The countdown for NIS-2 is on: By 17 October 2024 at the latest, the new EU directive on network and information security must be transposed into national law. NIS-2 not only expands the circle of affected companies and public institutions - by up to 100,000 additional organisations across Europe - but also tightens the prescribed protective measures. Among other things, possible security risks in supply chains and supplier relationships come more into focus. As a result, NIS-2 also has an impact on a great many other companies.
To ensure the security of their supply chains, CRITIS operators must take into account "the specific vulnerabilities of each immediate supplier and service provider, as well as the overall quality of the products and cybersecurity practices of their suppliers and service providers, including the security of their development processes" - according to the current draft of the NIS-2 Implementation Act (NIS2UmsuCG). Supply chain risks thus become compliance risks for the organisations concerned.
In this presentation, Knut Trepte shows how companies can prepare for the requirements of NIS-2 in good time - and what role certifications such as Common Criteria EAL 4+ play in this. Using SUSE Linux Enterprise Server (SLES) as an example, he explains what the use of a certified operating system means for legal liability.
The Common Criteria for Information Technology Security Evaluation, or Common Criteria for short, make it possible to evaluate the security of IT products against generally applicable criteria. The internationally recognised standard defines seven Evaluation Assurance Levels (EAL 1 to EAL 7), each imposing stricter requirements on how thoroughly a product is tested and evaluated.
SUSE Linux Enterprise Server received Common Criteria EAL 4+ certification from the German Federal Office for Information Security (BSI) in 2021. This was based on a comprehensive evaluation of the product and of all development and security update processes by atsec information security and BSI officials. The Evaluation Assurance Level 4 augmented by ALC_FLR.3 (EAL 4+) confirms that SLES meets the highest security requirements for the product and the entire supply chain for mission-critical infrastructures - on x86-64 as well as on IBM Z and Arm architectures. This makes SUSE currently the only vendor of a current general-purpose operating system that is Common Criteria EAL 4+ certified on all these platforms.
Against the background of the NIS-2 regulations, this certification is an enormous advantage for companies using SLES: They can rest assured that the development and production processes of their operating system have been evaluated by an independent body. This significantly reduces legal liability, as the security of the software supply chain can be considered to have been audited by the German Federal Office for Information Security (BSI).
In addition to Common Criteria EAL 4+ certification, SLES also meets the requirements of other national and international security standards. These include FIPS 140-2/3 for encrypted communications and data storage, the Google SLSA standard for secure supply chains, and security certifications from Spain's Centro Criptológico Nacional (CCN) and South Korea's Telecommunications Technology Association (TTA).
SUSE follows the principle of "certify once, use many" when certifying its operating system products. This means that the certified security properties and standards compliance of SLES also carry over to SLE Micro and SLE BCI (Base Container Images) through the shared code base. This makes it easier for companies to meet compliance requirements across their entire IT estate.
For more information on SUSE's certifications, click here: https://www.suse.com/support/security/certifications/