Regulation On The Procedure Of Issuance Of Security Certificates And Recognitions By The Federal Office For Security In Information Technology

Original Language Title: Verordnung über das Verfahren der Erteilung von Sicherheitszertifikaten und Anerkennungen durch das Bundesamt für Sicherheit in der Informationstechnik

Read the untranslated law here: http://www.gesetze-im-internet.de/bsizertv_2014/BJNR223100014.html

Regulation on the procedure of issuance of security certificates and recognitions by the Bundesamt für Sicherheit in der Informationstechnik (BSI Certification and Recognition Regulation - BSIZertV)

BSIZertV
Date of issue: 17.12.2014
Full citation: "BSI Certification and Recognition Regulation of 17 December 2014 (BGBl. I S. 2231)"
1 Notified under Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services (OJ L 204 of 21.07.1998, p. 37), as last amended by Article 26(2) of Regulation (EU) No. 1025/2012 of the European Parliament and of the Council of 25 October 2012 (OJ L 316 of 14.11.2012, p. 12).

Footnote
(+++ Text in force from: 24.12.2014 +++)
(+++ Official note of the standard-setting authority on EC law: Notification of Directive 98/34/EC (CELEX No: 31998L0034) +++)

Input formula
On the basis of § 10(1) of the BSI Act of 14 August 2009 (BGBl. I S. 2821), the Federal Ministry of the Interior, after consultation with the industry associations concerned and in agreement with the Federal Ministry for Economic Affairs and Energy, orders:

Section 1 General provisions

§ 1 Scope of application
The Bundesamt für Sicherheit in der Informationstechnik (Federal Office) grants certificates and recognitions pursuant to § 9 of the BSI Act in accordance with this regulation.

§ 2 Application procedure
Applications must be submitted in writing and must include the name and address of the applicant and the date of the application.

§ 3 Submission and storage of documents and other evidence
(1) The documents produced in the course of the application and the documents submitted with the application in certification or recognition procedures are to be stored electronically or in paper form in accordance with the provisions applicable at the Federal Office.
(2) Where the applicant is required under this regulation to provide documents or other evidence only temporarily, the applicant must keep these documents or other evidence, after inspection by the Federal Office, for the duration of the application procedure and the period of validity of the certification or recognition. After expiry of the certification or recognition, these documents or other evidence are to be kept for at least three further years and made available to the Federal Office free of charge at any time on request.

§ 4 Criteria, requirements, technical scopes
(1) The Federal Office determines, as far as necessary for the certification and recognition procedures under this regulation, 1. the technical scopes, 2. the applicable criteria (security criteria, protection profiles, technical guidelines and BSI standards), 3. the requirements for expertise, equipment and reliability, and 4. the documents required, and publishes them on its website.
(2) The Federal Office determines the procedures for the granting of certificates and recognitions under this regulation and publishes these procedures on its website.
(3) The Federal Office refrains from the publication referred to in paragraphs 1 and 2 if publication would endanger public safety. The Federal Office may refrain from publication if publication would impair public interests or the security of certain products, components, product categories or systems, or if the criteria or procedures are classified. The Federal Office discloses unpublished criteria, technical scopes and procedures to those who come into consideration as applicants, provided they demonstrate a legitimate interest to the Federal Office and undertake to comply with the necessary security precautions.

§ 5 Form of decisions; duty to hear
(1) Decisions that finally dispose of an application made under this regulation are to be issued in writing.
(2) Before an application is refused, the reasons for the expected refusal are to be communicated to the applicant. The applicant is to be given the opportunity, within a reasonable period set by the Federal Office, to comment and to make improvements. § 28(3) of the Administrative Procedure Act applies.
(3) Before a certificate or a recognition is issued with incidental provisions pursuant to § 22, the applicant is to be heard in accordance with § 28 of the Administrative Procedure Act.

§ 6 Duty of the applicant to cooperate
(1) The Federal Office establishes the facts relevant to the certification or recognition. It is incumbent on the applicant to provide the evidence necessary to establish the facts. The Federal Office is not obliged to conduct its own investigations within the meaning of § 26(1) of the Administrative Procedure Act, but may draw on findings already available to it.
(2) The applicant is responsible for ensuring the necessary participation of any third parties within the scope of its cooperation obligations.

