CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD)
Description
Introduction
State classified information protection encompasses all measures to maintain the secrecy of information that has been classified as classified material (VS — Verschlusssachen) by a government body or on its instructions. VS are information, objects or findings that must be kept secret in the public interest — in particular to protect the welfare of the Federation or a Land — regardless of the form in which they are represented.
State classified information protection is governed by federal and state law. The legal basis for federal classified information protection is the Security Screening Act (Sicherheitsüberprüfungsgesetz, SÜG). For the physical classified information protection of the Federation, the General Administrative Regulation on Physical Classified Information Protection (Allgemeine Verwaltungsvorschrift zum materiellen Geheimschutz, Verschlusssachenanweisung, VSA) is authoritative. This applies to federal authorities or federally subordinate public-law institutions (agencies) that handle VS.
If information technology is used for handling VS (VS-IT), the requirements of the VSA must be observed. A prerequisite for the use of VS-IT is an information security concept based on the BSI standards of IT-Grundschutz of the Federal Office for Information Security (BSI) in its current version. In addition, the classified information protection requirements described in this building block, which go beyond IT-Grundschutz, apply.
Interconnection of VS-IT refers to the direct or cascaded connection of two or more VS-IT systems for the shared use of data and other information resources (e.g. communication).
Objective
The objective of this building block is to ensure that classified information protection requirements are taken into account at an early stage in information security concepts (Security-by-Design). This building block is intended to support Classified Information Security Officers in defining the VSA requirements for the electronic processing of VS up to the classification level VS-ONLY FOR OFFICIAL USE (VS-NfD) and in integrating them into the information security concept together with Information Security Officers.
Scope and Modeling
The building block CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) is to be applied once to the entire information network of the VS-IT if VS of the classification level VS-NfD are processed or are intended to be processed. This building block is directed at federal authorities or federally subordinate public-law institutions that are subject to the VSA.
If the building block is to be applied, it must be noted that this building block does not constitute an independent regulatory framework, but merely serves to support the implementation of the VSA. In principle, a distinction must be made between requirements for ensuring information security and requirements for classified information protection. IT-Grundschutz serves the implementation of information security, and the VSA serves the implementation of classified information protection. For this reason, ISO 27001 certification based on IT-Grundschutz does not replace approvals under the VSA. In order to implement comprehensive classified information protection, the requirements of the VSA must be observed.
The requirements of this building block are derived from the VSA and address the following aspects:
- general principles of the VSA,
- access of persons to VS,
- VS-IT documentation,
- handling of electronic VS,
- deployment of VS-IT, and
- maintenance and upkeep of VS-IT.
The requirements of this building block build upon the information security requirements and extend them with the classified information protection requirements. To secure the information network under consideration with VS-IT and to ensure that information security is implemented, the totality of all building blocks must generally be considered. In addition to the relevant system building blocks, this building block presupposes the implementation of the following process building blocks in particular, as they are extended by the classified information protection requirements:
This building block does not address:
- the VSA requirements for securing VS-IT that is intended for the processing of VS at the classification levels VS-CONFIDENTIAL or higher,
- the structural and technical security of buildings and rooms in which VS of the classification level VS-NfD are processed — these are addressed in the corresponding building blocks of the layer INF Infrastructure,
- the general VSA requirements that have no direct connection to VS-IT, and
- the approval process for VS-IT.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD).
Unauthorised Disclosure
A significant threat to classified information protection is the disclosure of VS to unauthorised persons. This can arise when the requirements of the VSA are not observed.
Examples:
- The classification and marking of VS is omitted, performed incorrectly or incompletely.
- VS are deleted using IT products that have no approval statement.
- The VS-IT documentation is absent or is only maintained inadequately.
If the requirements of the VSA are not observed, this can result in:
- certain classified information protection measures being incorrectly deemed unnecessary due to incorrect handling of VS, meaning they are not implemented or not implemented to the necessary extent,
- VS being deleted in such a way that the content of the VS can be restored,
- due to absent or inadequate VS-IT documentation, it not being possible to determine whether a required classified information protection level is achieved, whether necessary measures to protect the VS-IT have been taken in the past, or whether currently planned measures are compatible with already implemented measures,
- VS being processed with IT that does not provide adequate protective measures.
Applications can store or duplicate data without this being noticed.
Examples:
- Swap files or swap partitions sometimes contain sensitive data, e.g. passwords or cryptographic keys.
- When processing VS with a word processing program, temporary working copies can be created that under certain circumstances (for example after a program crash) are not deleted.
