Regulation On The Procedure Of Issuance Of Security Certificates And Recognitions By The Federal Office For Security In Information Technology

Original Language Title: Verordnung über das Verfahren der Erteilung von Sicherheitszertifikaten und Anerkennungen durch das Bundesamt für Sicherheit in der Informationstechnik


Regulation on the procedure for the granting of security certificates and recognitions by the Federal Office for Information Security (BSI Certification and Recognition Ordinance - BSIZertV)


BSIZertV

Date of issue: 17.12.2014

Full citation:

"BSI Certification and Recognition Ordinance of 17 December 2014 (BGBl. I p. 2231)"

1
Notified in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services (OJ L 204, 21.7.1998, p. 37), as last amended by Article 26(2) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 (OJ L 316, 14.11.2012, p. 12).

Footnote

(+++ Text documented from: 24.12.2014 +++)
(+++ Official note of the legislator on EC law: notification under Directive 98/34/EC (EGRL 34/98, CELEX No: 31998L0034) +++)


Preamble

On the basis of § 10 (1) of the BSI Act of 14 August 2009 (BGBl. 2821), the Federal Ministry of the Interior, after hearing the business associations concerned and in agreement with the Federal Ministry for Economic Affairs and Energy, orders as follows:

Section 1
General Provisions


§ 1 Scope

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, hereinafter "Federal Office") grants certificates and recognitions pursuant to § 9 of the BSI Act in accordance with this Regulation.

§ 2 Application procedure

Applications must be submitted in writing and must state the name and address of the applicant as well as the date of the application.

§ 3 The submission and retention of documents and other evidence

(1) The documents submitted with the application and the documents produced in the certification or recognition procedure shall be kept by the Federal Office electronically or in paper form in accordance with the applicable regulations.

(2) Insofar as the applicant is entitled under this Regulation to provide documents or other evidence to the Federal Office only temporarily, the applicant shall retain these documents or other evidence, after inspection by the Federal Office, for the duration of the application procedure and the period of validity of the certification or recognition. Upon expiry of the period of validity of the certification or recognition, these documents or other evidence shall be kept for at least three more years and shall be made available to the Federal Office free of charge at any time on request.

§ 4 Test criteria, requirements, factual scopes

(1) The Federal Office shall, to the extent necessary, determine for certification and recognition procedures under this Regulation
1. technical scopes,
2. requirements-based test criteria (security criteria, protection profiles, technical guidelines and BSI standards),
3. requirements for expertise, equipment and reliability, and
4. the evidence required,
and shall publish them on its website.

(2) The Federal Office shall determine the procedure for the granting of certificates and recognitions under this Regulation and shall publish procedural descriptions on its website.

(3) The Federal Office shall refrain from the publication referred to in paragraphs 1 and 2 if the publication would endanger public security. The Federal Office may refrain from publication if public interests or the security of particular products, components, product categories or systems would be adversely affected by the publication, or if the test criteria or procedural descriptions are classified as classified information. The Federal Office shall disclose unpublished test criteria, technical scopes and procedural descriptions to those who come into consideration as applicants if they demonstrate a legitimate interest and undertake to comply with the necessary security arrangements.

§ 5 Form of decisions; obligation to be consulted

(1) Decisions by which a procedure under this Regulation is concluded shall be issued in writing.

(2) Before an application is rejected, the applicant shall be informed of the reasons for the likely rejection. Within a reasonable period fixed by the Federal Office, the applicant shall be given the opportunity to comment and to remedy the deficiencies. Section 28 (3) of the Administrative Procedure Act applies.

(3) Before a certificate or recognition is issued with secondary provisions under § 22, the applicant shall be heard in accordance with Section 28 of the Administrative Procedure Act.

§ 6 Obligation of the applicant to cooperate

(1) It is for the Federal Office to establish the facts relevant to certification or recognition. It is the responsibility of the applicant to provide the evidence needed to establish those facts. The Federal Office is not obliged to conduct its own investigations within the meaning of Section 26 (1) of the Administrative Procedure Act, but it may draw on findings already available to it.

(2) Within the framework of the applicant's obligation to cooperate, it is the responsibility of the applicant to secure the necessary participation of any third parties.

§ 7 Publication of certificates and recognitions

(1) The Federal Office publishes at least quarterly, on the Internet or in other media, lists or list entries of the certified information technology systems, sites, products, components and protection profiles that have been modified or added since the last publication, together with the associated security certificates and certification reports.

(2) The Federal Office publishes at least quarterly, on the Internet or in other media, lists or list entries of the certified persons that have been modified or added since the last publication, with their address, the technical scope of the certification and the period of validity of the certification.