§ 7 Publication of certificates and recognitions
(1) The Federal Office publishes at least quarterly, on the Internet or in other media, a complete list, or a list of the additions and changes since the last publication, of certified information technology systems, sites, products, components and protection profiles, together with the associated security certificates and certification reports.
(2) The Federal Office publishes at least quarterly, on the Internet or in other media, a complete list, or a list of the additions and changes since the last publication, of certified persons, with their address, the technical scopes of the certification and the period of validity of the certification.
(3) The Federal Office publishes at least quarterly, on the Internet or in other media, a complete list, or a list of the additions and changes since the last publication, of certified IT security service providers, with their address, the technical scopes of the certification and the period of validity of the certification.
(4) The Federal Office publishes at least quarterly, on the Internet or in other media, a complete list, or a list of the additions and changes since the last publication, of recognized expert bodies, with their address, the technical scopes of the recognition and the period of validity of the recognition.
(5) The holder of a certificate or a recognition may object to publication pursuant to paragraphs 1 to 4. The Federal Office refrains from publication pursuant to paragraphs 1 to 4 insofar as publication could endanger public safety. The Federal Office may refrain in whole or in part from publication pursuant to paragraphs 1 to 4 if publication would impair public or private interests.
Section 2 Certification of information technology products or components, information technology systems and protection profiles

§ 8 Certification of information technology products or components
(1) An application for certification of information technology products or components may be made by any natural or legal person. If the applicant is not the manufacturer of the product or component to be certified, or of any part thereof, the applicant must attach to the application a declaration from all manufacturers of the product or component to be certified, in which the manufacturers declare their agreement with the application, their willingness to cooperate, and their consent to support the applicant in fulfilling requirements or other incidental provisions during the application procedure and after the certificate has been issued. § 13(2) of the Administrative Procedure Act remains unaffected.
(2) In addition to the information required under § 2, the application must contain: 1. information on the criteria applicable under § 4(1) and the desired evaluation level, 2. the exact designation of the product or component to be certified, 3. information on the manufacturers and rights holders of the product or component to be certified, 4. a description of the development and production status, 5. the designation of the expert body recognized by the Federal Office that is intended to carry out the testing and evaluation, 6. if available, information on tests and evaluations already carried out by other expert bodies, and 7. the consent to publication of a granted certification pursuant to § 7(1) or the objection to publication pursuant to § 7(5) sentence 1.

§ 9 Certification of information technology systems
(1) An application for certification of information technology systems may be made only by the operator of the system to be certified.
(2) In addition to the information required under § 2, the application must contain: 1. information on the criteria applicable under § 4(1) and the desired evaluation level, 2. the exact designation of the system to be certified, 3. a description of the development and production status, as well as information on the manufacturers and rights holders of the information technology products used, 4. the designation of the expert body recognized by the Federal Office that is intended to carry out the testing and evaluation, 5. where available, information on tests and evaluations by other persons or expert bodies, and 6. the consent to publication of a granted certification pursuant to § 7(1) or the objection to publication pursuant to § 7(5) sentence 1.

§ 10 Certification of protection profiles
(1) An application for certification of protection profiles may be made only by an association of manufacturers or users of information technology products, a standardization organization or a public authority.
(2) In addition to the information required under § 2, the application must contain: 1. information on the criteria applicable under § 4(1) and the desired evaluation level, 2. the exact designation of the protection profile, 3. if available, information on the author of the protection profile, where author and applicant are not identical, 4. the consent of the applicant and of the rights holder to make the protection profile available free of charge, 5. the designation of the expert body recognized by the Federal Office that is intended to carry out the testing and evaluation, and 6. the consent to publication of a granted certification pursuant to § 7(1) or the objection to publication pursuant to § 7(5) sentence 1.

§ 11 Cooperation obligations
(1) For the certification of information technology products or components, it is incumbent on the applicant to make available to the Federal Office and the expert body, free of charge, the product or component to be certified, the equipment and rights necessary for its operation, and the documents and evidence required under § 4(1). Documents and other evidence may be provided by the applicant for inspection only if the applicant credibly demonstrates that significant interests of the applicant preclude handing over the documents or evidence.
(2) For the certification of information technology systems, it is incumbent on the applicant to grant the Federal Office and the expert body access, free of charge, to the information technology system and the relevant sites, and to provide the rights required for the examination as well as the necessary documents and evidence under § 4(1).
(3) For the certification of protection profiles, it is incumbent on the applicant to make the protection profile to be certified available to the Federal Office and the commissioned expert body free of charge.
(4) For carrying out the certification, it is incumbent on the applicant to support the Federal Office and the expert body free of charge through expert representatives. Where necessary, it is incumbent on the applicant to instruct or train, free of charge, the staff involved in the testing, evaluation and certification with regard to the product, component or system.

