BSI document 7164: List of approved IT security products and systems -Information-
Information on the list of approved IT security products and systems
1. Preliminary remarks
One of the legal tasks of the Federal Office for Information Security (BSI) is to test information technology procedures, products and devices for security in information technology (IT) and make a binding statement on their security value.
This primarily concerns products that are used for the processing and transmission of officially classified information (secret protection, classified information, VS) in the area of the Federal Government and the states (Länder) or by companies within the scope of contracts awarded by the Federal Government or the states.
Products for security in information technology are referred to as IT security products; when cryptographic functions are included, they are referred to as cryptosystems. The testing and assessment procedure is called approval.
2. Regulatory situation
The General Administrative Regulation on the Material Protection of Classified Information (VSA) of 01 April 2023 and the corresponding regulations of the ministries stipulate that products which assume IT security functions for the protection of classified information must be approved.
The approved products are listed in the BSI publication "BSI 7164 List of Approved IT Security Products and Systems". In addition, when classified information with a classification level of VS-VERTRAULICH and higher is processed, radiation-tested systems must be used; these can be found in the BSI publication "BSI TL 03305 List of radiation-proof/low-emission hardware approved for government VS".
In the area of sensitive but unclassified information, such an approval regulation does not apply. Nevertheless, the use of VS-approved systems can still be useful.
3. Submission of applications
Applications for approval of a system are to be submitted by the federal authority user to the contact address given below.
Approval always begins with a test of the system, the so-called evaluation. The work needed is carried out at the BSI. The evaluation in connection with an approval is complex and lengthy. Therefore, an application for approval can only be granted if it is accompanied by a clear, adequate proof of need. Before the application is submitted, it must be clarified whether sufficient technical support by the manufacturer is ensured.
The rights and obligations of the roles involved in the approval procedure, such as manufacturer and user, are listed in the Technical Guideline BSI TL IT-01 "Cooperation obligations in the approval procedure".
It is not possible for a company to submit an application; companies that are subject to secrecy supervision by the BMWK should contact the BMWK.
If an approved system of the manufacturer or from another manufacturer with the required functionalities already exists, the already approved system is to be used if possible.
4. Implementation of the evaluation
The evaluation of IT security products for the purpose of approval is generally carried out at the BSI. For certain test tasks (e.g. radiation measurements), suitable external test centres may be used in consultation between the manufacturer and the BSI.
5. Approval result
The evaluation usually ends with the approval of the IT security product for the fulfilment of a specific task or for a specific purpose.
Example: Approval for the transmission of classified information up to classification level VS-VERTRAULICH.
The approval results are summarised in an approval report. More detailed justifications for the approval, test methods and depth of testing are largely subject to secrecy and cannot be made generally known. If required, the manufacturer may inspect the test documents if he can prove to the BSI that he has a legitimate interest and that he fulfils the necessary security requirements.
6. Versions
IT security systems are usually available in different versions. The BSI's statement of approval usually refers only to a specific version. Other versions usually deviate considerably from the tested version in terms of features and functionality. This applies in particular to the security functions. Therefore, the security assessment of one system version cannot be transferred to other system versions; rather, subsequent versions must be subjected to a re-evaluation in case of changed or adapted security functions.
7. Use in companies and institutions of the economy
Companies and institutions in the economy that are particularly at risk of industrial espionage due to certain development work or business relationships may also receive VS-approved systems under the following conditions:
- The Federal Ministry of the Interior recognises a threat posed by industrial espionage and thus affirms the public interest in the transfer of the systems, which are VS-approved and, as a rule, classified VS-NfD, in accordance with § 25 of the "General Administrative Regulation on Material Secret Protection (Classified Information Instruction - VSA) of 01 April 2023".
- The company/institution contractually undertakes:
  - to protect the systems in accordance with the "Merkblatt über die Behandlung von VS des Geheimhaltungsgrad VS-NfD" and a mutually agreed security concept,
  - to have the key distribution for the systems carried out by the BSI or another trustworthy institution,
  - to use the systems abroad only in agreement with the BSI,
  - to return systems that are no longer required to the manufacturer/distributor or to hand them over to the BSI, and
  - to appoint a security representative to ensure compliance with the obligations assumed under the contract.
8. Overview of the approved systems
The list of approved IT security products and systems is arranged alphabetically by product name. It contains systems that were approved by the BSI and their predecessor authorities and are still in use. Older systems are left in the list, thus providing important information at a later time as well. Exact technical specifications and exact prices should be obtained from the manufacturer or distributor.
9. Distribution and export
Approved IT security products and their components are subject to restricted distribution by the manufacturer. Export or shipment from Germany may be subject to German export legislation. The Federal Office of Economics and Export Control (BAFA) should be contacted for clarification.
10. Approval for the processing of EU or NATO classified information
The evaluation of IT security products with crypto functions for the purpose of approval is carried out according to special criteria of the BSI, which cannot be published out of consideration for the classified area. The criteria are based on NATO and EU guidelines and take into account all relevant NATO and EU regulations.
If the nationally approved versions of an IT security product with crypto functions have been tested according to the specifications of the Council of the European Union (EU) as well, they can also be approved by the BSI for the protection of EU classified information for national use. This applies to the EU classification levels RESTREINT UE/EU RESTRICTED as well as CONFIDENTIEL UE/EU CONFIDENTIAL, but not to SECRET UE/EU SECRET. However, if IT security products approved by the BSI are to be used outside national networks, e.g. in EU institutions, this always requires prior approval by the EU Council based on a successful second evaluation by an Appropriately Qualified Authority (AQUA). This applies to all EU classification levels.
If the nationally approved versions of an IT security product with crypto functions have been tested according to NATO specifications as well, they can also be approved by the BSI for the protection of NATO classified information at the NATO RESTRICTED or NATO CONFIDENTIAL classification level. This does not apply to the NATO SECRET classification level. For this, approval by the NATO Military Committee based on a successful second evaluation must always be available.
11. Contact
For any questions relating to approval, please contact:
Federal Office for Information Security
Division V 12 Approvals of Classified Information Systems and IT-Security Products
PO Box 20 03 63
53133 Bonn
Telephone: +49 (0) 22899 / 9582 - 5718
Fax: +49 (0) 22899 / 10 9582 - 5718
E-mail: zulassung@bsi.bund.de