that group, exactly what an assessor must verify and the typical evidence an implementer must produce. No domain, family or requirement area is skipped. The checklist is organised first by the Common Criteria functional and assurance classes (the deepest and most examinable scheme), then by FIPS 140-3 areas, then by ISMS themes, then GIGW/accessibility, then biometric device criteria.
FAU - Security Audit (CC functional class)
| What to verify | Typical evidence |
|---|
| Auditable events are defined and generated (FAU_GEN) | Audit-event catalogue; log samples showing each event type |
| Each record carries subject identity, timestamp, outcome | Sample log records with all mandated fields |
| Audit review, selection and search are provided (FAU_SAR/SEL) | Log-review tool screenshots; query capability demo |
| Audit trail is protected from unauthorised deletion (FAU_STG) | Storage protection config; retention and overwrite policy |
| Alarms/actions on audit failure or storage exhaustion | Alerting rules; test log of storage-full behaviour |
FCO - Communication (non-repudiation)
| What to verify | Typical evidence |
|---|
| Proof of origin is generated and verifiable (FCO_NRO) | Design doc; signed-message samples with verification |
| Proof of receipt is generated and verifiable (FCO_NRR) | Receipt-token samples; verification test results |
| Association of evidence to identity is unforgeable | Cryptographic binding design; key-management evidence |
FCS - Cryptographic Support
| What to verify | Typical evidence |
|---|
| Approved algorithms and key sizes are used (FCS_COP) | Algorithm inventory; CAVP/CMVP references where applicable |
| Key generation uses an approved method (FCS_CKM.1) | RNG/DRBG design; entropy assessment |
| Key distribution and access are controlled (FCS_CKM.2) | Key-lifecycle procedure; access-control config |
| Key destruction/zeroisation is implemented (FCS_CKM.4) | Zeroisation routine code; test evidence of memory wipe |
FDP - User Data Protection
| What to verify | Typical evidence |
|---|
| Access-control and information-flow policies enforced (FDP_ACC/IFC) | Policy model; access-matrix and mediation tests |
| Residual information is protected (FDP_RIP) | Memory/object reuse test showing no data leakage |
| Data authentication and integrity monitored (FDP_DAU/SDI) | Integrity-check design; tamper-detection test logs |
| Import/export of data controlled with attributes (FDP_ITC/ETC) | Data-labelling design; boundary-transfer tests |
| Rollback and stored-data confidentiality provided | Rollback test; encryption-at-rest configuration |
FIA - Identification and Authentication
| What to verify | Typical evidence |
|---|
| Users are identified before any TSF-mediated action (FIA_UID) | Login-flow design; test showing pre-auth restriction |
| Authentication mechanism strength meets claim (FIA_UAU) | Password/MFA policy; authentication-failure handling test |
| Authentication-failure handling and lockout (FIA_AFL) | Lockout config; brute-force test evidence |
| User attributes bound and managed (FIA_ATD/USB) | Attribute-binding design; role-assignment records |
| Secrets quality and verification enforced (FIA_SOS) | Password-complexity rules; secret-generation test |
FMT - Security Management
| What to verify | Typical evidence |
|---|
| Management of TSF functions restricted to roles (FMT_MOF) | Role-permission matrix; privileged-action tests |
| Management of security attributes controlled (FMT_MSA) | Attribute-management UI/API; default-value config |
| Management of TSF data controlled (FMT_MTD) | Config-data access controls; audit of admin changes |
| Security roles are defined and maintained (FMT_SMR) | Role definitions; separation-of-duties evidence |
| Specification of management functions (FMT_SMF) | List of management functions; test coverage |
FPR - Privacy
| What to verify | Typical evidence |
|---|
| Anonymity provided where claimed (FPR_ANO) | Design showing identity-unlinkable operations |
| Pseudonymity/unlinkability/unobservability (FPR_PSE/UNL/UNO) | Privacy-mechanism design; correlation-resistance test |
FPT - Protection of the TSF
| What to verify | Typical evidence |
|---|
| TSF self-tests run and detect failures (FPT_TST) | Self-test routines; fault-injection test results |
| Failure with preservation of secure state (FPT_FLS) | Fail-secure design; abnormal-termination test |
| Time-source reliability for the TSF (FPT_STM) | Trusted-time configuration; NTP/clock integrity |
| Inter-TSF and internal data consistency (FPT_TDC/TRC) | Replication/consistency design and tests |
| Domain separation and reference mediation (FPT_SEP/RVM) | Architecture separation; non-bypassability test |
FRU - Resource Utilisation
| What to verify | Typical evidence |
|---|
