BSI TR-03180 Criteria and requirements catalogue for smartphones & tablets

for consumers

BSI TR-03180

Criteria (both for the device and for the support processes on the manufacturer's side) are necessary to assess the IT security level of a mobile IT device. These criteria can be used to measure the IT security level for a specific device. The Technical Guideline (TR) 03180 compiles criteria for mobile IT devices and the supporting processes, which the German Federal Office for Information Security (BSI) considers to be relevant for an appropriate IT security level of mobile IT devices. The TR refers to devices that are intended for personal use. This applies in particular to telephony, SMS/MMS, calendar management, internet browsing, social networking, photography and file storage, for which they were designed as consumer products. The TR defines "mobile IT devices" primarily as smartphones and tablets. Although laptops also count as mobile IT devices, they do not have some of the characteristics typical of smartphones and tablets.

Typical characteristics include, for example, software distribution structures in which central marketplace operators have more or less control over installable programmes, the type of device management and the form factor. Although the world of classic desktop operating systems is now increasingly converging with the world of operating systems for smartphones and tablets, laptops are currently more closely related to stationary IT devices (PCs) than to smartphones or tablets. A significant proportion of the security objectives and criteria in this TR are not specific to smartphones and tablets and can also be applied to other mobile IT devices and stationary or classic IT devices.

The BSI TR-03180 is generally open to remarks and adaptations to future technological changes and developments. Suggestions can be sent to referat-tk12@bsi.bund.de.

Download

BSI TR-03180

BSI TR-03180 Requirements catalogue for the IT Security Label

The document TR-03180 A "Requirements catalogue for the IT Security Label" specifies the requirements that a mobile device must fulfil in order to be granted an IT Security Label by BSI. The catalogue of requirements contains specific testable properties which a mobile device must, should, may or can fulfil in order to be granted an IT Security Label. These requirements are derived from the BSI TR-03180, ETSI TS 103 732 and the Cyber Resilience Act.

The requirements catalogue is intended both for self-assessment by the manufacturer and for assessment by a conformity assessment body on behalf of the manufacturer. In order to ensure that the test properties can be tested objectively and that the test results for the IT Security Label can be used independently of the respective tester, each test requirement contains a selection of permitted test methods.

Further development and Proof of Concept

The BSI is interested in making the requirements catalogue as practice-oriented as possible and incorporating the perspectives of various stakeholders into the standardisation project. BSI TR-03180 A is currently published in version 1.0.0 following a public commentary phase.

A further proof of concept with a conformity assessment body and one or more interested manufacturers is planned for the use of BSI TR-03180 A with the IT Security Label for "Mobile Devices". Interested manufacturers who wish to participate in the proof of concept should contact it-sicherheitskennzeichen@bsi.bund.de by 31 September 2024.

Comments, remarks and suggestions for improvements to BSI TR-03180 A are always welcome and can be sent to it-sicherheitskennzeichen@bsi.bund.de.

Download

BSI TR-03180 A - Requirements catalogue for the IT Security Label

BSI TR-03180 A Appendix A - Conformity declaration for the IT-Security Label