The LAP (Laboratorio di Prova Accreditato, accredited testing laboratory) of DEAS Cyber+, among the first to be accredited by the Agenzia per la Cybersicurezza Nazionale (ACN), works to strengthen the protection of complex infrastructures in accordance with national and European standards.
The Laboratory's team of specialized engineers and technicians tests critical systems to assess their resilience and security (Secure by Design), operating in support of the Centro di Valutazione e Certificazione Nazionale (CVCN) and of the Defence and Interior Evaluation Centers. All activities follow ACN methodologies and the ISO/IEC 17025 and ISO/IEC 27001 standards.
Assessments carried out by laboratories as economic operators independent of the CVCN
The Laboratory carries out security assessments of systems, goods and services that do not fall within the "National Cyber Security Perimeter" (defined by the Prime Ministerial Decree of 15 June 2021).
These assessments may be addressed to:
Incident and crisis management support (NIS2 compliance or DL 138 2024)
Incident and crisis management support is a service that helps companies ensure cybersecurity and respond to incidents effectively, in accordance with the NIS2 directive on the security of networks and information systems. The Laboratory assists with adaptation to and compliance with NIS2, supporting companies or public bodies operating in strategic sectors in incident management (detection, analysis, notification, response) and in crisis management through the definition of plans, policies, processes and tools that ensure timely and adequate reactions in the respective service areas provided by ACN. The Laboratory supports the design and implementation of CSIRTs in private and public entities.
Support for the voluntary certification CC:2022 (fut. EUCC:2024)
Within the voluntary certification scheme EUCC (European Union Cybersecurity Certification), based on the Common Criteria standard (ISO/IEC 15408), the Laboratory provides consultancy services for preparing the documentation needed to start the evaluation process: Security Target, Protection Profile, documentation relating to secure development, functional and anti-intrusion testing, documentation relating to the life cycle, security operating guides, etc. It also assists with the partner's activities planned during the certification process.
Assessments for academic research purposes
The Laboratory can cooperate with Italian and foreign learning institutions, departments, academies and universities to contribute to the development of new standards, best practices or methodologies for the prevention of IT risks and for conducting assessments with innovative tools and techniques that are always up to date with respect to the constantly evolving technological context.
Consulting for the preparation of security requirements
The Laboratory offers consulting services for the definition of Specific Security Requirements to be implemented for the creation of system security measures (physical, procedural, organizational, IT) in order to mitigate the risks identified in specific contexts.
Support for the renewal of certifications
The DEAS Cyber+ LAP supports companies and institutional actors in planning and developing the gap analysis for the renewal of certifications that revolve around homologation and certification methodologies through the use of Common Criteria.
Risk Analysis in contexts other than the activities delegated by the CVCN
The highly specialized staff of the LAP supports the definition and drafting of the Risk Analysis in order to identify, evaluate and manage potential dangers (threats, vulnerabilities, associated risks) that can compromise the cybersecurity of a system or an organization. The Laboratory's Competence Center uses lead auditors, standards and frameworks such as ISO/IEC 27005, NIST 800-30, ISO 31000.
Support for Laboratory Quality Management Systems (ISO 17025, ISO 27001)
Specialist consultancy on quality management systems of measurement laboratories in the cyber sector, such as the ISO 17025 and ISO 27001 standards, which guarantee the validity and reliability of the results of functional and security tests. The LAP's highly specialized staff provides support for the implementation of the Management Systems by helping to define processes, policies, procedures and controls for compliance.
Training for cybersecurity evaluators in Italy (Higher Education School)
The Laboratory designs training sessions and educational modules in the cybersecurity sector for the training of personnel to be employed in the Security Assessment Laboratories. The training offer contributes to the acquisition of highly specialized skills in the cyber sector, ranging from knowledge of assessment schemes and the regulatory framework to specialized training on advanced offensive and defensive security techniques.
Common Criteria Competence Center 2017 2022 and EUCC
The Laboratory presents itself as a competence center for the Common Criteria v3.1 R5 (2017) standard and its new 2022 version, capable of training competent personnel and supporting ITSEF-accredited laboratories in voluntary certification activities under the EUCC scheme for hardware/software/ICT products at the “substantial” and “high” assurance levels.