
Ordinance on the procedure for the granting of security certificates and recognitions by the Federal Office for Information Security

Original Language Title: Verordnung über das Verfahren der Erteilung von Sicherheitszertifikaten und Anerkennungen durch das Bundesamt für Sicherheit in der Informationstechnik


Ordinance on the procedure for the granting of security certificates and recognitions by the Federal Office for Information Security (BSI Certification and Recognition Ordinance - BSIZertV)


BSIZertV

Date of issue: 17.12.2014

Full citation:

"BSI Certification and Recognition Ordinance of 17 December 2014 (BGBl. I p. 2231)"

1 Notified in accordance with Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on information society services (OJ L 204, 21.7.1998, p. 37), as last amended by Article 26(2) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 (OJ L 316, 14.11.2012, p. 12).

Footnote

(+++ Text in evidence from: 24.12.2014 +++)
(+++ Official note from the issuing authority on EC law: notification under Directive 98/34/EC (CELEX No: 31998L0034) +++)


Enacting formula

On the basis of § 10 (1) of the BSI Act of 14 August 2009 (BGBl. I p. 2821), the Federal Ministry of the Interior, after hearing the business associations concerned and in agreement with the Federal Ministry for Economic Affairs and Energy, orders as follows:

Section 1
General provisions


§ 1 Scope

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, hereinafter "the Federal Office") grants certificates and recognitions in accordance with § 9 of the BSI Act under this Ordinance.

§ 2 Application procedure

Applications must be submitted in writing and shall state the name and address of the applicant and the date of the application.

§ 3 Submission and retention of documents and other evidence

(1) The application, the documents filed with it and the documents arising in the certification or recognition procedure shall be kept by the Federal Office electronically or in paper form in accordance with the applicable provisions.
(2) Where applicants are required under this Ordinance to submit documents or other evidence to the Federal Office, they shall submit them in the form specified by the Federal Office. Applicants shall retain these documents and other evidence throughout the application procedure and the period of validity of the certification or recognition. After the period of validity of the certification or recognition has expired, these documents and other evidence shall be retained for at least three further years and shall be made available to the Federal Office free of charge at any time on request.

§ 4 Test criteria, requirements, technical fields of application

(1) To the extent necessary, the Federal Office shall determine, for the certification and recognition procedures provided for in this Ordinance,
1.
technical fields of application,
2.
requirement-based test criteria (security criteria, protection profiles, technical guidelines and BSI standards),
3.
requirements for professional expertise, equipment and reliability, and
4.
the necessary evidence.
(2) The Federal Office shall determine the procedures for issuing certificates and recognitions under this Ordinance and shall publish procedural descriptions on its website.
(3) The Federal Office shall refrain from the publication referred to in paragraphs 1 and 2 if public security would be endangered by it. The Federal Office may refrain from publication if public interests or the security of particular products, components, product categories or systems would be adversely affected by it, or if the test criteria or the procedural descriptions are classified information. The Federal Office shall disclose unpublished test criteria, fields of application and procedural descriptions to persons eligible as applicants if they demonstrate a legitimate interest to the Federal Office and undertake to comply with the necessary security measures.

§ 5 Form of decisions; obligation to hear the applicant

(1) Decisions that conclude the procedure on an application under this Ordinance shall be issued in writing.
(2) Before an application is rejected, the applicant shall be informed of the reasons for the anticipated rejection. Within a reasonable period set by the Federal Office, the applicant shall be given the opportunity to comment and to remedy the deficiencies. § 28 (3) of the Administrative Procedure Act shall apply.
(3) Before a certificate or recognition is issued with secondary provisions under § 22, the applicant shall be heard in accordance with § 28 of the Administrative Procedure Act.

§ 6 Duties of the applicant to cooperate

(1) The Federal Office shall establish the facts relevant to the certification or recognition. It is the applicant's responsibility to provide the evidence necessary to establish those facts. The Federal Office is not obliged to carry out its own investigations within the meaning of § 26 (1) of the Administrative Procedure Act, but it may draw on findings already available to it.
(2) It is the applicant's responsibility, within the scope of its duty to cooperate, to ensure the necessary involvement of any third parties.