| Fault tolerance maintains service (FRU_FLT) | Redundancy design; failover test evidence |
| Priority-of-service and quotas enforced (FRU_PRS/RSA) | Quota configuration; resource-exhaustion test |
FTA - TOE Access
| What to verify | Typical evidence |
|---|
| Session establishment limits and locking (FTA_SSL/MCS) | Session-timeout config; concurrent-session test |
| Access banners and history shown (FTA_TAB/TAH) | Login-banner screenshot; last-login display |
| Session limits based on attributes (FTA_LSA/TSE) | Time/location-restriction config and test |
FTP - Trusted Path/Channels
| What to verify | Typical evidence |
|---|
| Trusted channel between TSF and remote IT (FTP_ITC) | TLS/IPsec configuration; channel-integrity test |
| Trusted path between user and TSF (FTP_TRP) | Anti-spoofing login-path design and test |
ADV - Development (CC assurance class)
| What to verify | Typical evidence |
|---|
| Security architecture supports self-protection (ADV_ARC) | Security-architecture description document |
| Functional specification of TSF interfaces (ADV_FSP) | Functional spec mapping SFRs to interfaces |
| TOE design decomposition to subsystems/modules (ADV_TDS) | Design document with subsystem descriptions |
| Implementation representation available (ADV_IMP) | Source-code samples / build artefacts for EAL4+ |
AGD - Guidance Documents
| What to verify | Typical evidence |
|---|
| Operational user guidance is complete and correct (AGD_OPE) | Admin/user manuals describing secure operation |
| Preparative procedures ensure secure install (AGD_PRE) | Installation/acceptance guide; secure-config baseline |
ALC - Life-cycle Support
| What to verify | Typical evidence |
|---|
| Configuration management scope and coverage (ALC_CMC/CMS) | CM plan; version-controlled item list |
| Secure delivery procedures (ALC_DEL) | Delivery procedure preventing tamper in transit |
| Development security at the site (ALC_DVS) | Site-security controls; access logs to dev environment |
| Life-cycle model and tools defined (ALC_LCD/TAT) | SDLC documentation; toolchain/compiler options |
| Flaw remediation process (ALC_FLR) | Flaw-tracking and patch procedure with SLAs |
ASE - Security Target Evaluation
| What to verify | Typical evidence |
|---|
| ST conformance and introduction are sound (ASE_INT/CCL) | Security Target document with conformance claims |
| Security problem definition is complete (ASE_SPD) | Threats, assumptions and organisational policies |
| Objectives and requirements are traceable (ASE_OBJ/REQ) | Objective-to-SFR traceability matrix |
| TOE summary specification is consistent (ASE_TSS) | TSS mapping SFRs to implemented functions |
ATE - Tests
| What to verify | Typical evidence |
|---|
| Test coverage of TSF interfaces (ATE_COV) | Coverage analysis mapping tests to interfaces |
| Testing depth to subsystem/module level (ATE_DPT) | Depth analysis for EAL3+/EAL4+ |
| Functional test cases and results (ATE_FUN) | Test plan, procedures, expected/actual results |
| Independent evaluator testing (ATE_IND) | Evaluator test report reproducing/extending vendor tests |
AVA - Vulnerability Assessment
| What to verify | Typical evidence |
|---|
| Vulnerability analysis and penetration testing (AVA_VAN) | Evaluator vulnerability-analysis and pen-test report |
| Resistance appropriate to attack potential for the EAL | Attack-potential rating; residual-vulnerability list |
FIPS 140-3 cryptographic module security areas
| What to verify | Typical evidence |
|---|
| Cryptographic module specification and boundary (Area 1) | Module spec; defined cryptographic boundary diagram |
| Ports and interfaces separate data/control/status (Area 2) | Interface definition; port-role documentation |
| Roles, services and authentication (Area 3) | Role/service matrix; authentication-mechanism evidence |
| Software/firmware security and integrity (Area 4) | Integrity-check design; approved load mechanism |
| Operational environment controls (Area 5) | OS configuration; restricted/modifiable-environment proof |
| Physical security and tamper evidence/response (Area 6) | Tamper-seal design; enclosure and response evidence |
| Non-invasive security mitigations (Area 7) | Side-channel mitigation documentation |
| Sensitive security parameter management (Area 8) | Key/CSP lifecycle; zeroisation and storage evidence |
| Self-tests (pre-operational and conditional) (Area 9) | Self-test list; known-answer and integrity test logs |
| Life-cycle assurance and guidance (Area 10) | Delivery, configuration and secure-operation guidance |
| Mitigation of other attacks (Area 11) | Documentation of attacks addressed beyond areas 1-10 |
ISMS (ISO/IEC 27001) management-system clauses
| What to verify | Typical evidence |
|---|
