IT Security Act 2.0 passed by the cabinet

In the end, draft followed draft — and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a “breakthrough for Germany’s security”. Industry associations and the UP KRITIS sharply criticise how the experts there were involved, both in terms of content and because of the very short comment period of only a few working days for draft nos. 3 and 4. This does not reflect the importance of the planned amendments to the law.

Start of discussion in November

Surprisingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long standstill, the discussion about critical infrastructures, their operators and the role of the BSI got moving again. The technical experts' comments aimed at improving essential points in substance and at clarifying open questions, e.g. the partly disproportionate level of sanctions, transition periods, the certification and notification of the use of so-called critical components, and the inclusion of new sectors such as waste management.

More powers for the BSI

It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber intervention force as quickly as possible.

Evaluation of the IT-SiG 1.0

Furthermore, the legally stipulated evaluation of the IT-SiG 1.0 according to Article 10 is still pending. Also according to Article 9 of the Critical Infrastructure Ordinance (KritisV), the BSI Critical Infrastructure Ordinance — and thus in particular the threshold values above which an operator is considered a critical infrastructure — must be evaluated every two years.

Changes in content

In the view of the SRC experts, the following points are the main changes in the new IT-SiG:

  • Regulations on the use of critical components
  • Concretisation of key figures and threshold values for the largest companies in Germany, insertion of a legal regulation on the disclosure of interfaces and compliance with established technical standards.
  • Regulations on fines and sanctions
  • Amendment of the provisions on the storage of log data
  • Alignment of inventory data disclosure with the requirements of the BVerfG decision of 27 May 2020 (“Inventory Data Disclosure II”).
  • Limitation of the implementation of detection measures for network and IT security (“Hacker Paragraph”)
  • Amendment of deadlines for the KRITIS regulations in Section 8a BSIG and an adjustment or limitation of the obligation to submit operator documents, insofar as the registration obligation has not been fulfilled.
  • Regulations on IT security of companies in special public interest: Self-declaration forms provided by the BSI are no longer binding; with the submission of the self-declaration there is an obligation to register with the BSI.
  • Temporal restriction of the BSI’s right of entry to check the requirements of EU Regulation 2019/881 (EU Cybersecurity Act).

In addition, conceptual adjustments and concretisations were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft for the IT Security Act 2.0. The cabinet version is available for download.

Further regulation on IT security

The draft bill on the Telecommunications Modernisation Act (Act on the Implementation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Communications Code (recast) and on the Modernisation of Telecommunications Law), which was also presented on 09.12.2020, also contains provisions on IT security.

The SRC experts will be happy to exchange views with you on the innovations as well as their effects and support you in implementing the requirements from IT-SiG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-Prüfung”).

IT-Security Law 2.0

Is the IT security law 2.0 on its way?

After a longer standstill, the discussion about the IT Security Law (IT-SiG 2.0) is now beginning again. Recently, a 3rd draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).

Current status of the amendment

The amendment of the IT-SiG has now been under way since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready to be voted on by the various departments. Adoption before the end of the first quarter of next year no longer seems unrealistic.

What are the main focuses of the draft law?

The new draft bill focuses on the threats to cyber security. In addition, the powers of the BSI will also be expanded and new areas of responsibility will be created, e.g. as a national cyber security certification authority with the implementation of active detection measures.

The new draft also includes the notification of critical components in § 2 section 13:

“The use of a critical component (…) is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the notification, the critical component and the kind of its use are to be indicated.”

Critical components are especially those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalog pursuant to § 109 (6) TKG; all others are specified in a corresponding BSI catalog.

Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account superior public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component does not have any technical properties that could have an abusive effect on the security, integrity, availability or operability of the critical infrastructure (such as sabotage, espionage or terrorism).

Here a new duty of disclosure arises for the operators of the components. Previously, manufacturers had to apply to the BSI for certification of these components. This new listing of critical components contains highly sensitive targets. Successful attacks by hackers or secret services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.