§ 7 Publication of certificates and recognitions

(1) At least quarterly, the Federal Office shall publish on the Internet or in other media lists, or the list entries modified or added since the last publication, of the certified information technology products, components and systems, of the certified locations and of the certified protection profiles, together with the associated security certificates and certification reports.
(2) At least quarterly, the Federal Office shall publish on the Internet or in other media lists, or the list entries modified or added since the last publication, of the certified persons, with their address, the technical scope of the certification and its period of validity.
(3) At least quarterly, the Federal Office shall publish on the Internet or in other media lists, or the list entries modified or added since the last publication, of the certified IT security service providers, with their address, the technical scope of the certification and its period of validity.
(4) At least quarterly, the Federal Office shall publish on the Internet or in other media lists, or the list entries modified or added since the last publication, of the recognised expert bodies, with their address, the technical scope of the recognition and its period of validity.
(5) The holder of a certificate or recognition may object to the publication referred to in paragraphs 1 to 4. The Federal Office shall refrain from the publication referred to in paragraphs 1 to 4 to the extent that public security could be adversely affected by it. The Federal Office may refrain in whole or in part from the publication referred to in paragraphs 1 to 4 if public or private interests would be adversely affected by it.

Section 2
Certification of information technology products or components, information technology systems and protection profiles


§ 8 Certification of information technology products or components

(1) An application for certification of information technology products or components may be submitted by any natural or legal person. If the applicant is not the manufacturer of the product or component to be certified, or of parts thereof, the applicant shall attach to the application a declaration by all manufacturers of the product or component to be certified in which the manufacturers consent to the application, declare their willingness to cooperate, and undertake to support the applicant in fulfilling conditions or other secondary provisions both during the application procedure and after the certificate has been issued. § 13 (2) of the Administrative Procedure Act remains unaffected.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the test criteria to be applied under § 4 (1) and the evaluation level sought,
2.
the exact name of the product to be certified or the component to be certified,
3.
information about the manufacturer and the rights holder of the product to be certified or the component to be certified,
4.
a description of the development and production status,
5.
an indication of the expert body recognised by the Federal Office that is to carry out the examination and evaluation,
6.
where available, information on examinations and evaluations already carried out by other expert bodies, and
7.
consent to the publication of a granted certification under § 7 (1), or an objection to publication under § 7 (5) sentence 1.

§ 9 Certification of information technology systems

(1) An application for certification of an information technology system may only be submitted by the operator of the system to be certified.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the test criteria to be applied under § 4 (1) and the evaluation level sought,
2.
the exact designation of the system to be certified,
3.
a description of the development and production status, together with information on the manufacturers and rights holders of the information technology products used,
4.
an indication of the expert body recognised by the Federal Office that is to carry out the examination and evaluation,
5.
where available, information on examinations and evaluations by other persons or expert bodies, and
6.
consent to the publication of a granted certification under § 7 (1), or an objection to publication under § 7 (5) sentence 1.

§ 10 Certification of protection profiles

(1) An application for certification of a protection profile may only be submitted by an association of manufacturers or users of information technology products, by a standardisation organisation or by a public authority.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the test criteria to be applied under § 4 (1) and the evaluation level sought,
2.
the exact designation of the protection profile to be certified,
3.
where available, information on the author of the protection profile if the author and the applicant are not identical,
4.
the consent of the applicant and of the rights holder to making the protection profile available free of charge,
5.
an indication of the expert body recognised by the Federal Office that is to carry out the examination and evaluation, and
6.
consent to the publication of a granted certification under § 7 (1), or an objection to publication under § 7 (5) sentence 1.

§ 11 Duties to cooperate

(1) For the certification of information technology products or components, it is the applicant's responsibility to make available free of charge to the Federal Office and the commissioned expert body the product or component to be certified, or parts thereof, or to provide the facilities and rights needed for this purpose, together with the documents and evidence required under § 4 (1). The applicant may withhold documents or other evidence if it proves that their disclosure would be contrary to its essential interests.
(2) For the certification of information technology systems, it is the applicant's responsibility to grant the Federal Office and the expert body free access to the installed information technology system and to the relevant locations, and to provide the rights necessary for the examination as well as the evidence required under § 4 (1).
(3) For the certification of protection profiles, it is the applicant's responsibility to make the protection profile to be certified available free of charge to the Federal Office and the commissioned expert body.
(4) For the conduct of the certification procedure, it is the applicant's responsibility to support the Federal Office and the commissioned expert body free of charge through expert representatives. To the extent necessary, the applicant shall provide or conduct, free of charge, product-, component- or system-related training for the personnel involved in the examination, evaluation and certification.

