In addition to the conventional approval procedure, which is described in the Evaluation and certification FAQs and in the Technical Guidelines BSI TL - IT 01 the BSI utilizes the qualified procedure to accelerate approvals.

Prior to the establishment of the qualified procedure, the BSI determined the trustworthiness of an IT security product exclusively by means of a comprehensive technical evaluation as part of approval procedures in accordance with the
General Administrative Provision for the Material Protection of Classified Information (VSA). The qualified procedure takes account of shorter development cycles by evaluating the trustworthiness of development processes themselves.
The underlying criteria are based on the international Common Criteria standard. They include requirements for the entire life cycle of an IT security product from the preliminary design phase, to development, market launch, service and
maintenance, to the regulated discontinuation of a product. Verified and trustworthy processes from the developer side allow product approvals to be implemented with a significantly reduced technical evaluation depth. The level of trustworthiness achieved is the same as with the conventional VS-NfD approval procedure by using the trustworthy processes.

The qualified procedure is divided into the steps of the developer qualification and the qualified approval procedure.

Firstly, the BSI evaluates and assesses the processes and environments used for the development of an IT security product.

In the second step, this allows IT security products, which have been developed with the assessed processes, to be analysed as part of the qualified approval procedure. The suitability of the IT security product for approval is assessed by the BSI using only conceptional evidence provided by the developer. Part of the necessary developer evidence is an informal but systematic description of the security functions and properties of the IT security product. Assuming that the BSI confirms the suitability of the product for approval, the developer has to provide a developer declaration. This declaration confirms that the product has been developed using the processes and environments assessed within the developer qualification. Furthermore, it ensures that all evaluation evidence required for a conventional approval procedure has been produced and is available.

Developer qualifications are issued for a limited period of time. The compliance with the reviewed development processes is regularly verified by the BSI on the basis of actual approval procedures.

For further questions about the qualified procedure, please use the contact Referat-KM11@bsi.bund.de.

Developer with currently valid developer qualification

• ADVA Optical Networking
• genua GmbH
• NCP Engineering GmbH
• Rohde & Schwarz Cybersecurity GmbH
• secunet Security Networks AG
• Utimaco IS GmbH