Fast, predictable, lower cost: The lightweight alternative to CC certification
The Accelerated Security Certification (BSZ) is an independent certificate that confirms the security statement of your IT product.
BSZ focuses on the security robustness of your IT product. Through a combination of evaluations and penetration tests, it is possible to objectively prove that your product fulfills the stated security performance and the required security specifications of the BSI - quickly, predictably and with a minimum amount of documentation.
As a recognized BSZ evaluation body, TÜVIT offers you testing and evaluation services and supports you in achieving the successful certification for your IT product.
IT security certification in less than 3 months
Thanks to predictable evaluation runtimes & reduced effort, the BSZ represents a significantly faster alternative to CC certification.
Risk-based testing by experienced penetration testers
Our experienced IT security experts check the security of your IT product in the form of penetration tests & attacks with a high level of expertise.
Predictable costs & reduction in the amount of documents required
The smaller scope of the documents to be created reduces the effort on the manufacturer's side & enables a scheduled certification.
What is the Accelerated Security Certification (BSZ)?
The Accelerated Security Certification (BSZ) enables manufacturers to prove the security statement of their IT product with an independent certificate. The objective confirmation ensures the highest possible level of trust in the IT device among end customers.
BSZ is a certification procedure of the German Federal Office for Information Security (BSI) and is based on a combination of conformity tests with regard to the security performance of a product and penetration tests that put the effectiveness of the technical security measures to the test.
Whitepaper: Accelerated Security Certification (BSZ)
Our white paper on the Accelerated Security Certification familiarizes you with the basics of certification, introduces you to the various BSZ phases and explains the certification requirements.
Benefits of the Accelerated Security Certification (BSZ)
High level of trust
Objective confirmation of the security statement of your IT product in the form of a certificate.
Minimum requirements for evidence to be provided
The reduced scope of the required documents keeps the expenditure for manufacturers low.
Lightweight alternative to CC
The BSZ is a significantly faster alternative to certification in accordance with the Common Criteria (CC).
CSPN recognition
The BSZ certification scheme is compatible with the French CSPN & mutual recognition is in preparation.
Reliable time & cost planning
The BSZ saves time & reduces communication to a minimum. The result is a certification test that can be easily scheduled.
Designed for European recognition
Compatibility with the Fixed Time Approach (FIT CEM) provides a basis for integration at European level in future CSA schemes.
Our services as part of the BSZ
Carrying out a pre-pentest
Optimally prepared for the BSZ: Even before the actual evaluation begins, our experts assess the effectiveness and completeness of the implemented security measures, identify specific risks and suggest suitable measures to eliminate the identified vulnerabilities.
Review of the security requirements
Before the evaluation phase, we recommend the creation and review of the security target (ST) as the first fundamental step. The ST is a document that describes the security functionality, the interfaces, the threat model and the cryptographic mechanisms, among other things. The document is created by the applicant.
Upon request, our experts will pre-qualify the ST document, provide feedback on whether the IT product can be evaluated and coordinate with the BSI.
Evaluation of the IT product according to BSZ
Your IT product is evaluated in 4 phases:
■ Conformity to the security requirements (ST)
■ Penetration tests for robustness testing
■ Correctness of the installation instructions
■ Analysis of the implemented cryptography
In addition to the automated analysis & attack techniques, our IT security experts also always carry out manual investigations.
Accelerated Security Certification – Evaluation procedure
1. Preparation: Review of the TOE (Target of Evaluation) and creation & evaluation of the ST (Security Target). Subsequent calculation of the evaluation effort.
2. Joint kick-off at the BSI: Discussion of the evaluation of your product, determination of the required time frame as well as the underlying evaluation plan & clarification of questions.
3. Evaluation & test report: Examination of the product description & evaluation of the security performance of your product based on document analyses, conformity tests, pentests & crypto analyses.
4. Final interview & issuance of the certificate: Final interview in which we defend the test report to the BSI. If the BSI accepts it, the certificate is issued.
Checklist: You will need these documents
Security Target (approx. 10 pages)
Architecture overview (operating system, main components, libraries used)
Description of the update mechanism
Description of the cryptographic functionality (protocols, parameters, libraries)
Instructions for secure configuration (Secure User Guide)
Frequently Asked Questions (FAQ):
General network components and embedded IP networked devices:
- IP based network routers
- Embedded, networked industrial control devices
- Mobile handhelds for special tasks (programming devices, scanners, etc.)
In the future, product categories with uniform specifications for technically comparable products are planned, which will also simplify the decision on the certifiability of specific products.
The final report is always prepared by our experts individually and in an easily understandable way (no automatic generation) and contains at least the following information:
- Introduction: Brief description of the subject of the evaluation.
- Management/Executive Summary: Summary of the results.
- Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
- Clear presentation: Clear presentation of all identified vulnerabilities in a table.
- Detailed description of vulnerabilities, deviations & proof-of-concept: For each vulnerability, there is an individual description that describes exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
- Results of automated tests: The results of the automated tests are evaluated by the TÜVIT experts, checked for false positives and then summarized in the report.
- Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
- References: If available, we provide references to vulnerability databases (e.g. CVE).
- Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.
The security target (ST) describes the security functionality of the product to be evaluated, the interfaces, the threat model, the cryptographic mechanisms and the (expected) environment of the evaluation object. The document must be created by the applicant. This is the main basis for the subsequent evaluation.
The structure and specifications for the content of the ST can be found in the BSI's AIS B1 document.
The certification is valid for 2 years. During this time, the manufacturer undertakes to monitor the product for potential new security vulnerabilities and to provide corresponding updates.