According to § 51 para. 1 VSA, the Federal Office for Information Security (BSI) determines which IT security products or components must have an approval. These IT security products and components perform IT security functions within VS-IT for the protection of electronic classified information.
In principle, all IT security products that are used for the processing and transmission of classified information must be subjected to testing and security assessment. The IT security functions that require approval of the product by the Federal Office for Information Security pursuant to Section 51 (1) are listed in Section 52 (1) VSA.
Approval refers only to IT security products for the processing and transmission of state VS and takes particular account of state secrecy concerns. Approval is only granted by the BSI. In contrast, certification according to Common Criteria (CC) can be sought for all IT products with security functionality, provided the manufacturer decides to have a neutral test performed.
Approval of IT security products for the transmission and processing of classified information is only granted by the BSI in accordance with the BSI Act and the "Allgemeine Verwaltungsvorschrift zum materiellen Geheimschutz (Verschlusssachenanweisung - VSA)".
Approval is a binding statement on the security value of an IT security product. Once an approval has been granted for an IT security product, classified information (VS) may be processed or transmitted with this IT security product in accordance with the Security Clearance Act up to the maximum classification level for which the approval was granted.
If no approved IT security products or components are available for certain VS-IT or if an approval cannot be arranged or cannot be arranged in a timely manner, an authorization to use for other IT security products or components must be applied for from the Federal Office for Information Security in accordance with § 51 Para. 5 VSA. The Federal Office for Information Security can limit this authorization to use for a certain period of time and issue special conditions and restrictions regarding the conditions of use and operation. Further details are regulated in the approval concept of the Federal Office for Information Security.
If possible, the BSI will provide the releasing body with information on a authorization to use (in particular deployment and operating conditions). This also includes a list of recognised vulnerabilities and risks resulting from these during use. With the help of these notes, the user is required within the framework of the release according to § 50 VSA to weigh up the disadvantages with regard to IT security and the advantages of a use in view of the risks and to document this in particular by means of a corresponding risk analysis (see § 8a VSA). The risk analysis must recommend and prescribe measures that minimise the identified risks. The resulting residual risks must be clearly recognisable to the user from this risk analysis and must be borne by the user.
No, the approval statement specifies the exact design or version status. The user may only use the versions described there in compliance with the conditions of use and operation listed in the approval documents, otherwise the processing or transfer of VS is not permitted.
A changed design/version status must be reported by the manufacturer to the BSI. This leads to a new evaluation, which is usually limited to the changed and security-relevant components, and to an update of the approval statement.
According to § 4 paragraph 2 of the Security Clearance Act, there are the security clearance levels VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD), VS-VERTRAULICH (VS-V), GEHEIM (SECRET) and STRENG GEHEIM (TOP SECRET), whereby the classification of the information to be protected may not exceed the level of clearance.
In principle, an application for approval of an IT security product can only be submitted by a federal authority user (user). A corresponding application form can be obtained from the contact address below.
There are no direct costs for either the user or the manufacturer. However, expenses for the support of the BSI within the scope of the approval procedure must be paid by the manufacturer and the user. Reimbursement of costs by the BSI is not possible.
The duration of an approval procedure is influenced by various factors. It depends decisively on the intended level of classification, the complexity of the IT security product, the scope of testing and the support of the parties involved, for example in the provision of product documentation by the manufacturer.
An evaluation with the aim of approval is the technical testing and security-related assessment of an IT security product according to well-defined IT security criteria and corresponding testing methodology.
Every approval is time-limited. An extension is possible if the security properties of the product continue to meet the requirements for the requested classification level.
As a rule, an approval is extended at least once. It is possible that the approval statement is issued for a subsequent version.
The documents required for an approval procedure are comprehensively specified by BSI preliminary documents. These specifications are based on the internationally recognised security criteria of the Common Criteria and are adapted to the needs of a test of the product within the scope of the approval. They define the aspects of a product's security features to be proven to the BSI by a manufacturer within the framework of an evaluation and approval process. The central document in this context is the so-called Security Target, which is provided by the manufacturer of the product. This document specifies the security features to be tested in the evaluation in abstract terms and forms the basis of the evaluation.
As soon as the application for approval is submitted, the following documents must be available:
Security Target (at least Draft),
conceptual description of the IT security architecture and
an informal crypto concept
These security deliverables must be substantiated by the manufacturer with detailed evidence in the areas of security architecture, interface specification, design, source code, test evidence and vulnerability analysis, among others.
Both the security services to be provided by the product and the scope of proof depend on the level of secrecy sought.
The documents can either be in paper form or in an audit-proof, electronic format. In addition, the documents can be provided in an editable electronic format.
The documents must be available in German and/or English. If approval is also sought for the processing and protection of NATO or EU information, the documents must be available in English.
No. The information provided by the manufacturer is handled confidentially at the BSI. Only the persons entrusted with the approval procedure have access to the information provided. A corresponding confidentiality agreement can be fixed in writing.
The rights and obligations of the roles involved in the approval procedure, such as the manufacturer and the user, are listed in the Technical Guideline BSI TL IT-01 "Cooperation obligations in the approval procedure".
The manufacturer's support of the BSI extends in particular to meaningful documentation on the IT security product submitted, but also to activities accompanying the evaluation (e.g. naming competent contact persons, providing test systems and possibly measuring devices).
Approved IT security products are included in BSI publication 7164 "List of approved IT security products and systems". The list of approved IT security products and systems can be found here.
The IT security product is examined for its approvability within the scope of a preliminary examination. The termination of the approval procedure is possible at any time during the approval process due to valid reasons. This may be the case, for example, due to lack of support by the manufacturer.
Federal Office for Information Security
Division V 12 Approvals of Classified Information Systems and IT-Security Products
PO Box 20 03 63
53133 Bonn
Telephone: +49 (0) 22899 / 9582 - 5718
Fax: +49 (0) 22899 / 10 9582 - 5718
E-mail: zulassung@bsi.bund.de