Principles of measurement, handling and distribution of radiation-tested products

The following principles must be observed for all radiation tests and, depending on the degree of approval, for use and distribution:

1. Radiation-tested products - in the case of computers, workstations or comparable IT products, each consisting of basic unit, keyboard, monitor and mouse and, if applicable, KVM switch - are always radiation-tested and approved as a computer system in the associated configuration.

2. The equipment status of all radiation-tested components including cabling is recorded and documented.
   

3. Only after a short measurement procedure is a device or computer system cleared for processing classified information. Therefore, every device processing classified information must be subjected to a short measurement procedure before its operational use. This configuration of the individually radiation-tested computer system must be maintained until it reaches the end customer. Otherwise, the approval becomes invalid.

4. The test documentation must show that components such as the basic unit, monitor and keyboard, and possibly also the mouse, belong together. The delivery must be made in such a way that the recipient can directly recognise such a device set belonging together.

5. Only if the component is explicitly listed in BSI Technical Guideline 03305 as a recognisable individual device (e.g. printer or scanner) is the short measurement procedure and delivery as an individual device possible.

6. If a radiation-protected computer system is built up from components already approved in other computer systems, a new product with a different product designation is created, which must again be subjected to an approval measurement, approved by the BSI and subjected to the short measurement procedure before delivery. It does not matter whether these components come from one or more suppliers. The client does not have the option of putting together his own desired configuration from different products, which may already have been radiation tested, unless a new approval is granted.

7. The exchange of individual components is only permissible if the components listed in the equipment inventory are used and then briefly measured.

8. If one of these components is changed and thus the equipment status is changed, it is a new product without approval. This means that a new development of the radiation protection measures for the modified component is required, which ensures the testing of the radiation safety in interaction with the other components of the original product. This results in a new product with a different product designation, which must be subjected to a new approval procedure as a whole.

9. The process described above when replacing components must also be carried out if, in the case of a replacement, a component of identical type as used in the original product is no longer available or is to be replaced with one of higher quality.

10. Adding components leads to loss of approval, e.g. adding another monitor or network card to a computer system leads to loss of approval.

11. Removal of components is permitted, but requires proper sealing of any opening created by e.g. a network card or DVD burner. A short measurement is required.

12. A component list of the unit tested within the scope of the approval measurement, including the cabling, must always be enclosed with the product.

13. Components and cables that have not been tested for radiation must not be included in the package.

14. Any enclosed components that are not listed in the aforementioned component list or in the test report must be marked as "Not permitted" in order to avoid erroneous use by the user.

15. Units with visible defects such as loose seals or non-fixed ferrites must not be delivered as radiation-tested units and must be rejected.

16. Radiation-tested products must be protected against unauthorised access (to prevent possible tampering); if necessary, they must be subjected to another radiation test before being used again.

17. Radiation-tested hardware can also be distributed and used outside the classified area or the authority area.

18. When procuring devices that are not included in the list, in particular in the case of offers from foreign suppliers, the procuring agency is required to verify with the BSI that such devices are approved for use in processing national classified information.

to the top

Application for admission, basis for examination and procedure

Applications for approval must be sent to:

 

Federal Office for Information Security

PO Box 200363

53133 Bonn

Fax: +49 228-99 9582-5755

 

The application must be accompanied by proof of need from a federal authority for approval of the product; otherwise processing is not possible.

For example, tender documents of a federal authority can be used as proof of need. If the BSI is commissioned by a federal authority, processing is free of charge; otherwise costs are incurred in accordance with the BSI cost regulation.

Details of the test basis are partly classified. They will be disclosed to the manufacturer if required, if the manufacturer proves a legitimate interest to the Federal Office and fulfils the necessary security requirements; this must be confirmed by a security decision of the Federal Minister of Economics and Labour.

The test is carried out on a series device, which must be provided together with suitable peripherals and put into operation at the BSI.

For approval according to SDIP 27 Level A, the manufacturer must provide a technical report as well as additional hardware such as adaptations and test software as agreed.

An overview of this report (so-called "Tempest Company Report - TFB") can be requested from the BSI if required.