Answers to Frequently Asked Questions about the Minimum Standards
-
As the national cyber security authority, the BSI has the primary responsibility of defending federal information technology against threats. In accordance with Section 8 subsection 1 of the BSIG, the BSI establishes minimum standards to ensure the security of federal information technology. These security standards are defined on the basis of the BSI's technical expertise and its firm conviction that the federal administration must not fall below this minimum level. By specifying security requirements for federal IT, a unified minimum level can be established, consisting of effective measures to defend the heterogeneous federal bodies against cyber attacks. Minimum standards can specify requirements for technical components, such as hardware, software and networks, as well as for other security-relevant aspects connected to technology, such as organisation and human resources.
-
The scope of the minimum standards covers the federal bodies, i.e. the federal administration is the target audience. In addition to the federal bodies themselves, institutions whose legal entity is the German federal government are regarded as part of the federal administration. The federal administration is therefore responsible for correctly implementing and complying with the minimum standards of the BSI.
-
The minimum standards describe a minimum security level. Although they are aimed at the federal administration, they can also be applied by the state administrations or by industry, as the security requirements are formulated so that they can be met and implemented outside the federal administration. For instance, the minimum standard on the use of external cloud services sets out security requirements for the procurement, implementation and termination phases of cloud use. Likewise, the requirements for mobile device management, for a secure web browser and for an interface control solution can help other target audiences to achieve a minimum security level.
-
The legal framework for the minimum standards stems from the BSIG. Section 8 subsection 1 of the BSIG states that the BSI shall develop minimum standards for ensuring the security of federal information technology and that it shall advise the federal bodies, upon request, on implementing and complying with the minimum standards.
The strategic framework for the minimum standards derives from the Cyber Security Strategy for Germany 2016. The fields of action defined there are directly addressed by the minimum standards, which ensure a minimum level of security. Their concrete specifications contribute to implementing the measures identified in the strategy, such as shaping digitalisation securely, strengthening the German IT industry and securing the federal administration.
The conceptual framework comprises the relevant regulations that refer to minimum standards as an instrument. This includes the federal implementation plan (UP Bund), which serves as the information security guideline of the federal administration and explicitly requires the minimum standards of the BSI to be taken into account. At its 82nd meeting, the Budget Committee decided, among other things, that a minimum standard for the security of federal data centres should be specified. In addition, the Civil Defence Concept and the Architectural Guideline for Federal IT refer to the minimum standards and emphasise that they are essential for IT security within the federal administration. The conceptual framework in particular highlights the importance of minimum standards and their application in the federal administration.
-
The minimum standards of the BSI differ from other national and international information security standards in three important respects:
- Target audience: the target audience of the minimum standards is the federal administration.
- Security requirements: minimum standards differ from other standards in the type of requirements they contain. They describe a minimum level of security, based on the BSI's firm conviction that the federal administration must not fall below it. The aim is not to establish the highest possible level of security, but to develop a unified minimum level that can be achieved by all federal bodies.
- Certification: the minimum standards of the BSI are not a form of certification, unlike the ISO standards or IT-Grundschutz, for instance. They are purely a regulatory instrument for ensuring the security of federal information technology.
-
The BSI develops minimum standards according to a standardised procedure. The life cycle of a minimum standard consists of seven phases, from idea generation to publication and beyond (see figure below), and places particular emphasis on the far-reaching, active involvement of the target audience. The procedure can roughly be divided into three main stages: in-house development, the external consultation procedure and the use phase after publication.
First, possible topics for new minimum standards are identified (Pre-α). Besides the expertise of the BSI, suggestions from the target audience are a vital source. Once a topic is chosen, the Minimum Standards section and the responsible specialist section create a rough draft, which is then agreed upon within the entire BSI and developed further into the first BSI draft (α).
The consultation procedure then begins (β). The BSI sends its draft to the federal ministries and simultaneously publishes a community draft on its website. This gives the target audience and other interested specialists the opportunity to comment on the draft and contribute their expertise to the development of the minimum standard. After the β-phase has ended, all comments are incorporated into the draft together with the specialist section. The second draft of the minimum standard is agreed upon one last time within the BSI and signed off (release candidate). Subsequently, the minimum standard is published on the BSI website and sent directly to the federal ministries for implementation (release).
However, the life cycle does not end with publication. It is followed by the Δ-phase, which consists of support and monitoring: the application of the minimum standard is analysed and its contents are regularly reviewed to ensure they are still current. A review of a published minimum standard can be initiated via a request for amendment, for instance if technical circumstances have changed (request for change).
Minimum standards are therefore subject to an active, continuous process in which feedback and criticism are explicitly welcome.
-
Please feel free to contact us with questions or feedback about the minimum standards. The BSI looks forward to hearing from you.