- In the ongoing operation of many applications, files accumulate that are not needed for productive operation (e.g. browser history). These files can contain security-relevant information.
As a result, such files can be read out when the storage media are removed and installed in another IT system. If swap files, application files or temporary files have not been securely deleted, unauthorised persons can gain knowledge of VS. Passwords and keys can be misused to gain unauthorised access to VS-IT or VS.
The consequences of unauthorised disclosure of VS of the classification level VS-NfD can be detrimental to the Federal Republic of Germany or one of its Länder. These may vary depending on the nature of the information classified as VS. For example, if classified network plans or information security concepts are disclosed, this information can be used to intrude into IT systems. If unauthorised persons gain knowledge of, for example, diplomatic information about another country, this can strain diplomatic relations between Germany and that country.
Covert Attacks
A covert attack is a form of espionage in which foreign intelligence services covertly obtain information from sources that are not publicly accessible. In covert attacks, intelligence services seek to obtain information of interest to them — such as VS — as unnoticed as possible.
In covert procurement activities, intelligence services conceal their true intentions. The information is obtained through the use of human sources (e.g. social engineering), through technical means (e.g. eavesdropping measures or cyber attacks in which backdoors are exploited or malware is used), or through a combination of both means.
As a result, foreign intelligence services can access VS and gain a strategic advantage over the Federal Republic of Germany or one of its Länder. For example, other states could use this information to strengthen their negotiating position vis-à-vis the Federal Republic of Germany. Other groups, such as terrorist organisations or organised crime, can also use information obtained through covert attacks to plan and carry out potential activities more effectively.
Insider Attacks
In an insider attack, internal information — such as VS — is deliberately stolen by internal or external employees and possibly sold to third parties or published. Insiders have extensive knowledge of the internal processes and workflows of their institutions. Furthermore, they have physical entry, system access and data access rights that outsiders do not possess. They can use this knowledge and the rights granted to them for their official duties to increase the probability of success of an attack. Furthermore, they can time the attack so that it is carried out when it is difficult to detect — for example during maintenance windows.
The reasons why employees decide to steal information are individually different.
Examples:
- The insiders feel morally compelled to publish information classified as VS in order to expose grievances, for example.
- The insiders have been recruited by an intelligence service.
- The insiders wish to enrich themselves by selling information.
As a result, third parties can gain unauthorised access to VS. This can be detrimental to the interests of the Federal Republic of Germany or one of its Länder. The conditions under which insiders operate make protection against such attacks more difficult. Many of the measures used to protect against attacks are not effective against insider attacks.
Requirements
The following are the specific requirements of the building block CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD). Overall responsibility for classified information protection rests with the respective agency head. The associated tasks are performed, where appointed, by the respective Classified Information Security Officer. This person is responsible for implementing the VSA. If no Classified Information Security Officer has been appointed, the agency head performs these tasks. The Information Security Officer (this role corresponds to the IT Security Officer role defined in the VSA and in the UP Bund) supports and advises the Classified Information Security Officer on all questions regarding the deployment of VS-IT.
| Responsibilities | Roles |
|---|---|
| Primary responsibility | Classified Information Security Officer |
| Additional responsibilities | None |
Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Note: When applying this building block, the following rules must be observed:
- This building block has no regulatory character whatsoever. It is not an independent regulatory framework; rather, the requirements arise from the VSA.
- General VSA rules that contain no specific provisions for VS-IT are not part of this building block. These rules are to be taken from the VSA.
Basic Requirements
The following requirements MUST be met as a priority for this building block.
CON.11.1.A1 Compliance with the Principles for VS Processing with IT pursuant to §§ 3, 4 and 6 and No. 1 Annex V to the VSA (B)
VS of the classification level VS-NfD MUST NOT be processed except with VS-IT that has been approved for this purpose. Private IT MUST NOT be used for processing classified material. When processing VS with VS-IT, the principle of “need to know” MUST be observed. ONLY persons who must have knowledge of a VS due to their official duties MAY obtain knowledge of it. Persons MUST NOT be informed about a VS more broadly or earlier than is necessary for the performance of official duties.
Compliance with the principle of “need to know” SHOULD, particularly if VS-IT is used by multiple users, be ensured primarily through technical measures.
In accordance with the principle of layered security, personnel, organisational, physical and technical measures MUST be taken that in their interaction:
- reduce the risks of an attack (prevention),
- make attacks detectable (detection), and
- in the event of a successful attack, limit the negative consequences (response).
When fulfilling the requirements of this building block, the relevant BSI Technical Guidelines (BSI TL) MUST be observed. If deviations from the BSI TL are intended, this MUST NOT occur except in exceptional cases and in agreement with the BSI.
