BSI publishes minimum requirements for the use of external cloud services

The Federal Office for Information Security (BSI) has published minimum standards for the use of external cloud services. To do so, the BSI made use of its authority set forth in Section 8 Act on the Federal Office for Information Security in Information Technology (BSIG) to develop general minimum requirements on IT security for federal government offices. Earlier this year, the BSI had already published recommendations for secure web browsers.

The new minimum standard addresses security requirements in the stages of acquiring, using, and terminating cloud services and are based on the security requirements set forth in the BSI Cloud Computing Compliance Controls Catalogue (C5) and the IT Basic Protection Catalogue (Cloud).

The Federal Ministry of the Interior may enact the minimum standards for cloud services developed by the BSI as general administrative regulations, making them binding for all federal offices in Germany. For federal courts and constitutional bodies of the federal government, the BSI’s minimum standards will serve as recommendations.

Practical tip:

The BSI minimum standards on the use of external could services are not directly applicable to private companies. For cloud providers, however, the requirements will nonetheless be relevant, as in the future federal offices will only consider such providers for cloud services that meet the BSI security requirements.