Answers to FAQs about the minimum standards
-
One of the core tasks of the BSI is to avert threats to federal IT. Under Section 8(1) of the Federal Office for Information Security Act (BSIG), the BSI draws up minimum standards for the security of federal information technology. These standards are defined on the basis of the BSI's technical expertise and represent the security level that, in the BSI's view, must not be fallen below within the federal administration. Setting out security requirements for federal information technology establishes a uniform minimum security level, with effective safeguards against cyber attacks, across the heterogeneous institutions of the federal government. Minimum standards can cover technical components such as hardware, software and networks, as well as security-relevant aspects related to technology, for example organisation and personnel.
-
The scope of the minimum standards covers all 'federal stakeholders'. This means that the target group is the direct federal administration. In addition to federal authorities, direct federal administration also includes organisations where the Federal Republic of Germany is the legal entity. The direct federal administration is therefore responsible for correctly implementing and complying with the minimum standards.
-
The minimum standards describe a minimum security level intended for the federal administration, but in many cases they can also be applied in regional administrations or in commerce. The security requirements are formulated so that they can also be met outside the federal administration. For example, the minimum standard for the use of external cloud services sets security requirements for the procurement, use and termination phases of cloud usage. The requirements for mobile device management, secure web browsers or a solution for interface monitoring, for example, can likewise help other target groups to achieve a minimum security level.
-
The legal framework for minimum standards is derived from the BSI Act. Section 8 (1) of the BSI Act states that the BSI develops minimum standards for the security of the federal government's information technology and additionally advises federal agencies on the implementation of and compliance with the minimum standards.
The strategic framework for minimum standards is derived from the Cyber Security Strategy for Germany 2016. The minimum standards directly address the action areas it defines by ensuring a minimum level of security. The concrete specifications can help to successfully implement the identified measures such as "making digitisation secure", "strengthening the German IT economy" and "securing the federal administration".
The conceptual framework comprises the relevant regulations that refer to the minimum standards. These include the Implementation Plan for the Federal Administration 2017, which, as the Federal Government's information security guideline, explicitly refers to compliance with the BSI's minimum standards. In its 82nd session, the Budget Committee of the German Bundestag decided, among other things, that a minimum standard should be defined for the security of federal data centres. The "Civil Defence Concept" and the "Architectural Guideline for Federal IT" also refer to the minimum standards and stipulate that they are decisive for IT security in the federal administration. The conceptual framework in particular illustrates the importance of minimum standards and their application in the federal administration.
-
There are three important ways in which the BSI minimum standards differ from other national and international standards on information security:
- Target group: the primary target group of the minimum standards is the direct federal administration
- Security requirements: minimum standards differ from other standards by the type of requirements they contain. Minimum standards describe a minimum level of protection that must be maintained from the BSI's perspective. The aim is not to achieve the highest possible degree of security, but to define a standardised minimum level that all federal agencies can reach
- Certification: the BSI minimum standards are not a certification in the sense of the ISO series or IT-Grundschutz, for example. They are purely a set of rules relating to federal IT security
-
The BSI develops minimum standards in line with a standardised procedure. The entire lifecycle of a minimum standard is described in a total of seven phases, from brainstorming to publication (see figure below). Particular importance is attached to the broad and active involvement of all addressees. Roughly speaking, the process can be divided into three main stages: the in-house development, the external consultation process and the utilisation phase after publication.
I. The first step is to identify possible topics for new minimum standards (pre-α). In addition to the expertise of the BSI, suggestions from the addressees are also an important source for this. Once a topic has been selected for processing, the Minimum Standards Unit and the responsible specialist unit draw up a rough version, which is then coordinated throughout the BSI and developed into the first BSI draft (α).
II. This is followed by the consultation procedure (β). The BSI submits its draft to the departments and publishes a Community Draft on its website at the same time. This gives the addressees and interested experts the opportunity to provide feedback and thus contribute their expertise to the development of the minimum standard. After the end of the β-phase, the feedback is incorporated together with the specialist unit. The second draft of the minimum standard is finally agreed and signed off in the BSI (Release Candidate). Subsequently, the minimum standard is published on the BSI website and given directly to the departments for implementation (Release).
III. The lifecycle does not end with the publication. The Δ phase follows, which includes support and monitoring. The use of the minimum standard is analysed and the contents are regularly reviewed to check they are up to date. A change request can be used to initiate the update of a minimum standard that has already been published, e.g. if the technical framework conditions have changed (Request for Change).
Minimum standards are therefore subject to an active, ongoing process in which reviews and feedback are explicitly sought.
-
Security requirements are numbered by an identification number, which allows them to be referenced. The identifier of an individual minimum standard requirement is made up of the abbreviation of the relevant minimum standard, the chapter number, the sub-chapter number and the requirement number (see illustration). Where appropriate, a requirement may be further split into sub-requirements.
[Figure: generic example of an identification number from a BSI minimum standard.] Note: the minimum standards published before 2018 do not follow the layout described above. These will be adjusted as part of future updates.
-
Please contact us if you have questions or suggestions regarding the minimum standards.