| Context, scope and interested parties (Clause 4) | ISMS scope statement; stakeholder analysis |
| Leadership, policy and roles (Clause 5) | Signed InfoSec policy; assigned responsibilities |
| Risk assessment and treatment planning (Clause 6) | Risk methodology; risk register; SoA; treatment plan |
| Resources, competence and awareness (Clause 7) | Training records; competence matrix; documented info control |
| Operational risk-treatment execution (Clause 8) | Operating procedures; risk-treatment implementation records |
| Monitoring, measurement and internal audit (Clause 9) | Metrics; internal-audit reports; management-review minutes |
| Nonconformity and continual improvement (Clause 10) | CAPA log; corrective-action closure evidence |
ISMS Annex A control themes (ISO/IEC 27001:2022)
| What to verify | Typical evidence |
|---|
| Organisational controls (A.5, 37 controls) | Policies, supplier agreements, threat-intel, classification |
| People controls (A.6, 8 controls) | Screening, terms of employment, awareness, disciplinary process |
| Physical controls (A.7, 14 controls) | Perimeter, entry logs, equipment siting, secure disposal |
| Technological controls (A.8, 34 controls) | Access control, cryptography, logging, secure development, backup |
Website Quality and GIGW / WCAG 2.1 accessibility
| What to verify | Typical evidence |
|---|
| Content quality, currency and authenticity (GIGW) | Content policy; last-updated stamps; ownership metadata |
| Perceivable content: text alternatives, captions (WCAG 1.x) | Alt-text audit; caption files; contrast-ratio report |
| Operable interface: keyboard, navigation (WCAG 2.x) | Keyboard-only test; focus-order and skip-link evidence |
| Understandable content and predictable UI (WCAG 3.x) | Readable-language settings; consistent-navigation test |
| Robust markup and assistive-tech compatibility (WCAG 4.x) | Valid HTML/ARIA; screen-reader test results |
| Website security and privacy (GIGW security) | VAPT report; HTTPS config; privacy-policy publication |
Biometric device certification (UIDAI L0/L1)
| What to verify | Typical evidence |
|---|
| Biometric capture quality and image standards | Capture-quality test results against ISO image specs |
| Signing/encryption of biometric record at source (L1) | Secure-element design; PID-block encryption evidence |
| Device tamper resistance and secure key storage | Tamper design; key-injection and provisioning records |
| Registered-device registration and lifecycle | RD-service integration; device-registration logs |
Scoping the certification
Scoping determines cost, timeline and the very meaning of your certificate, and a mistake here is expensive to unwind. The first decision is which scheme applies; a cryptographic library should target FIPS 140-3, a security appliance IC3S, a hosting operation ISMS, and a citizen-facing portal GIGW. Within a scheme the scope is defined precisely: for IC3S the Target of Evaluation (TOE) boundary must state exactly which product versions, modules, interfaces and hardware/software environment are included, because anything outside the boundary is uncertified. For FIPS the cryptographic boundary must be drawn around the module, and the operational environment classified as non-modifiable, limited or modifiable. For ISMS the scope statement fixes the sites, services, business units and information assets covered by the Statement of Applicability.
- Identify the mandate: read the tender/RFP or regulatory requirement to see which scheme and which level (e.g. EAL2, FIPS Level 3) is demanded.
- Draw the boundary precisely: TOE/cryptographic/ISMS scope must be unambiguous and version-locked.
- Fix the security problem: threats, assumptions and organisational policies the certificate will address.
- Decide the assurance/security level to claim, balancing cost against the buyer's requirement.
- Confirm any Protection Profile the product must conform to (some sectors mandate a specific PP).
- Enumerate the operational environment and dependencies that the certificate assumes.
Implementation approach (phased)
An STQC engagement runs most smoothly as a staged programme. The phases below use IC3S/Common Criteria as the running example (the most document-intensive scheme); the same shape applies to FIPS and ISMS with scheme-specific artefacts substituted.
Phase 1 - Readiness and scheme selection
- Activities: confirm applicable scheme and level; perform a gap assessment against the target criteria; draft the TOE/scope boundary.
- Deliverables: scheme-selection memo, gap-assessment report, high-level scope statement and project plan.
Phase 2 - Security Target / documentation build
- Activities: author the Security Target (or SoA/module spec); map claims to SFRs/controls; establish CM, SDLC and delivery procedures.
