BSI minimum standards for the use and shared use of external cloud services

The need for secure cloud services is also increasing steadily in the Federal Administration. In practice, the fields of application can differ very widely, with the result that – also depending on the protection needs of the data to be processed – information security now plays an increasingly central role. The specification and implementation of security requirements therefore forms an important part of the utilisation of cloud services. In light of this, the BSI has identified the two application areas of ‘use’ and ‘shared use’ as being of particular importance for the Federal Administration, and has defined targeted security requirements for these areas as minimum standards, according to Section 8 (1) of the BSI Act.

Use of external cloud services

In this application area, the federal agency (here, a federal office within the meaning of Section 8 (1) of the BSI Act) has a need for an IT service that it cannot meet with internal IT resources and that is therefore to be provided by an external cloud service. This is essentially a make-or-buy decision for the federal agency. If the federal agency decides on the ‘buy’ option, it signs a contract with a commercial enterprise (the cloud provider) for the provisioning of this IT service. In this case, the federal agency assumes the role of the client. The BSI regards this scenario as the typical case of federal agencies utilising external cloud services.

This minimum standard encompasses the topic areas of information security, transparency of cloud service provision and proof of these aspects by means of suitable audits. Details of framework conditions for the provision of cloud services are specified. Also specified is the way in which audit records from the cloud provider should be used for information security management for the respective federal agency. However, this does not affect responsibility for the IT objects, which remains with the federal agency as part of its IT-Grundschutz strategy. This strategy is modified by the usage of external cloud services.

Shared use of external cloud services

The shared use application area includes scenarios where IT users at a federal agency make use of external cloud services without a contractual relationship defining this shared use existing between the agency and the actual cloud provider. In such cases, the federal agency is not itself the cloud service client. This shared use model is increasingly chosen in cases where IT users from different institutions wish to work together in the context of (international) projects or working groups. However, the security requirements from the minimum standard for the use of external cloud services are often too far-reaching – particularly during the acquisition phase. The BSI minimum standard for the shared use of cloud services therefore provides a set of specifications for this application area, thereby helping to evaluate such services.

Implementation Guidance

To provide assistance to IT managers, IT security officers and IT operating personnel, Implementation Guidance provides comprehensive information about the correct interpretation and implementation of these two minimum standards. The document first addresses common ground and differences between the two minimum standards, before providing a detailed set of implementation guidance on the respective security requirements. Managers can use the Implementation Guidance to make comparisons with their own information security process. The familiar contact addresses can also be used to submit any additional and related queries.

2021 update: the Federal Office for Information Security (BSI) is currently working on a new version of the minimum standard for the use of external cloud services. To this end, a Community Draft was published with an invitation to submit comments. By 8 January 2021, a wealth of feedback had been received from users in the Federal Administration, from public authorities at state and municipal level, and from the commercial IT community. Feedback of this kind forms an important part of quality assurance work for the minimum standard, helping to ensure that the standard reflects current good practice. After the comments have been reviewed and evaluated, and after a further internal coordination round within the BSI, the final version 2.0 of the revised minimum standard will be provided here as a download.

Download minimum standards (only available in German)

BSI minimum standard (Section 8 (1) Sent. 1 BSI Act) for the use of external cloud services in the Federal Administration

BSI minimum standard (Section 8 (1) Sent. 1 BSI Act) for the shared use of external cloud services

Download Implementation Guidance (only available in German)

Implementation Guidance on the BSI minimum standard for the use and shared use of external cloud services, according to Section 8 (1) of the BSI Act