VS-NfD Documentation & Security Concept

A VS-NfD security concept per the VS-NfD memorandum (Annex

4 to the Classified Information Handbook) must document all technical and organizational measures that ensure the protection of classified information at the VS-NfD level.The concept covers three core areas:1. Physical Security: Access controls, security zones, secure storage in steel cabinets or security rooms2. Personnel Security: Security clearance checks per the Security Clearance Act (SÜG), commitment declarations, classified information briefings3. IT and Information Security: Use of BSI-approved IT systems, hard drive encryption, access control, logging, and network segmentationFor networked IT systems (compound systems), an additional information security concept per BSI IT-Grundschutz is required, documenting all communication relationships. ADVISORI creates this concept to be both audit-proof and practical.

Since September 1, 2025, self-accreditation is mandatory for all companies handling classified information that process VS-NfD on IT systems. The VS-NfD officer must confirm in writing to management every three years that all VS-NfD memorandum requirements are fully implemented.The confirmation covers three areas:- Implementation of all IT requirements from the memorandum- Compliance with operating conditions for BSI-approved IT security products- Evidence of an ISMS through BSI IT-Grundschutz (with IT-Grundschutz check, risk analysis, and implementation plan) or ISO 27001 certificationThis confirmation must be presented to the VS-NfD contracting authority or the BMWK upon request. ADVISORI guides you through the entire accreditation process.

The VS-NfD memorandum distinguishes between technically isolated IT systems and networked compound systems:Isolated Systems (Air-Gapped):- Restrictive user permissions and role-based access- Prohibition of wireless interfaces (WiFi, Bluetooth)- BSI-approved hard drive encryption- No private software or storage mediaNetworked Systems (Compound Systems):- Project-specific access controls- Physical securing of central components- Information security concept per BSI IT-Grundschutz- Documentation of all communication relationships- Encryption with BSI-approved productsAdditionally, all systems must meet requirements for data backup, controlled data destruction, and logging. ADVISORI documents these requirements in your individual security concept.

BSI IT-Grundschutz and the VS-NfD security concept complement each other but are not identical:BSI IT-Grundschutz is a general information security framework with building blocks, threats, and measures. It provides the methodological foundation.The VS-NfD security concept builds on this but adds specific requirements:- Specific provisions from the Classified Information Directive (VSA)- Requirements from the Classified Information Handbook (GHB)- Mandatory use of BSI-approved products (not just recommended ones)- Personnel security clearances per the Security Clearance Act (SÜG)- BSI building block CON.11.1 'Classified Information Protection VS-NfD' specifies the requirementsFor compound systems, the VS-NfD memorandum requires at least the basic requirements of BSI IT-Grundschutz. An ISO 27001 certification based on IT-Grundschutz can facilitate self-accreditation.

A VS-NfD security concept is required by all organizations that work with classified information at the VS-NfD level (For Official Use Only):- Companies handling classified information: Suppliers to the Bundeswehr and defense industry with access to VS-NfD information- Government agencies: Federal, state, and municipal institutions that create or process VS-NfD- Critical infrastructure operators: KRITIS operators with access to classified information- IT service providers: Companies that provide or operate IT systems for processing VS-NfDThe obligation stems from the Classified Information Directive (VSA) and the Classified Information Handbook (GHB). Without a valid security concept and successful self-accreditation, companies may not process VS-NfD on IT systems since September 2025.

The duration depends on the complexity of your IT landscape and the maturity of your existing security measures:- Small companies with isolated IT systems: 4–8 weeks- Medium companies with compound systems: 8–16 weeks- Large organizations with complex IT infrastructure: 3–6 monthsThe main factors affecting duration:1. Number and complexity of VS-NfD-processing IT systems2. Existence of an ISMS (ISO 27001 or BSI IT-Grundschutz)3. Status of physical and personnel security measures4. Availability of required BSI-approved productsADVISORI accelerates the process through proven templates and structured methodologies. If an ISMS is already in place, the VS-NfD-specific security concept can be completed in significantly less time.

BSI building block CON.11.1 'Classified Information Protection VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD)' is the central reference module for VS-NfD security concepts in the IT-Grundschutz Compendium.It defines:- Basic requirements: Minimum measures for every VS-NfD workstation, including awareness training, access control, and document management- Standard requirements: Extended measures such as logging, contingency planning, and regular reviews- Enhanced requirements: Additional measures for particularly sensitive environmentsThe building block supports classified information officers in systematically implementing VSA requirements for electronic processing of VS-NfD. It bridges the gap between general IT-Grundschutz and specific VS-NfD requirements.ADVISORI uses CON.11.1 as the foundation for structuring your security concept and ensures that all basic, standard, and enhanced requirements are addressed.