- Deliverables: Security Target (ASE) or Statement of Applicability, CM plan, life-cycle documentation, guidance manuals (AGD).
Phase 3 - Engineering hardening and evidence generation
- Activities: implement/remediate controls; produce design (ADV) and test (ATE) evidence; run internal VAPT and self-tests.
- Deliverables: architecture and design documents, test plans and results, vulnerability-remediation records, secure-config baseline.
Phase 4 - Laboratory evaluation / audit
- Activities: engage the accredited lab (CCTL for IC3S); submit evidence; support evaluator testing, penetration testing and observation reports.
- Deliverables: evaluation-input package, evaluator observation-report responses, corrected artefacts, evaluation test evidence.
Phase 5 - Certification and surveillance
- Activities: STQC Certification Body reviews the Evaluation Technical Report and issues the certificate; establish assurance-continuity/maintenance and surveillance where applicable.
- Deliverables: certificate and certification report, maintenance/assurance-continuity plan, surveillance-audit schedule and re-certification roadmap.
Assurance / capability levels (scoring model)
Each STQC scheme expresses rigour through a graded level scale. The table maps the level scales of the flagship schemes so implementers can choose a target and assessors can calibrate depth.
| Scheme | Level | Meaning / rigour |
|---|
| IC3S EAL | EAL1 | Functionally tested - basic confidence |
| IC3S EAL | EAL2 | Structurally tested - low-to-moderate assurance |
| IC3S EAL | EAL3 | Methodically tested and checked |
| IC3S EAL | EAL4 | Methodically designed, tested and reviewed (India's usual ceiling, EAL4+) |
| IC3S EAL | EAL5-EAL7 | Semiformal/formal design and verification (highest rigour) |
| FIPS 140-3 | Level 1 | Approved algorithms, no physical security beyond production-grade |
| FIPS 140-3 | Level 2 | Tamper-evidence and role-based authentication |
| FIPS 140-3 | Level 3 | Tamper-response/zeroisation and identity-based authentication |
| FIPS 140-3 | Level 4 | Complete envelope of protection against physical/environmental attack |
| ISMS | Certified | Conformity to ISO/IEC 27001 clauses and applicable Annex A controls |
Assessment and audit approach
- Application and scoping: submit the certification application to STQC, agree the scheme, level and boundary.
- Evidence submission: deliver the Security Target/SoA and supporting design, life-cycle and guidance evidence to the accredited laboratory.
- Evaluation planning: the lab produces an evaluation work-plan mapping each requirement to evaluation activities.
- Documentary evaluation: evaluators examine each SFR/SAR (or clause/control) and raise observation reports on deficiencies.
- Independent testing: evaluators reproduce vendor tests and design their own functional and penetration tests.
- Vulnerability assessment: evaluators rate residual vulnerabilities against the attack potential defined for the claimed level.
- Observation-report resolution: the vendor remediates and resubmits until all findings are closed.
- Evaluation Technical Report: the lab compiles the ETR and a verdict per requirement.
- Certification decision: the STQC Certification Body reviews the ETR and issues (or withholds) the certificate and certification report.
- Surveillance / assurance continuity: maintenance, re-evaluation of changes and periodic surveillance sustain the certificate's validity.
Evidence request list
- Governance: scheme-selection memo, certification application, project plan, scope/boundary statement.
- Security definition: Security Target or Statement of Applicability, Protection Profile conformance claims, risk register.
- Design: security-architecture (ADV_ARC), functional specification (ADV_FSP), TOE design (ADV_TDS), implementation representation for EAL4+.
- Life-cycle: configuration-management plan and item list, secure-delivery procedure, development-site security controls, flaw-remediation process, SDLC model.
- Guidance: operational user guidance and preparative install procedures, secure-configuration baseline.
- Testing: test plans, procedures and results, coverage and depth analyses, self-test and known-answer-test logs.
- Cryptography: algorithm inventory, key-lifecycle and zeroisation evidence, entropy/DRBG assessment, CAVP/CMVP references.
- Vulnerability: internal and evaluator VAPT reports, residual-vulnerability list, patch SLAs.
- ISMS operations: policies, training records, internal-audit reports, management-review minutes, CAPA log.
- Web/accessibility: WCAG audit, VAPT report, HTTPS/privacy configuration, content-ownership metadata.
