The approval issued by the BSI fulfils the legal task of testing IT security products and providing a binding statement on the strength of the implemented security functions. In particular, IT security products that are used for processing, transmitting and saving officially classified information (CI) in the federal area and in the states or at companies in the context of federal or state contracts require evaluation and assessment of this type in accordance with the General Administrative Provision for the Material Protection of Classified Information (VSA--Verschlusssachenanweisung). The appropriateness of the IT security function is confirmed by the BSI by issuing approval in which the maximum classification of the CI protected by the product is specified. In accordance with Section 51 VSA, all products must be approved that implement basic security functions according to Section 52 VSA for the protection of classified information.

The purpose of successful approval for the classifications CI NUR FÜR DEN DIENSTGEBRAUCH / RESTRICTED, CI VERTRAULICH or GEHEIM (CONFIDENTIAL or SECRET) can only be achieved on the basis of clear requirements. In order to produce a reliable and consolidated basis of requirements for all parties interested in the product, the BSI has established the process for generating CI requirements profiles. This brings manufacturers as well as operators, users and the BSI together, to coordinate and define all aspects of information security systems as comprehensively as possible. CI requirements profiles describe IT security requirements for certain products classes and types in a defined format based on the Common Criteria requirements for Protection Profiles. With an informal basis, they are directed primarily at users and operators, such as public authorities, who want to use products when dealing with classified documents and therefore need the basic requirements to be met by suitable products. On the other hand, CI requirements profiles are aimed at the manufacturers of such products in order to give them a general technical guideline for the implementation of relevant IT security requirements.