
BSI document 7164: List of approved IT security products and systems -Information-

Information on the list of approved IT security products and systems

1. Preliminary Remarks

Among other things, the Federal Office for Information Security (BSI) is legally authorised to examine IT procedures, products and devices for IT security and make binding statements on their security value.
This affects devices, products and procedures that are used for the processing and transfer of officially classified information (CI) in the federal area or by companies in the context of federal or state contracts. Devices, products and procedures that can be used for sensitive but not classified information in a public authority context are also included to a limited extent. Devices, products and procedures for IT security are referred to here as IT security products and systems or systems for short, or cryptographic systems if they contain cryptographic functions. The testing and assessment procedure is referred to as approval.

2. Regulatory background

According to the "General Administrative Provision of the Federal Ministry of the Interior on Material and Organisational Protection of Classified Information" (VS-Anweisung – VSA) of 31 March 2006 and the corresponding provisions of the department, systems with functions for the production of encryption tools, encryption itself, deletion or destruction of CI storage media, emission security, securing transmission lines and separating networks with different maximum classifications must be approved by the BSI. The approved systems are listed in the following BSI publications:

No approval regulation of this type applies in the area of sensitive, but not classified, information. However, the use of CI-approved systems may also be sensible in these cases.

3. Application

Applications for approval from a public authority user must be sent to the contact address.

Approval always begins with an inspection of the system, known as the evaluation. The relevant tasks are completed by the BSI. An evaluation in the context of approval is complex and laborious. In addition, evaluation capacity at the BSI is severely limited. For this reason, an application for inspection and approval can only be accepted if clear and appropriate proof of the need for approval is enclosed with the approval application. In addition, it must be clarified before submitting the application whether adequate technical support from the manufacturer is guaranteed.

It is not possible for a company to submit an application without proof from a public authority user.

If an approved system with the required functionality of the manufacturer or of another manufacturer already exists, the already approved system must be used.

4. Implementation of the evaluation

The evaluation of systems for the purpose of approval is in principle conducted at the BSI for reasons of independence, copyright and general security. For certain inspection tasks (e.g. emissions measurements), appropriate external bodies may be employed in agreement with the manufacturer and the BSI.

5. Approval results

The evaluation is generally completed with the approval of the systems for performance of a specific task or for a specific application.

Example: approval for the transmission of classified information up to the classification VS-VERTRAULICH.

The approval results are summarised in an approval report. The further justification for approval, inspection methods and the scope of the inspection are largely confidential and cannot be generally publicised. If necessary, the manufacturer can view the inspection documentation if it demonstrates a legitimate interest to the BSI and the necessary security requirements have been met.

6. Versions

IT security systems are generally available in different versions. The BSI inspection generally relates to just one specific version. Other versions usually differ significantly from the inspected version in terms of their equipment and functionality. This applies especially to the security functions. For this reason, it is not necessarily possible to apply the security evaluation of one system version to other system versions.

7. Usage in companies and commercial institutions

Other companies and commercial institutions that are at particular risk of industrial espionage due to specific development work or business relationships can also obtain CI-approved systems under the following conditions:

  1. The Federal Ministry of the Interior identifies a risk of industrial espionage and thus approves the public interest in passing on the CI-approved systems generally classified as VS-NfD in accordance with Section 21 of the "General Administrative Provision of the Federal Ministry of the Interior on Material and Organisational Protection of Classified Information" (VS-Anweisung – VSA) dated 31 March 2006.
  2. The company/institution enters into a contractual obligation:

    1. to protect the systems in accordance with the "Instruction sheet on the handling of classified information of the VS-NfD security classification level" and a jointly defined security concept
    2. to engage the BSI or another trustworthy institution in the key distribution for the systems
    3. to use the systems abroad only in agreement with the BSI
    4. to return systems that are no longer required to the manufacturer/vendor or hand them over to the BSI
    5. to appoint a Security Representative who ensures compliance with the contractually agreed obligations

8. Overview of the approved systems

The list of approved IT security products and systems includes:

  • approved cryptographic systems
  • approved systems with no cryptographic components

The list is sorted alphabetically by product name.

The list contains systems that have been approved by the BSI and its predecessor institutions and are still in use. It appears sensible to also include older systems in the list and thus provide important information. Precise technical information and prices must be requested from the manufacturer or vendor.

9. Sale and export

Approved cryptographic systems and their components are subject to restricted sale.

The export of approved cryptographic systems and their components is subject to German export legislation and generally requires the approval of the responsible bodies.

10. International recognition

The evaluation of IT security products for the purpose of approval is based on special criteria of the BSI that, in consideration of the protection of classified information, cannot be published. The criteria are based on the NATO and EU guidelines and take account of all appropriate regulations of NATO and the EU.

As a result, the following regulations apply to nationally approved IT security products within the scope of the EU:

If the approved versions of a product have been inspected by the BSI on the basis of the guidelines of the Council of the European Union (EU), they are also approved for the appropriate classification for national use in accordance with the security regulations of the Council of the EU.
If the product is used in the Council of the EU or another sub-organisation, a second evaluation by an Appropriately Qualified Authority (AQUA) and an evaluation by the Council is required (EU directive TECH-P-01-02).

The following regulations apply to nationally approved IT security products within the scope of NATO:

If the approved versions of a product have been inspected by the BSI in accordance with the requirements of NATO policy C-M(2002)49 and subordinate directives, they are also approved for the protection of NATO information up to the classification "NATO RESTRICTED" or "NATO CONFIDENTIAL".

For usage with the classification "NATO SECRET" or higher, a successful second evaluation by the responsible NATO authority and approval by the NATO Military Committee (NAMILCOM) is required.

The required strength of a cryptographic product (Strength of Mechanism, SoM) can be considered in the context of the Threat Level and Impact Level.
A distinction is made between a Basic, Standard, Enhanced and High SoM. For conventional applications, the SoM levels generally correspond to international classifications:

  • Standard – Restricted
  • Enhanced – Confidential
  • High – Secret

11. Contact

For any questions relating to approval, please contact:

Bundesamt für Sicherheit in der Informationstechnik
Referat KM 12 Zulassung von VS-Produkten
Postfach 20 03 63
53133 Bonn
Telefon: +49 (0) 22899 / 9582 - 5470
Telefax: +49 (0) 22899 / 10 9582 - 5470
E-Mail: zulassung@bsi.bund.de
De-Mail: zulassung@bsi-bund.de-mail.de

12. FAQ

Evaluation and certification FAQs