BSI requirements documents contain comprehensive specifications on which documents are needed for an approval procedure. These requirements are based on internationally recognised Common Criteria security criteria, which they adapt to the needs of a product audit performed as part of the approval. They define the aspects of a product's security features that a manufacturer must prove to the BSI in the context of an evaluation and approval process. The Security Target is the key document here; it defines the security features to be audited during the evaluation on an abstract level and forms the basis for that evaluation.
The manufacturer must provide evidence for these security features in the form of detailed documentation of compliance, inter alia, in terms of security architecture, interface specification, design, source code, test certificates and vulnerability analyses.
The security features that the product must provide and the scope of the documentation of compliance both depend on the desired level of certification.
The length of the approval process depends on a variety of factors. It particularly depends on the intended approval level, the complexity of the IT security product, the scope of the audit and the support of the parties involved, such as the provision of product documentation by the manufacturer.
The documents can be provided in paper form or in any uneditable format. Documents can also be provided in an editable electronic form.
The manufacturer's support of the BSI particularly includes providing comprehensive documentation on the IT security product submitted, but it also involves activities that are required by the evaluation (e.g. appointing a competent contact person, providing test systems or meters if applicable).
An approval is a binding statement regarding the security value of an IT security product. Once an IT security product has been issued an approval, it can be used in accordance with the Security Screening Act to process or transfer classified information (CI) within the authorisation level for which the maximum authorisation was issued.
The General Administrative Provision for the Material Protection of Classified Information (VSA) permits an agency director to release products for use, especially if no suitable approved products are available and the provisioning of approved products cannot be arranged (in good time). The relevant advice provided by the BSI is documented as part of the release recommendation. A release recommendation is limited to a specific scenario and may also be associated with usage restrictions.
Where possible, the BSI will provide instructions for the release recommendation for the releasing agency (especially regarding usage and operating conditions). These instructions will include a list of known vulnerabilities and risks that arise from this deployment. As part of the release, the user is then requested to draw on this information, to weigh up the disadvantages in terms of IT security against the advantages of deployment while considering the risks, and to document this explicitly by preparing a corresponding risk analysis. This risk analysis must recommend and prescribe measures that minimise the risks identified. The resulting residual risks must be clearly identifiable from this risk analysis for users and must also be accepted by them.
In all cases, an application for approval of an IT security product can be submitted only by a Federal public authority user (the 'customer'). An application form for this purpose can be requested from the contact addresses given below.
All IT security products that are used for processing and transferring classified information are generally subject to an audit and security assessment. Section 37 of the Instructions on the Handling of Restricted Information (VSA) defines the relevant details. A distinction is made between IT security products that must be certified by the BSI and IT security products that should be certified. The second group permits exceptions if no suitable certified products are available. National security requirements must always be taken into account. The IT security products used are generally those certified by the BSI on the basis of Common Criteria with a national protection profile.
The documents must be provided in German and/or English.
Pursuant to the BSI Act and the 'General Administrative Provision of the Federal Ministry of the Interior on Material and Organisational Protection of Classified Information' (VS-Anweisung – VSA) of 31 March 2006, only the BSI can issue an approval for IT security products.
No direct costs are charged either to the user or the manufacturer. However, any expenses incurred by the manufacturer or customer in connection with supporting the BSI with the approval process must be borne by them. The BSI is not able to reimburse such costs.
No. The information made available by the manufacturer is handled confidentially within the BSI. Only those individuals appointed to conduct the approval process have access to the information provided. A confidentiality agreement to this effect can be set down in writing.
Among other things, the Federal Office for Information Security is legally authorised to examine IT security products (evaluation) and make binding statements on their security value (certification). This affects IT security products that are used for the processing and transfer of officially classified information in the federal area or by companies in the context of federal contracts. The product classes are listed in the Instructions on the Handling of Restricted Information (VSA) dated 31 March 2006 (Section 37 VSA). The procedure applies mainly to IT security products that contain cryptographic components, known as cryptosystems.
An evaluation for the purposes of issuing an approval is the technical testing and assessment of the technical security effectiveness of an IT security product in accordance with well-defined IT security criteria and appropriate audit techniques.
No, the precise build or version is defined in the certification. The user may only use the certified versions, taking into account the usage and operating conditions listed in the approval documentation, otherwise the processing or transfer of classified information is not permitted.
A modified build or version must be reported to the BSI by the manufacturer. A re-evaluation will then be initiated that is generally restricted to the modified and security-relevant components and the certification will be updated.
An approval only relates to IT security products used for the processing and transferring of state classified information (CI) and focuses particularly on the requirements of the state protection of classified information. An approval can only be issued by the BSI. A certification, on the other hand, can be applied to all IT products that contain security functions, provided that the manufacturer decides to submit it to an impartial audit. This evaluation can also be conducted by external evaluation facilities.
The IT security product is tested as part of a pre-audit to determine whether it can be approved. The approval process may in principle be cancelled at any point for well-founded reasons. This may be, for example, because of insufficient support from the manufacturer.
The following levels of approval exist: VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD), VS-VERTRAULICH (VS-V), GEHEIM and STRENG GEHEIM. The information to be protected must not be classified as any level higher than the approval.
Bundesamt für Sicherheit in der Informationstechnik
Referat KM 12 Zulassung von VS-Produkten
Postfach 20 03 63
53133 Bonn
Telephone: +49 (0) 22899 / 9582 - 5470
Fax: +49 (0) 22899 / 10 9582 - 5470
Email: zulassung@bsi.bund.de
De-Mail: zulassung@bsi-bund.de-mail.de