§ 12 Certificate

(1) A certificate pursuant to § 9 (4) of the BSI Act shall be issued if:
1.
the examination and evaluation show that the information technology product, the information technology component, the information technology system or the protection profile meets the test criteria under § 4 (1), and
2.
in accordance with § 9 (4) no. 2 of the BSI Act, the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude its issue.
(2) The certificate shall be issued by the Federal Office for a limited period. The Federal Office sets the period of validity for the respective technical scope.
(3) The certificate for information technology products, components and systems and for protection profiles shall contain:
1.
the certification number,
2.
an indication of the test criteria applied, to the extent that they are publicly known,
3.
the name of the expert body recognised by the Federal Office whose examination and evaluation were used for the certification,
4.
any secondary provisions under § 22,
5.
the place and date of issue of the security certificate, and
6.
the period of validity of the security certificate.
A certification report shall be attached to the security certificate.
(4) In addition to paragraph 3, the certificate for information technology products or components shall contain:
1.
the name, description and manufacturer of the examined product or component,
2.
an indication of the documentation of the examined product or component,
3.
a description of the security functions, and
4.
the evaluation level achieved or the scope of the examination.
(5) In addition to paragraph 3, the certificate for information technology systems shall contain the following information:
1.
the name and description of the examined system and of the relevant locations, and
2.
where necessary, an indication of the security-relevant documentation of the examined system and locations.
(6) In addition to paragraph 3, the certificate for protection profiles shall contain the following information:
1.
the name and description of the examined protection profile, and
2.
the evaluation level achieved or the scope of the examination.
(7) The Federal Office may check at any time whether the conditions for certification under paragraph 1 continue to be met. The Federal Office shall develop procedural descriptions for these checks and publish them on its website.

§ 13 Return of information technology products or components

Information technology products or components submitted to the Federal Office by the applicant shall be returned to the applicant at the place of examination. The Federal Office may agree with the applicant that the product or component is kept at the Federal Office.

Section 3
Certification of persons


§ 14 Application

(1) An application for certification of a person may only be submitted by the person seeking the certification.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the technical scope or fields of application applied for,
2.
the evidence required for this technical scope under § 4 (1), and
3.
consent to the publication of a granted certification under § 7 (2), or an objection to publication under § 7 (5) sentence 1.

§ 15 Certificate

(1) A certificate for persons pursuant to § 9 (5) of the BSI Act shall be issued if:
1.
the examination and evaluation show that the person to be certified meets the test criteria under § 4 (1), and
2.
in accordance with § 9 (4) no. 2 of the BSI Act, the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude its issue.
(2) The certificate shall be issued by the Federal Office for a limited period. The Federal Office shall determine the period of validity for the respective technical scope.
(3) The certificate for persons shall contain:
1.
The name and address of the certified person,
2.
the certification number,
3.
the period of validity of the certification;
4.
the technical scope of the certification, with reference to the underlying standards,
5.
an indication of the standards underlying the evaluation of the person,
6.
any secondary provisions under § 22, and
7.
the place and date of issue of the certificate.
(4) The Federal Office shall regularly verify that the conditions for certification under paragraph 1 continue to be met. In addition, a review for cause may take place at any time. The Federal Office shall develop procedural descriptions for these reviews and publish them on its website.

Section 4
Certification of IT security service providers


§ 16 Application

(1) An application for certification as an IT security service provider may only be submitted by the IT security service provider seeking the certification.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the legal form, corporate structure and ownership interests of the applicant,
2.
information on the technical fields of application for which certification is sought,
3.
a list of the responsible staff of the applicant and their respective areas of responsibility;
4.
information on quality management and information security management and, where necessary, information on the protection of classified information,
5.
a declaration of independence or impartiality with regard to the activities envisaged within the scope, and
6.
consent to the publication of a granted certification under § 7 (3), or an objection to publication under § 7 (5) sentence 1.

§ 17 Duties to cooperate

(1) Within the procedure, it is the applicant's responsibility to grant the Federal Office, or the persons commissioned by the Federal Office, free access to the locations, to the systems designated for the examination and to the documents under § 4.
(2) During the procedure, it is the applicant's responsibility to support the Federal Office, or the persons commissioned by the Federal Office, free of charge through expert representatives.

§ 18 Certificate

(1) A certificate as an IT security service provider pursuant to § 9 (5) of the BSI Act shall be issued if:
1.
the examination and evaluation show that the IT security service provider meets the test criteria under § 4 (1), and
2.
in accordance with § 9 (4) no. 2 of the BSI Act, the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude its issue.
(2) The certificate shall be issued by the Federal Office for a limited period. The Federal Office shall determine the period of validity for the respective technical field of application.
(3) The certificate shall contain:
1.
the name of the IT security service provider and the addresses of all certified locations,
2.
the certification number,
3.
the period of validity of the certification;
4.
the technical scope or technical fields of application of the certification, with reference to the underlying standards,
5.
an indication of the standards underlying the evaluation of the IT security service provider,
6.
any secondary provisions under § 22, and
7.
the place and date of issue of the certificate.
(4) The Federal Office shall regularly verify that the conditions for certification under paragraph 1 continue to be met. In addition, a review for cause may take place at any time. The Federal Office shall develop procedural descriptions for these reviews and publish them on its website.