§ 12 Certificate
(1) A certificate pursuant to § 9(4) of the BSI Act is granted if the testing and evaluation show 1. that the tested information technology product, information technology component, information technology system or protection profile meets the criteria pursuant to § 4(1), and 2. that the Federal Ministry of the Interior has determined pursuant to § 9(4) number 2 of the BSI Act that overriding public interests, in particular security concerns of the Federal Republic of Germany, do not preclude the grant.
(2) The certificate is issued by the Federal Office for a limited period. The Federal Office determines the period of validity for the respective technical scope.
(3) The certificate for information technology products, systems, components and protection profiles contains: 1. the certification number, 2. the designation of the criteria, insofar as they have been made public, 3. the name of the expert body recognized by the Federal Office that carried out the testing and evaluation for the certification, 4. any incidental provisions pursuant to § 22, 5. the place and date of issue of the security certificate, and 6. the period of validity of the security certificate.
A certification report is annexed to the security certificate.
(4) The certificate for information technology products or components contains, in addition to paragraph 3, the following information: 1. the designation, the description and the manufacturer of the tested product or component, 2. the designation of the documentation belonging to the tested product or component, 3. the description of the security functions, and 4. the evaluation level achieved or the scope of the examination.
(5) The certificate for information technology systems contains, in addition to paragraph 3, the following information: 1. the name and description of the certified system and the relevant sites, and 2. where applicable, the designation of the security-related documentation belonging to the tested system and site.
(6) The certificate for protection profiles contains, in addition to paragraph 3, the following information: 1. the name and description of the certified protection profile, and 2. the evaluation level achieved or the scope of the examination.
(7) The Federal Office may at any time, where there is cause, check whether the requirements for certification under paragraph 1 are still met. The Federal Office develops procedures for these checks and publishes them on its website.

§ 13 Return of information technology products or components
Information technology products or components handed over by the applicant to the Federal Office are returned to the applicant at the place of examination. The Federal Office may agree with the applicant that the product or component is kept at the Federal Office.

Section 3 Certification of persons

§ 14 Application
(1) An application for certification of a person may be made only by the person who wishes to obtain the certification.
(2) In addition to the information required under § 2, the application must contain: 1. information on the requested technical scope or scopes, 2. the evidence required for this technical scope under § 4(1), and 3. the consent to publication of a granted certification pursuant to § 7(2) or the objection to publication pursuant to § 7(5) sentence 1.

§ 15 Certificate
(1) A certificate for persons pursuant to § 9(5) of the BSI Act is granted if the testing and evaluation show 1. that the person meets the test criteria pursuant to § 4(1), and 2. that the Federal Ministry of the Interior has determined pursuant to § 9(4) number 2 of the BSI Act that overriding public interests, in particular security concerns of the Federal Republic of Germany, do not preclude the grant.
(2) The certificate is issued by the Federal Office for a limited period. The Federal Office determines the period of validity for the respective technical scope.
(3) The person certificate contains the following information: 1. the name and address of the certified person, 2. the certification number, 3. the period of validity of the certification, 4. the technical scope of the certification with reference to the underlying standards, 5. the designation of the standards underlying the evaluation of the person, 6. any incidental provisions pursuant to § 22, and 7. the place and date of issue of the certificate.
(4) The Federal Office regularly checks whether the requirements for certification under paragraph 1 are still met. In addition, a non-routine check may take place at any time. The Federal Office develops procedures for these checks and publishes them on its website.

Section 4 Certification of IT security service providers

§ 16 Application
(1) An application for certification as an IT security service provider may be made only by the IT security service provider that wishes to obtain the certification.
(2) In addition to the information required under § 2, the application must contain: 1. information on the legal form, company structure and ownership interests of the applicant, 2. information on the requested technical scope of the certification, 3. a list of the responsible staff of the applicant and their respective areas of responsibility, 4. information on quality and information security management and, where applicable, on classified information protection support, 5. a declaration on independence or impartiality with regard to the intended activities in the technical scope, and 6. the consent to publication of a granted certification pursuant to § 7(3) or the objection to publication pursuant to § 7(5) sentence 1.

§ 17 Cooperation obligations
(1) In the course of the procedure, it is incumbent on the applicant to grant the Federal Office or the persons commissioned by the Federal Office, where necessary, access free of charge to the sites, the systems intended for examination and the documents pursuant to § 4.
(2) During the procedure, it is incumbent on the applicant to support the Federal Office or the persons commissioned by the Federal Office free of charge through expert representatives.