CON.11.1.A2 Creation and Updating of VS-IT Documentation pursuant to § 12 and No. 2.2 Annex II to the VSA (B)
Every agency that uses VS-IT MUST create VS-IT documentation as part of the classified information protection documentation. The VS-IT documentation MUST contain all documents listed in No. 2.2 Annex II to the VSA.
The VS-IT documentation MUST be updated for all classified information protection-relevant changes. It MUST furthermore be reviewed at least every three years for currency, completeness and necessity of existing and still-to-be-implemented classified information protection measures.
CON.11.1.A3 Deployment of IT Security Products pursuant to §§ 51, 52 VSA (B)
Based on the approval relevance that the BSI defines for individual product types in the VS product catalogue, and in particular on the results of the structure analysis, all IT security functions relevant to the planned VS-IT MUST be identified. These can be assigned to the following categories pursuant to § 52 VSA:
- entry and access control,
- identification and authentication,
- cryptographic support,
- security management,
- information flow control,
- internal protection of user data,
- self-protection of security functions and their data,
- network separation,
- protection of integrity,
- availability monitoring, or
- security logging and evidence management.
Subsequently, the identified IT security functions MUST be assigned to the respective sub-components of the VS-IT, taking into account the VS product catalogue of the BSI. Every identified sub-component that is significantly responsible for the protection of VS MUST be designated and treated as an IT security product pursuant to the VSA.
If the identified IT security product belongs to a product type for which an approval statement pursuant to BSI TL - IT 01 is required, a corresponding product from BSI-Schrift 7164 (List of Approved Products) MUST be used. If no suitable IT security product is listed there, contact MUST be made with the BSI approval authority. When using IT security products with an approval statement, the BSI’s operating conditions (SecOPs) for the respective product MUST additionally be observed.
CON.11.1.A4 Procurement of VS-IT pursuant to § 49 VSA (B)
Before VS-IT is procured, it MUST be ensured that its security is continuously guaranteed throughout the entire lifecycle, from the point at which it becomes clear that the IT is to be used for VS processing, through to decommissioning. In order to ensure continuous classified information protection, the procurement documents MUST be formulated so that the requirements of the VSA can be fully met.
For procurement orders for VS-IT, the necessary IT security functions of the respective IT products MUST be defined in advance. When formulating the procurement documents, particular attention MUST be paid to:
- retention,
- archiving and
- deletion of electronic VS, as well as
- decommissioning,
- maintenance and repair of VS-IT.
If an IT security function is assigned to an IT product to be procured, an IT product from the list of approved IT security products SHOULD be procured. If instead a product without an approval statement is selected, it SHOULD be clarified in advance with the BSI whether it can be approved. In addition, the tender SHOULD include the requirement that the manufacturer must participate in an approval procedure (see BSI TL - IT 01). Contracts MUST be designed such that, in the event of return of defective or leased IT products, their storage media or other components on which VS could be stored remain in the possession of the agency.
CON.11.1.A5 Commitment upon Access to VS pursuant to § 4 VSA and Annex V to the VSA (B)
Before a person is granted access to VS of the classification level VS-NfD, they MUST be formally committed in accordance with Annex V to the VSA. A copy of Annex V to the VSA MUST be made accessible to each person against acknowledgement of receipt.
If personnel from non-public bodies are granted access to VS, No. 6.6 Annex V to the VSA MUST be observed. The commitment of a person MUST NOT be dispensed with EXCEPT if work is only carried out briefly on VS-IT and access to VS can be excluded during that time.
CON.11.1.A6 Supervision and Escorting of External Personnel for VS-IT pursuant to §§ 3, 4 VSA (B)
Non-committed external personnel working on VS-IT MUST be accompanied and supervised throughout the entire time. The accompanying persons MUST have the necessary specialist knowledge to be able to monitor the activities.
CON.11.1.A7 Marking of Electronic VS and Storage Media pursuant to §§ 20, 54 and Annex III, V and VIII to the VSA (B)
Electronic VS MUST be marked in accordance with the requirements of the VSA. The marking MUST be visible at all times during the entire duration of their classification when processing VS with VS-IT. The marking MUST also be retained on copied, electronically transmitted or printed VS. If the nature of electronic VS does not permit marking in accordance with the VSA, the VS MUST be marked in an equivalent manner.
The file name of an electronic VS SHOULD contain a marking that makes it recognisable as VS without having to open the VS. Emails MUST be marked in accordance with template 11 of Annex VIII to the VSA.
