What is Bundesamt für Sicherheit in der Informationstechnik (BSI)?

Most countries have some sort of government agency dedicated to protecting digital infrastructure and promoting cybersecurity awareness. In the English-speaking world alone, the UK has the National Cyber Security Center (NCSC), the US has the National Institute of Standards and Technology (NIST), and Canada has the Canadian Centre for Cyber Security; chances are you’re already aware of them.

However, cybersecurity knows no borders. Expanding our knowledge beyond the anglosphere is crucial to working effectively in the modern world. With this in mind, let’s look at one of the most important cybersecurity agencies in the non-English-speaking world: Germany’s Bundesamt fur Sicherheit in der Informationstechnik (BSI), or the Federal Office for Information Security.

Bundesamt fur Sicherheit in der Informationstechnik: An Overview

The German BSI is the central IT security service provider for the German federal government. Established in 1991, it is one of the world’s longest-standing cybersecurity agencies and is crucial in promoting information security in Germany. Its primary responsibility is to ensure the confidentiality, integrity, and availability of information and communication technologies in all facets of German society, including the federal government, businesses, and individuals.

To achieve this goal, the German BSI focuses on the following key objectives:

• Protecting Government IT Systems: The BSI secures the German public sector’s IT infrastructure against cyber threats, primarily through developing security standards, carrying out risk assessments, and providing incident response capabilities.
• Promoting Cybersecurity Awareness: Public awareness is a huge part of the BSI's work. For example, it provides educational resources covering various cybersecurity topics, participates in EU-wide cybersecurity awareness campaigns (such as European Cyber Security Month), and even offers online phishing tests.
• Security Product Evaluation: The BSI evaluates security products and solutions to ensure they align with established security guidelines and standards.
• Developing Security Standards: Like NIST, the BSI develops and publishes security standards and guidelines for various sectors, most notably IT-Grundschultz, which we’ll cover in more detail later.
• Incident Response: The BSI operates a national cyber emergency response team (CERT) that handles cybersecurity incidents affecting government and critical infrastructure organizations.
• Research and Development:  The BSI’s R&D efforts include analyzing threat landscapes, researching secure technologies like cryptography and AI, and exploring emerging technology security, such as IoT and the cloud.

The IT Grundschutz Methodology

The IT Grundschutz methodology is the foundation of the Bundesamt für Sicherheit in der Informationstechnik’s suite of security standards and guidelines, providing a structured approach to information security management. It includes the following pillars:

The IT-Grundschutz Compendium

The rather grand-sounding IT-Grundschutz Compendium is foundational to the German BSI’s approach to cybersecurity. It outlines the overarching methodology for establishing and maintaining an information security management system. Addressing organizational, infrastructure, and application security is essentially a “how-to” guide for building a strong security posture.

The IT-Grundschutz Catalogs

These catalogs go into more depth than the Compendium, providing granular, technical recommendations tailored to specific IT components and systems. For example, there are separate catalogs for servers, clients, networks, databases, and everything in between. Ultimately, they provide practical steps to help organizations secure individual elements of their IT environment.

IT-Grundschutz Checklists

In the final stage of the IT-Grundschutz methodology, these checklists offer concise, actionable steps for implementing specific security measures. They consolidate the broader guidance from the Compendium and Catalogues into concrete tasks that organizations can tick off as they complete them. Examples include checklists for access controls, data backup processes, and incident response.

The German BSI in the Headlines

The German BSI has demonstrated on multiple occasions that, as both a regulatory body and cybersecurity agency, it can take meaningful action to improve Germany's digital safety. Here are a couple of examples from the past year.

Forcing Microsoft to Disclose Security Measures

In June 2024, the German BSI pressured Microsoft to release a white paper detailing its implementation of double-key encryption across platforms like Microsoft 365 and Azure. The disclosure followed the BSI's invocation of a clause in the Federal Office for Information Security Act, compelling IT companies to provide necessary security information upon request.

The BSI's inquiry was linked to a 2023 incident where hackers exploited Azure Active Directory tokens to breach U.S. government networks. Microsoft attributed the attack to a Chinese threat actor known as Storm-0558 or Volt Typhoon. The BSI has been collaborating with Microsoft to assess and enhance data protection measures against similar threats.

Cutting Access to Devices Infected with BadBox Malware

In December 2024, the German BSI identified over 30,000 internet-connected devices across the country infected with pre-installed malware known as BadBox. In response, it implemented a method known as sinkholing to redirect traffic from these devices to safe servers, cutting hackers' access to them. However, it’s worth mentioning that, as devices with outdated software remain at risk, the German BSI urges consumers who receive warnings from the authorities to disconnect these devices from the internet or stop using them.

How Fortra Can Help

If your organization operates in Germany and needs to comply with the German BSI’s IT-Grundschutz, Fortra can help with that. Fortra’s compliance assessment uses the Powertech Security Scan to identify misconfiguration vulnerabilities in your IBM I system and determines how critical they are so you can fix any issues before an audit.

Try it for free today. 

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.