The discussion about requirements for the IT products used, identification and authentication procedures and their evaluation with regard to information security is also taken up and specified. These specifications lead to the development and publication of a state of the art of security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.

Conclusion

It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, because it is more concrete than the draft of April 2019. It is critical that the evaluation of the IT-SiG of 2015, which should have taken place after four years at the latest, is still pending.

The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SiG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-audit”).

New BSI guidance on evidence according to § 8a paragraph 3 BSIG

The IT Security Act (IT-SiG) in conjunction with the KRITIS regulation has been in force for over five years. Its main objective is the regulation of KRITIS operators according to the BSI Act. The Federal Office for Information Security (BSI) accompanies the law and the regulation with the so-called BSI Orientation Guide to Evidence.

IT-SiG 2.0 — Is it coming or not?

Unfortunately, the topic “IT security law 2.0” has become very quiet lately. Therefore no amendment of the KRITIS regulation is to be expected in the short term. However, the current state of the IT-SiG 2.0 can be taken from the present ministerial draft. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond the KRITIS operators to include companies in the special public interest (e.g. due to their economic importance) is also being considered. For these companies, the preparation of security concepts, the obligation to report incidents, the registration and management of a reporting office and the trustworthiness of the employees in the area are important. The planned tightening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the total annual company turnover worldwide in the previous business year) is particularly striking.

New guidance on evidence

While IT-SiG 2.0 is still a long way off, in the second half of August the BSI published its new “Guidance on evidence pursuant to Section 8a (3) BSIG”. Version number 1.1 already suggests it: the changes include many concretisations and clarifications of the facts and requirements. In addition, there are further significant changes. For example, the new Form P combines the information contained in the previously used forms PD (test performance), PE (test results) and PS (testing body). In addition to the written submission, a digital/machine-readable copy is now also required. The list of security deficiencies and the implementation plan are now combined in one document, while existing test results (maximum 12 months old) must be explicitly checked to confirm that they are still current and applicable. A clear innovation is the well-founded assessment of the maturity levels of the management systems for information security (ISMS) and business continuity (BCMS). The strong focus on the aspect of traceability is also very noticeable. This becomes visible at various points:

  • Detailed description of the scope (with its interfaces, dependencies and parts of the critical service operated by third parties) and
  • the installation (including associated parts of the critical service and all essential features) as well as
  • Provision of a comprehensible network structure plan.
  • In addition, a list of deficiencies must also be comprehensible without the need for further documents.

Even without IT-SiG 2.0, the new BSI orientation guide requires attention. SRC experts will be pleased to discuss the innovations and their effects with you and support you in the implementation of the extended requirements.

IT Security Congress 2019

IT-Security Congress 2019 — Arne Schönbohm welcomes SRC

The IT-Security Congress 2019 again offered SRC the platform for dialogues with manufacturers, partners and representatives of public authorities. The motto of the event was “IT security as a prerequisite for successful digitization”. The topics were as varied as the visitors: artificial intelligence and its fields of application, Common Criteria certifications of micro-kernel operating systems and professional perspectives for scientists and computer scientists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting and certification of information security management systems or support for product manufacturers in evaluations according to Common Criteria.

Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Requirements for Payment Procedures for Customer Authentication Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel development of regulatory requirements on the other hand provide continuous material for discussions and forecasts of future trends.

The host of the IT-Security Congress 2019, the Federal Office for Information Security (BSI) (see photo), also stopped by our stand. Thilo Pannen is responsible for Business Development at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched all aspects of the extensive cooperation with the BSI, be it the preparation of studies, the support in the various BSI projects or the work of SRC as a BSI-recognized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria. The requirements for the technical domains “Smartcards and similar Devices” and “Hardware Devices with Security Boxes” are also fulfilled by SRC.

Such extensive and complex cooperation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooperation, please let me know,” said the BSI President at the end of his visit to the SRC stand.