If an electronic marking of VS (in the sense of metadata) is to be used, it MUST be examined whether this takes on IT security functions (see CON.11.1.A3 Deployment of IT Security Products pursuant to §§ 51, 52 VSA).
Storage media on which electronic VS of the classification level VS-NfD are stored encrypted by products without an approval statement MUST be marked with the classification level of the VS stored on them. If the assembly of VS on the storage medium results in a data set that requires a higher classification, the storage medium itself MUST be treated and marked as VS of the classification level VS-CONFIDENTIAL.
CON.11.1.A8 Administration and Proof of Electronic VS pursuant to § 21 VSA (B)
For the administration of electronic VS, the principles of proper record management (pursuant to the Registry Directive for the Processing and Management of Documents in Federal Ministries) and the VSA provisions on the administration and proof of VS MUST be observed (no proof of management required for VS of the classification level VS-NfD). Electronic VS classified as VS-NfD MUST NOT be managed in open (electronic) registries except in compliance with the principle of “need to know”.
CON.11.1.A9 Storage of Electronic VS pursuant to § 23 and No. 5 Annex V to the VSA (B)
Electronic VS MUST be stored encrypted using an IT security product with an approval statement, or secured by physical means in accordance with the VSA provisions (see CON.11.1.A15 Handling of Storage Media and IT Products pursuant to § 54 and Annex V to the VSA).
CON.11.1.A10 Electronic Transmission of VS pursuant to §§ 24, 53, 55 and No. 6.2 Annex V to the VSA (B)
If VS are to be transmitted electronically, the VSA provisions on the disclosure of VS (§ 24 VSA) MUST be observed. For disclosure to parliaments, state authorities and non-public bodies, the special provisions of §§ 25 and 26 VSA MUST additionally be observed.
The VS-IT of all communication partners MUST be approved for the processing of VS of the classification level VS-NfD. If VS are transmitted electronically, they MUST in principle be encrypted using an IT security product with an approval statement. Encryption MUST NOT be dispensed with EXCEPT if:
- VS are transmitted exclusively by wire and the transmission equipment, including cables and distributors, is protected against unauthorised access, or
- in addition to the local networks, the transport network has also been approved for the processing of VS.
Access protection MAY ONLY be assumed to exist within rooms and areas that are protected against uncontrolled entry.
VS MUST NOT be transmitted electronically by other means except in exceptional cases pursuant to § 55 para. 2–4 VSA, while observing the requirements and precautions stated therein. If it is foreseeable in advance that VS will need to be transmitted electronically, the exceptional provision of § 55 VSA MUST NOT be applied.
CON.11.1.A11 Taking Electronic VS on Travel pursuant to § 28 VSA and No. 7 Annex V to the VSA (B)
Electronic VS MUST NOT be taken on official trips and to official meetings except where this is officially necessary and they are adequately secured against unauthorised disclosure. If taken personally, they MUST be stored as follows:
- on approved VS-IT,
- on a storage medium transported in a sealed envelope,
- on a storage medium that has been encrypted using an IT security product with an approval statement, or
- encrypted using an IT security product with an approval statement, if the storage medium itself has not been encrypted using an IT security product with an approval statement.
If VS of the classification level VS-NfD are to be processed in private residences, they MUST NOT be processed except electronically using VS-IT approved for this purpose.
CON.11.1.A12 Archiving of Electronic VS pursuant to §§ 30, 31 VSA (B)
VS MUST be transferred in accordance with the Federal Archives Act in the same manner as unclassified information. When introducing systems for electronic records management and business process handling, the technical procedures for transfer MUST be agreed at an early stage with the competent archive. If the competent archive does not wish to accept VS, they MUST be securely deleted or destroyed pursuant to CON.11.1.A13 Deletion of Electronic VS, Destruction of Storage Media and IT Products pursuant to §§ 32, 56 VSA.
CON.11.1.A13 Deletion of Electronic VS, Destruction of Storage Media and IT Products pursuant to §§ 32, 56 and No. 8 Annex V to the VSA (B)
To delete VS or storage media encrypted with an IT security product with an approval statement, the key MUST be deleted in compliance with the SecOPs.
If electronic VS that have not been encrypted with an IT security product with an approval statement are to be deleted, the entire storage medium or IT product on which VS are stored MUST be deleted using an IT security product with an approval statement.
Storage media or IT products MUST be deleted before they permanently leave the secured operating environment. They MUST be physically destroyed if they cannot be deleted. For the destruction, products or procedures MUST be used, or service providers MUST be commissioned, that meet the requirements of BSI TL - M 50.
The sub-requirements described above MUST also be observed for defective storage media and IT products.