(3) The Federal Office publishes at least quarterly, on the Internet or in other media, lists or list entries of the certified IT security service providers that have been modified or added since the last publication, with their address, the technical scopes of the certification and the period of validity of the certification.

(4) The Federal Office publishes at least quarterly, on the Internet or in other media, lists or list entries of the recognised expert bodies that have been modified or added since the last publication, with their address, the technical scopes of the recognition and the period of validity of the recognition.

(5) The holder of a certificate or recognition may object to the publication referred to in paragraphs 1 to 4. The Federal Office shall refrain from the publication referred to in paragraphs 1 to 4 to the extent that public security could be adversely affected by it. The Federal Office may refrain, in whole or in part, from the publication referred to in paragraphs 1 to 4 if public or private interests would be adversely affected by it.

Section 2
Certification of information technology products or components, information technology systems, and protection profiles


§ 8 Certification of information technology products or components

(1) An application for certification of information technology products or components may be made by a natural or legal person. If the applicant is not the manufacturer of the product or component to be certified, or of parts thereof, the applicant shall attach to the application a declaration by all manufacturers of the product or component to be certified in which the manufacturers declare their consent to the application and their willingness to participate and to support the applicant in fulfilling conditions or other secondary provisions during the application procedure and after the certificate has been issued. Section 13 (2) of the Administrative Procedure Act remains unaffected.

(2) In addition to the information required under § 2, the application must contain:
1. details of the test criteria to be applied in accordance with § 4 (1) and the target evaluation level,
2. the exact designation of the product or component to be certified,
3. details of the manufacturer and rights holder of the product or component to be certified,
4. a description of the state of development and production,
5. the designation of the expert body recognised by the Federal Office that is intended to carry out the examination and evaluation,
6. where available, information on examinations and evaluations already carried out by other competent bodies, and
7. consent to the publication of a certification granted, pursuant to § 7 (1), or the objection to publication pursuant to § 7 (5) sentence 1.

§ 9 Certification of information technology systems

(1) An application for certification of information technology systems may be made only by the operator of the system to be certified.

(2) In addition to the information required under § 2, the application must contain:
1. details of the test criteria to be applied in accordance with § 4 (1) and the target evaluation level,
2. the exact designation of the system to be certified,
3. a description of the state of development and production as well as details of the manufacturers and rights holders of the information technology products used,
4. the designation of the expert body recognised by the Federal Office that is intended to carry out the examination and evaluation,
5. where available, information on examinations and evaluations by other persons or competent bodies, and
6. consent to the publication of a certification granted, pursuant to § 7 (1), or the objection to publication pursuant to § 7 (5) sentence 1.

§ 10 Certification of protection profiles

(1) An application for certification of protection profiles may be made only by an association of manufacturers or users of information technology products, by a standardisation organisation or by a public authority.

(2) In addition to the information required under § 2, the application must contain:
1. details of the test criteria to be applied in accordance with § 4 (1) and the target evaluation level,
2. the exact designation of the protection profile to be certified,
3. where available, information about the author of the protection profile, if the author and the applicant are not the same,
4. the consent of the applicant and the rights holder to the protection profile being made available free of charge,
5. the designation of the expert body recognised by the Federal Office that is intended to carry out the examination and evaluation, and
6. consent to the publication of a certification granted, pursuant to § 7 (1), or the objection to publication pursuant to § 7 (5) sentence 1.

§ 11 Obligations to cooperate

(1) For the certification of information technology products or components, it is the responsibility of the applicant to make available free of charge to the Federal Office and the expert body the product or component to be certified, the facilities and rights necessary for its operation or use, and the documentation and evidence required under § 4 (1). Documents and other evidence may be made available by the applicant only temporarily where the applicant demonstrates that handing them over would be contrary to the applicant's essential interests.

(2) For the certification of information technology systems, it is the responsibility of the applicant to grant the Federal Office and the expert body free access to the installed information technology system and to the relevant sites, and to make available the rights necessary for the examination as well as the documents and evidence required under § 4 (1).

(3) For the certification of protection profiles, it is the responsibility of the applicant to make the protection profile to be certified available free of charge to the Federal Office and the commissioned expert body.

(4) In order to carry out the certification procedure, it is the responsibility of the applicant to support the Federal Office and the commissioned expert body free of charge through qualified representatives. To the extent necessary, it is the responsibility of the applicant to enable or carry out, free of charge, product-, component- or system-related training for the personnel engaged in the examination, evaluation and certification.