Roles and responsibilities
| Role | Primary responsibility |
|---|
| STQC Certification Body (MeitY) | Owns the scheme, reviews ETRs, issues certificates and maintains the register |
| Accredited laboratory / CCTL | Performs the independent evaluation, testing and vulnerability assessment |
| Sponsor / Developer (vendor) | Provides the TOE, Security Target, design, life-cycle and test evidence |
| Product security lead | Owns SFR/control implementation and evidence quality |
| Development site security officer | Maintains development-environment security (ALC_DVS) |
| QA / Test lead | Produces functional test evidence and coverage/depth analyses |
| Cryptography engineer | Owns key management, algorithms and zeroisation (FCS / FIPS areas) |
| ISMS manager (for ISMS scope) | Runs the management system, risk treatment and internal audits |
| CyberSigma advisory team | Guides scoping, builds evidence, remediates gaps and manages the lab engagement |
KPIs to track
- Percentage of SFRs/SARs (or Annex A controls) with complete, lab-ready evidence.
- Number of open observation reports from the laboratory and mean time to resolution.
- Residual vulnerabilities by severity and closure rate against the attack-potential threshold.
- Documentation coverage ratio (design/guidance/life-cycle artefacts complete versus required).
- Test coverage and depth against TSF interfaces and subsystems.
- Elapsed time per phase versus plan (readiness, ST build, evaluation, certification).
- Self-test and known-answer-test pass rate for cryptographic modules.
- Days to re-certification / next surveillance and assurance-continuity actions raised per change.
Readiness checklist
- Correct STQC scheme and target level confirmed against the mandate or RFP.
- TOE / cryptographic / ISMS boundary drawn and version-locked.
- Security Target or Statement of Applicability drafted and internally reviewed.
- All applicable SFRs/controls mapped to implemented functions with traceability.
- Design, life-cycle, guidance and test evidence assembled to the claimed level.
- Internal VAPT completed and high/medium findings remediated.
- Cryptographic self-tests and key-zeroisation verified.
- Accredited laboratory / CCTL engaged and evaluation work-plan agreed.
- Flaw-remediation, CM and secure-delivery procedures operational.
- Surveillance / assurance-continuity plan defined for post-certification.
Common gaps
- Ambiguous or over-broad TOE boundary that pulls uncertified components into scope.
- Security Target claims not traceable to actual implemented functions (weak ASE_TSS).
- Missing or thin life-cycle evidence: no formal CM item list or secure-delivery procedure.
- Insufficient test coverage/depth for the claimed EAL (ATE_COV/DPT shortfalls).
- Cryptography using non-approved algorithms or lacking documented key zeroisation.
- No trusted-time source or self-test evidence for TSF protection (FPT_STM/FPT_TST).
- ISMS Statement of Applicability with unjustified control exclusions.
- Accessibility failures (poor contrast, missing alt-text, keyboard traps) in GIGW/WCAG scope.
- Residual vulnerabilities not rated against the correct attack potential for the level.
- No assurance-continuity plan, so a routine product update invalidates the certificate.
STQC mapped to other frameworks
| STQC scheme / requirement | Maps to | Nature of mapping |
|---|
| IC3S EAL levels | ISO/IEC 15408 + ISO/IEC 18045 | IC3S is the Indian national CC scheme; direct adoption |
| IC3S certificates | CCRA mutual recognition | Recognised internationally up to the CCRA-recognised level |
| Cryptographic Module Testing | FIPS 140-2/140-3 (ISO/IEC 19790) | Testing aligned to NIST/ISO cryptographic-module standards |
| ISMS certification | ISO/IEC 27001:2022 | Same clauses and Annex A control set |
| Application/e-Gov audit | OWASP ASVS / Top 10, ISO/IEC 27001 | Control themes overlap for web-application security |
| Website Quality (GIGW) | WCAG 2.1 (W3C), ISO 9241 usability | Accessibility and usability alignment |
| Biometric device certification | ISO/IEC 19794 image standards, UIDAI specs | Capture-quality and secure-record alignment |
| FCS / FIPS key management | NIST SP 800-57 key-management guidance | Key-lifecycle practice alignment |
How CyberSigma helps
CyberSigma runs STQC engagements end to end. As a CERT-In empanelled and PCI QSA practice, we begin with scheme selection and a rigorous gap assessment, then draw a defensible TOE/cryptographic/ISMS boundary and author the Security Target or Statement of Applicability so your claims are traceable and lab-ready. Our engineers close design, life-cycle, testing and cryptographic-evidence gaps, run internal VAPT and self-test validation, and prepare the full evaluation-input package. We manage the accredited laboratory/CCTL engagement, drive observation-report resolution, and steer the certification decision to a clean result. Post-certification we build your surveillance and assurance-continuity plan so that ordinary product updates never silently invalidate your certificate. Talk to CyberSigma to turn an STQC mandate into a durable, market-recognised assurance asset.