CON.11.1.A14 Access and Entry Protection pursuant to § 3 VSA (B)
VS-IT used for VS classified as VS-NfD MUST be protected in such a way that only committed persons can gain access to the VS-IT and to the VS stored on it (see CON.11.1.A5 Commitment upon Access to VS pursuant to § 4 and Annex V to the VSA). The protection of the VS MUST be ensured through:
- IT security products with an approval statement,
- physical,
- organisational, or
- personnel measures.
Multi-factor authentication SHOULD be used for access and entry protection.
CON.11.1.A15 Handling of Storage Media and IT Products pursuant to § 54 and Annex V to the VSA (B)
Storage media and IT products MUST be stored in locked containers or rooms when not in use, if:
- the storage medium or IT product is itself classified as VS-NfD,
- unencrypted VS of the classification level VS-NfD are stored on the storage medium or IT product, or
- VS of the classification level VS-NfD are stored encrypted on the storage medium or IT product by a product without an approval statement.
CON.11.1.A16 Interconnection of VS-IT pursuant to § 58 VSA (B)
Before VS-IT may be interconnected with other VS-IT, it MUST be examined whether and to what extent information may be exchanged between the interconnected VS-IT. In the examination, the respective level of protection and the principle of “need to know” MUST be taken into account.
Depending on the result of the examination, IT security functions for the protection of system transitions MUST be implemented (see CON.11.1.A3 Deployment of IT Security Products pursuant to §§ 51, 52 VSA). Before the VS-IT is interconnected, it MUST be assessed and documented whether this is absolutely necessary for the intended scenario and whether the interconnection creates a particular threat to the individual subsystems. It MUST be examined whether the total volume of data arising from the interconnection of VS-IT must be classified at a higher level and whether further classified information protection measures become necessary.
If VS-IT for the processing of VS of the classification level VS-NfD is directly or in cascade connected to VS-IT for the processing of VS of the classification level TOP SECRET, it MUST be ensured that no connections are made to unprotected or public networks.
CON.11.1.A17 Maintenance and Repair Work on VS-IT pursuant to § 3 para. 3 VSA (B)
Maintenance and repair work on VS-IT components SHOULD be carried out within the institution’s own premises. If this is not possible, it MUST be ensured that the VSA requirements are met both during transport and during maintenance and repair work.
During maintenance and repair work, the processing of VS in the area of VS-IT affected by the maintenance SHOULD be stopped. If this is not possible, it MUST be continuously ensured during the period of maintenance and repair work that no VS can be exfiltrated.
After the maintenance and repair work has been completed, the Classified Information Security Officer MUST assess whether any classified information protection-relevant changes to the VS-IT have resulted.
CON.11.1.A18 Remote Maintenance of VS-IT pursuant to § 3 para. 3 VSA (B)
If VS-IT is remotely maintained, the remote maintenance connection MUST be encrypted. IT security products with an approval statement MUST be used for the encryption.
The IT used to carry out the remote maintenance, as well as the transmission paths, MUST be treated as VS-IT and defined as objects of protection.
The remote maintenance connection MUST be established and terminated by the agency. The agency MUST be able to interrupt the connection in the event of anomalies, even during maintenance.
For the remote maintenance of VS-IT, an information security concept MUST be created that takes into account all components involved in the remote maintenance. In particular, the network transitions and the VS-IT from which the remote maintenance is controlled MUST be considered.
Standard Requirements
No standard requirements are defined for this building block.
Requirements for High Protection Needs
No requirements for high protection needs are defined for this building block.
Additional Information
Good to Know
The legal basis for classified information protection is the “Act on the Requirements and the Procedure for Security Screenings of the Federation and the Protection of Classified Material (Security Screening Act — SÜG)”.
The “General Administrative Regulation on Physical Classified Information Protection (Classified Material Regulation — VSA)” issued on the basis of the SÜG contains the provisions for physical classified information protection in the federal administration.
The Federal Ministry for Economic Affairs and Climate Action (BMWK) publishes the Classified Information Protection Handbook for the Private Sector (Geheimschutzhandbuch der Wirtschaft, GHB) for the non-public sector.
The BSI issues Technical Guidelines for the implementation of the VSA.
The BSI publishes “BSI-Schrift 7164”, a list of all IT security products with a valid approval statement.
Further information on the approval of IT security products and a more detailed description of the individual IT security functions is provided in the document “VS Product Catalogue of the BSI”.
The principles of proper record management are set out in the “Registry Directive for the Processing and Management of Documents in Federal Ministries”, published by the Federal Ministry of the Interior (BMI).