§ 12 Certificate

(1) A certificate pursuant to § 9 (4) of the BSI Act is granted if
1. the examination and evaluation show that the information technology product, the information technology component, the information technology system or the protection profile meets the test criteria under § 4 (1), and
2. the Federal Ministry of the Interior has determined, in accordance with § 9 (4) No. 2 of the BSI Act, that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude the grant.

(2) The certificate is to be limited in time by the Federal Office. The Federal Office determines the period of validity for the respective technical scope.

(3) The certificate for information technology products, systems and components and for protection profiles contains:
1. the certification number,
2. the test criteria applied, insofar as they have been made known,
3. the name of the Federal Office,
4. any secondary provisions under § 22,
5. the place and date of issue of the security certificate, and
6. the period of validity of the security certificate.
A certification report is attached to the security certificate.

(4) In addition to paragraph 3, the certificate for information technology products or components contains:
1. the designation and description of the examined product or component and the name of its manufacturer,
2. the documentation belonging to the examined product or component,
3. the description of the security features, and
4. the evaluation level reached or the scope of the examination.

(5) In addition to paragraph 3, the certificate for information technology systems contains:
1. the designation and description of the system and of the relevant sites, and
2. where necessary, the documentation relevant to the security of the system and the sites.

(6) In addition to paragraph 3, the certificate for protection profiles contains:
1. the designation and description of the examined protection profile, and
2. the evaluation level reached or the scope of the examination.

(7) The Federal Office may at any time check whether the conditions for certification referred to in paragraph 1 continue to be met. The Federal Office draws up procedural descriptions for these checks and publishes them on its website.

§ 13 Return of information technology products or components

Information technology products or components handed over by the applicant to the Federal Office shall be returned to the applicant at the site of the examination. The Federal Office may agree with the applicant that the product or component remains with the Federal Office.

Section 3
Certification of persons


§ 14 Application

(1) An application for certification of a person may be submitted only by the person who is to be certified.

(2) In addition to the information required under § 2, the application must contain:
1. details of the technical scope or scopes applied for,
2. the evidence required for this technical scope in accordance with § 4 (1), and
3. consent to the publication of a certification granted, pursuant to § 7 (2), or the objection to publication pursuant to § 7 (5) sentence 1.

§ 15 Certificate

(1) A certificate for persons pursuant to § 9 (5) of the BSI Act is granted if
1. the examination and evaluation show that the person to be certified meets the test criteria under § 4 (1), and
2. the Federal Ministry of the Interior has determined, in accordance with § 9 (4) No. 2 of the BSI Act, that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude the grant.

(2) The certificate is to be limited in time by the Federal Office. The Federal Office determines the period of validity for the respective technical scope.

(3) The certificate for a person contains:
1. the name and address of the certified person,
2. the certification number,
3. the period of validity of the certification,
4. the technical scope of the certification with reference to the underlying norms and standards,
5. the norms and standards on which the examination of the person was based,
6. any secondary provisions under § 22, and
7. the place and date of issue of the certificate.

(4) The Federal Office regularly checks whether the conditions for certification referred to in paragraph 1 continue to be met. In addition, an ad hoc review for cause may take place at any time. The Federal Office draws up procedural descriptions for these checks and publishes them on its website.

Section 4
Certification of IT security service providers

§ 16 Application

(1) An application for certification as an IT security service provider may be submitted only by the IT security service provider that wishes to obtain the certification.

(2) In addition to the information required under § 2, the application must contain:
1. information on the legal form, the corporate structure and the participations of the applicant,
2. information on the technical scope of the certification applied for,
3. a list of the responsible employees of the applicant and their respective areas of responsibility,
4. information on quality and information security management and, where required, on data protection,
5. a declaration of independence or objectivity with regard to the intended activities within the technical scope, and
6. consent to the publication of a certification granted, pursuant to § 7 (3), or the objection to publication pursuant to § 7 (5) sentence 1.

§ 17 Obligations to cooperate

(1) It is the responsibility of the applicant to cooperate in the procedure and to grant the Federal Office or the persons appointed by it, where necessary, free access to the sites, to the systems provided for examination and to the documents referred to in § 4.

(2) During the procedure, it is the responsibility of the applicant to support the Federal Office or the persons appointed by it free of charge through qualified representatives.

§ 18 Certificate

(1) A certificate as an IT security service provider pursuant to § 9 (5) of the BSI Act is granted if
1. the examination and evaluation show that the IT security service provider meets the test criteria under § 4 (1), and
2. the Federal Ministry of the Interior has determined, in accordance with § 9 (4) No. 2 of the BSI Act, that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude the grant.

(2) The certification is to be limited in time by the Federal Office. The Federal Office determines the period of validity for the respective technical scope.