§ 18 Certificate
(1) A certificate as an IT security service provider pursuant to § 9(5) of the BSI Act is granted if the testing and evaluation show 1. that the IT security service provider meets the criteria pursuant to § 4(1), and 2. that the Federal Ministry of the Interior has determined pursuant to § 9(4) number 2 of the BSI Act that overriding public interests, in particular security concerns of the Federal Republic of Germany, do not preclude the grant.
(2) The certification is issued by the Federal Office for a limited period. The Federal Office determines the period of validity for the respective technical scope.
(3) The certificate contains the following information: 1. the name of the IT security service provider and the addresses of all certified sites, 2. the certification number, 3. the period of validity of the certification, 4. the technical scope or scopes of the certification with reference to the underlying standards, 5. the designation of the standards underlying the assessment of the IT security service provider, 6. any incidental provisions pursuant to § 22, and 7. the place and date of issue of the certificate.
(4) The Federal Office regularly checks whether the requirements for certification under paragraph 1 are still met. In addition, a non-routine check may take place at any time. The Federal Office develops procedures for these checks and publishes them on its website.

Section 5 Recognition of expert bodies

§ 19 Application
(1) An application for recognition as an expert body may be made only by the body that wishes to obtain the recognition.
(2) In addition to the information required under § 2, the application must contain: 1. information on the legal form, company structure and shareholdings of the body, 2. information on the technical scope of the recognition, 3. a list of the responsible staff of the body and their respective areas of responsibility, 4. information on quality and information security management and, where available, on classified information protection support, 5. a declaration on the independence or impartiality of the body with regard to the intended activities in the technical scope, and 6. the consent to publication of a granted recognition pursuant to § 7(4) or the objection to publication pursuant to § 7(5) sentence 1.
(3) Applications are processed in the chronological order of their receipt. This may be departed from if the Federal Office, because of the number and scope of pending examination procedures, cannot carry out an examination in a timely manner and there is a public interest in a recognition.

§ 20 Cooperation obligations
(1) In the course of the procedure, it is incumbent on the applicant to grant the Federal Office or the persons commissioned by the Federal Office, where necessary, access free of charge to the sites, the systems intended for examination and the documents pursuant to § 4.
(2) During the procedure, it is incumbent on the applicant to support the Federal Office or the persons commissioned by the Federal Office free of charge through expert representatives.

§ 21 Recognition
(1) A recognition pursuant to § 9(6) of the BSI Act is granted if the testing and evaluation show 1. that the material and personnel resources as well as the expertise and reliability of the conformity assessment body meet the test criteria pursuant to § 4(1), and 2. that the Federal Ministry of the Interior has determined pursuant to § 9(6) number 2 of the BSI Act that overriding public interests, in particular security concerns of the Federal Republic of Germany, do not preclude the grant.
(2) The recognition may be limited in time by the Federal Office. The Federal Office determines the period of validity for the respective technical scope.
(3) The recognition contains the following information: 1. the name and address of the recognized expert body and of all recognized sites, 2. the recognition number, 3. the period of validity of the recognition, 4. the technical scope or scopes of the recognition with reference to the underlying standards, 5. the designation of the standards on which the assessment of the body was based, 6. any incidental provisions pursuant to § 22, and 7. the place and date of issue of the certificate of recognition.
(4) The Federal Office regularly checks, pursuant to § 9(6) sentence 2 of the BSI Act, whether the conditions for recognition under paragraph 1 still exist. In addition, a non-routine check may take place at any time. The Federal Office develops procedures for these checks and publishes them on its website.

Section 6 Incidental provisions

§ 22 Incidental provisions
(1) A certificate under §§ 12, 15 and 18 and a recognition under § 21 may be issued subject to revocation.
(2) A certificate under §§ 12, 15 and 18 and a recognition under § 21 may be issued with incidental provisions, in particular with requirements or time limits. In particular, it may be stipulated that 1. the holder of the certificate or recognition, when using the certificate or recognition, in particular for advertising purposes, presentation or proof, must refer to certain accompanying documents, to be specified in more detail, issued in connection with the certification or recognition, and must make these available, 2. the holder of the certificate must inform the Federal Office without being asked when it becomes aware of changes to the security properties of the subject of the certification, 3. the holder of the certificate or recognition must have it checked regularly or where there is cause, at its own expense, by the Federal Office or by persons commissioned by it, whether the conditions for the certification of products (for example according to Common Criteria) or for the recognition continue to exist, 4. a certification is dependent on the validity of a protection profile or a technical guideline, 5. in the cases of § 15, § 18 or § 21, the applicant must inform the Federal Office immediately in writing if its operations or its corporate form change significantly or if it relocates its headquarters, 6. in the cases of § 15, § 18 or § 21, the applicant must take part in meetings on the technical scope of the certification or recognition offered by the Federal Office, and 7. in the cases of § 18 or § 21, the applicant must employ a certain number of persons certified pursuant to § 15 for the respective technical scope.

Section 7 Final provisions

§ 23 Entry into force, expiry
This regulation enters into force on the day after its promulgation. At the same time, the BSI Certification Regulation of 7 July 1992 (Federal Law Gazette I p. 1230) ceases to have effect.