Germany’s IT Product Certification Process Enhanced

In a move to bolster cybersecurity measures for IT products, Germany has introduced an updated Common Criteria (CC) certification scheme. The certification process, overseen by the Federal Office for Information Security (BSI), plays a crucial role in ensuring the security and reliability of IT products and systems.

The CC certification process typically begins with the manufacturer, distributor, or developer organization initiating the certification for their product. Additionally, site certifications are usually prompted by the organization operating the site, while the certification of a protection profile is initiated by the respective authors or requesters. This comprehensive document serves as a guide for all those applying for an IT security certificate, whether it’s for a specific product, a site, or a protection profile.

The primary objective of this document is to provide detailed requirements and information supplementing the “Description of Process for Certification of Products, Processes, and Service Providers.” It outlines the procedures for certification based on the Common Criteria. Evaluation facilities can refer to this documentation when assisting manufacturers in preparing for a specific certification process.

The document outlines specific tasks that applicants must consider to meet the regulations and requirements applicable to the certification process. It also references helpful forms and resources for the initial certification process.

The IT security certification scheme encompasses several options, including:

  1. Certification of an IT product according to Common Criteria (CC) and the accompanying processes for the certification of a protection profile (PP) and a site according to CC.
  2. Certification of an IT product according to Information Technology Security Evaluation Criteria (ITSEC).

The legal basis for certification services in Germany is the BSI Act and the BSI Certification and Recognition Ordinance. Certification decisions are contingent on fulfilling technical criteria, specifications, regulations from evaluation criteria, recognition agreements, and ancillary conditions. However, certification may be withheld if it conflicts with public interest, such as national security policies.

The Common Criteria (CC) serve as the specification and evaluation standard for IT security products and are published internationally as ISO/IEC 15408. The CC consist of several parts, including a catalogue of security functional components and a catalogue of security assurance components; these components define the scope of the evaluated product, the evaluation methods, and the depth of the evaluation. To ensure that the CC are applied consistently, the accompanying evaluation handbook, the Common Evaluation Methodology (CEM), is used.

Protection profiles (PP) are used to simplify and standardize product certifications. They define security requirements for specific product classes and facilitate the development of comparable security targets, resulting in consistent certificates for IT products. These profiles are recommended by various international bodies and organizations.

This updated certification scheme reflects Germany’s commitment to strengthening the cybersecurity of IT products and systems, ensuring that they meet the highest standards of security and reliability.

For more information on the certification process and related documents, visit the BSI website’s “Certification and Recognition” section under “Certification of products.” The website also provides updates on Common Criteria and Common Evaluation Methodology.

Germany continues to prioritize cybersecurity in an increasingly interconnected digital world, setting standards to safeguard critical IT infrastructure and systems.