(3) The certificate contains:
1. the name of the IT security service provider and the addresses of all certified sites,
2. the certification number,
3. the period of validity of the certification,
4. the technical scope or scopes of the certification with reference to the underlying norms and standards,
5. the norms and standards on which the examination of the IT security service provider was based,
6. any secondary provisions under § 22, and
7. the place and date of issue of the certificate.

(4) The Federal Office regularly checks whether the conditions for certification referred to in paragraph 1 continue to be met. In addition, an ad hoc review for cause may take place at any time. The Federal Office draws up procedural descriptions for these checks and publishes them on its website.

Section 5
Recognition of expert bodies

§ 19 Application

(1) An application for recognition as an expert body may be submitted only by the body that wishes to obtain the recognition.

(2) In addition to the information required under § 2, the application must contain:
1. information on the legal form, the corporate structure and the participations of the body,
2. information on the technical scopes of the recognition applied for,
3. a list of the responsible employees of the body and their respective areas of responsibility,
4. information on quality and information security management and, where applicable, on data protection,
5. a declaration on the independence or objectivity of the body with regard to the intended activities within the technical scope, and
6. consent to the publication of a recognition granted, pursuant to § 7 (4), or the objection to publication pursuant to § 7 (5) sentence 1.

(3) Applications are processed in the chronological order of their receipt. They may be rejected if, owing to the number and scope of the pending examination procedures, the Federal Office cannot carry out an appropriate examination within a reasonable period and the recognition is not in the public interest.

§ 20 Obligations to cooperate

(1) It is the responsibility of the applicant to cooperate in the procedure and to grant the Federal Office or the persons appointed by it, where necessary, free access to the sites, to the systems provided for examination and to the documents referred to in § 4.

(2) During the procedure, it is the responsibility of the applicant to support the Federal Office or the persons appointed by it free of charge through qualified representatives.

§ 21 Recognition

(1) A recognition pursuant to § 9 (6) of the BSI Act is granted if
1. the examination and evaluation show that the material and personnel resources as well as the expertise and reliability of the conformity assessment body meet the test criteria under § 4 (1), and
2. the Federal Ministry of the Interior has determined, in accordance with § 9 (6) No. 2 of the BSI Act, that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude the grant.

(2) The recognition is to be limited in time by the Federal Office. The Federal Office determines the period of validity for the respective technical scope.

(3) The recognition contains:
1. the name and address of the expert body and of all recognised sites,
2. the recognition number,
3. the period of validity of the recognition,
4. the technical scope or scopes of the recognition with reference to the underlying norms and standards,
5. the norms and standards on which the examination of the body was based,
6. any secondary provisions under § 22, and
7. the place and date of issue of the recognition certificate.

(4) The Federal Office shall regularly review, pursuant to § 9 (6) sentence 2 of the BSI Act, whether the conditions for recognition referred to in paragraph 1 continue to be met. In addition, an ad hoc review for cause may take place at any time. The Federal Office draws up procedural descriptions for these reviews and publishes them on its website.

Section 6
Secondary provisions

§ 22 Secondary provisions

(1) A certificate under § 12, § 15 or § 18 and a recognition under § 21 may be issued subject to a reservation of revocation.

(2) A certificate under § 12, § 15 or § 18 and a recognition under § 21 may be issued with secondary provisions, in particular with conditions or time limits. In particular, it may be stipulated that
1. the holder of the certificate or recognition, when using the certificate or recognition, in particular for advertising purposes or as presentation and proof, must refer to, and make available, specific accompanying documents issued in connection with the certification or recognition,
2. the holder of the certificate must inform the Federal Office if the security properties of the object of certification change,
3. the holder of the certificate or recognition must have it verified, regularly or for cause and at his or her own expense, by the Federal Office or by persons or bodies commissioned by the Federal Office, whether the requirements for the certification of products (for example, under Common Criteria) or for the recognition continue to be met,
4. a certification is tied to the validity of a protection profile or a technical guideline,
5. in the cases of § 15, § 18 or § 21, the applicant must notify the Federal Office in writing without delay if its activities or its corporate form change substantially or its registered office changes,
6. in the cases of § 15, § 18 or § 21, the applicant must take part in the training offered by the Federal Office within the technical scope of the certification or recognition,
7. in the cases of § 18 or § 21, the applicant must employ a certain number of persons certified under § 15 for the respective technical scope.

Section 7
Final provisions


§ 23 Entry into force, repeal

This Regulation enters into force on the day after its promulgation. At the same time, the BSI Certification Ordinance of 7 July 1992 (BGBl. 1230) ceases to have effect.