Section 5
Recognition of expert bodies


§ 19 Application

(1) An application for recognition as an expert body may only be submitted by the body seeking the recognition.
(2) In addition to the information required under § 2, the application must contain:
1.
information on the legal form, corporate structure and ownership interests of the body,
2.
information on the technical scope of recognition applied for;
3.
a list of the responsible staff of the body and their respective areas of responsibility;
4.
information on quality management and information security management and, where available, information on the protection of classified information,
5.
a declaration of the independence or impartiality of the body with regard to the activities envisaged within the scope, and
6.
consent to the publication of a granted recognition under § 7 (4), or an objection to publication under § 7 (5) sentence 1.
(3) Applications shall be processed in the chronological order of their receipt. The Federal Office may depart from this order if, owing to the number and scope of pending examination procedures, it is unable to carry out an examination in due time and there is a public interest in a particular recognition.

§ 20 Duties to cooperate

(1) Within the procedure, it is the applicant's responsibility to grant the Federal Office, or the persons commissioned by the Federal Office, free access to the locations, to the systems designated for the examination and to the documents under § 4.
(2) During the procedure, it is the applicant's responsibility to support the Federal Office, or the persons commissioned by the Federal Office, free of charge through expert representatives.

§ 21 Recognition

(1) A recognition pursuant to § 9 (6) of the BSI Act shall be granted if:
1.
the examination and evaluation show that the technical and professional equipment and the professional qualifications and reliability of the conformity assessment body satisfy the test criteria under § 4 (1), and
2.
in accordance with § 9 (6) no. 2 of the BSI Act, the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude the recognition.
(2) The recognition shall be granted by the Federal Office for a limited period. The Federal Office shall determine the period of validity for the respective technical scope.
(3) The recognition shall contain:
1.
the name and address of the recognised expert body and of all recognised locations,
2.
the recognition number,
3.
the period of validity of the recognition;
4.
the technical scope or technical fields of application of the recognition, with reference to the underlying standards,
5.
an indication of the standards underlying the evaluation of the body,
6.
any secondary provisions under § 22, and
7.
the place and date of issue of the certificate of recognition.
(4) In accordance with § 9 (6) sentence 2 of the BSI Act, the Federal Office shall regularly check whether the conditions for recognition under paragraph 1 continue to be met. In addition, a review for cause may take place at any time. The Federal Office shall develop procedural descriptions for these reviews and publish them on its website.

Section 6
Secondary provisions


§ 22 Secondary provisions

(1) A certificate under § 12, § 15 or § 18 and a recognition under § 21 may be issued subject to revocation.
(2) A certificate under § 12, § 15 or § 18 and a recognition under § 21 may be issued with secondary provisions, in particular with conditions or time limits. In particular, it may be stipulated that:
1.
the holder of the certificate or recognition, when using the certificate or recognition, in particular for advertising purposes, must submit and make available for inspection accompanying documents connected with the certification or recognition, to be specified in more detail,
2.
the holder of the certificate must inform the Federal Office if the security properties of the subject of the certificate change,
3.
the holder of the certificate or recognition must, at his or her own expense, be checked regularly or for cause by the Federal Office, or by persons or bodies commissioned by the Federal Office, to determine whether the requirements for the certification (for example, in accordance with the Common Criteria) or the recognition continue to be met,
4.
a certification is tied to the validity of a protection profile or a technical guideline,
5.
in the cases of § 15, § 18 or § 21, the applicant must inform the Federal Office in writing without delay if his or her working methods or form of business change substantially or if his or her registered office changes,
6.
in the cases of § 15, § 18 or § 21, the applicant must take part in the working meetings offered by the Federal Office for the technical scope of the certification or recognition,
7.
in the cases of § 18 or § 21, the applicant must employ a certain number of persons certified under § 15 for the respective field of application.

Section 7
Final provisions


§ 23 Entry into force, expiry

This Ordinance shall enter into force on the day following its promulgation. At the same time, the BSI Certification Ordinance of 7 July 1992 (BGBl. I p. 1230) shall cease to have effect.