BSI criteria catalog for cloud computing C5 requires more
The BSI is updating the criteria catalog for cloud computing. The new version C5:2026 contains a German interpretation of the EU Cloud Certification Scheme.
The Federal Office for Information Security (BSI) published an updated version of its criteria catalog for secure cloud computing today, Tuesday. This establishes the minimum standards for secure operation.
C5:2026 replaces the 2020 version and also brings a German interpretation of the EU Cloud Certification Scheme. The BSI requirements are considered a legally mandated prerequisite for many service providers – for example, a Type 2 certification is required for the digital German healthcare system. But C5 is also often considered decisive for digital financial services and in the banking sector, for passport photos, or for government agencies.
The basic idea behind the scheme: to define all terms and operational processes reliably, so that everyone involved shares the same understanding of what is meant. This starts with seemingly simple things like the question of what constitutes a shared zone in cloud operations, what a partition is, and what a location is. This is followed by the actual core criteria and further supplementary criteria on how services must be operated to be C5 compliant.
The C5 criteria require, among other things, that providers and their parent companies, if any, disclose which law they are subject to, but also how zones are divided and where customer data is located. Extensive information must also be provided to answer official requests regarding customer cloud data.
In addition to organizational and legal requirements, the new version also contains a wealth of classic security issues, from securing customer data to incident management. With C5:2026, not everything has changed, but individual aspects such as container management have been significantly revised. The new iteration contains much more precise specifications on this than before.
Post-quantum crypto makes its way into C5
The BSI states that in developing the new version, in addition to compatibility and interoperability with other standards, particular attention was paid to what the community has communicated to the Bonn IT security authority since the 2020 version. Given the increasingly pressing issues of post-quantum cryptography, Chapter 5.8 also contains extensive information on the criteria that cloud providers must adhere to for effective encryption according to C5. This includes, among other things, the use of hybrid methods to shore up methods that are expected to become weak.
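The hybrid approach mentioned above rests on a simple idea: derive the session key from two independently established shared secrets (one classical, one post-quantum), so that an attacker has to break both before the key is exposed. The following combiner is an added illustration of that idea and is not from the C5 catalog, the BSI, or any cloud provider; it does not prescribe what Chapter 5.8 requires. It assumes that `ss_classical` and `ss_pq` are shared secrets already produced by a classical key exchange and a post-quantum KEM, and the sample secrets and context string are constructed for the demonstration.

```python
import hashlib
import hmac

# Minimal HKDF-SHA256 (RFC 5869) built on the standard library so the
# example runs offline. A production system would use a vetted library.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(data: bytes) -> bytes:
    # Two-byte length prefix: makes the concatenation of variable-length
    # inputs unambiguous, so no two (classical, pq) pairs map to the same IKM.
    if len(data) > 0xFFFF:
        raise ValueError("secret too long for 2-byte length prefix")
    return len(data).to_bytes(2, "big") + data


def combine_hybrid_secrets(ss_classical: bytes, ss_pq: bytes,
                           context: bytes, key_len: int = 32) -> bytes:
    """Derive one session key from two shared secrets.

    The derived key depends on both inputs, so it stays secret as long as
    at least one of the two underlying exchanges is unbroken. `context`
    binds the key to the protocol/transcript it is used in.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets must be non-empty")
    ikm = _length_prefixed(ss_classical) + _length_prefixed(ss_pq)
    # Zero-length salt is the HKDF default; the context goes into `info`.
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, b"hybrid-kex-v1|" + context, key_len)


# Constructed sample values standing in for real exchange outputs.
SS_CLASSICAL = bytes(range(32))               # e.g. an ECDH shared secret
SS_PQ = bytes(range(32, 64))                  # e.g. a PQ KEM shared secret
CONTEXT = b"constructed-transcript-hash"


def demo() -> dict:
    """Show that changing either input changes the derived key."""
    key = combine_hybrid_secrets(SS_CLASSICAL, SS_PQ, CONTEXT)
    # Flip one byte of the classical secret only.
    weak_classical = bytes([SS_CLASSICAL[0] ^ 0x01]) + SS_CLASSICAL[1:]
    key_classical_changed = combine_hybrid_secrets(weak_classical, SS_PQ, CONTEXT)
    # Flip one byte of the PQ secret only.
    weak_pq = bytes([SS_PQ[0] ^ 0x01]) + SS_PQ[1:]
    key_pq_changed = combine_hybrid_secrets(SS_CLASSICAL, weak_pq, CONTEXT)
    return {
        "key": key,
        "classical_changed": key_classical_changed,
        "pq_changed": key_pq_changed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

The length prefixes matter: without them, shifting bytes between the two secrets could produce the same input keying material, which would undermine the "either one suffices" guarantee the hybrid construction is meant to give.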
BSI President Claudia Plattner therefore wants the updated catalog to be understood as a “contemporary and practical standard for everyone who uses, audits, offers, or procures cloud services.” In fact, many of the requirements are reminiscent of what has been specified lately in several BSI cloud collaborations with various providers – including European as well as US companies – as requirements for secure operation.
BSI focuses on machine readability
The new C5 catalog is also intended to improve usability for users. “The revised structure with sub-criteria and tightening or supplementary criteria provides more clarity in auditing, assignment, and evaluation,” explains BSI Vice President Thomas Caspers. To this end, the catalog will soon be available in a machine-readable format for the first time. This should help automate the corresponding processes.
The fundamental problem that official certification is extensive, therefore costly, and thus primarily manageable for more established companies, cannot be solved by the new catalog either. And even those who align with C5:2026 must continue to follow the debates. In addition to the security criteria for cloud services described in C5, the BSI intends to publish general sovereignty criteria for cloud computing solutions shortly, according to the Federal IT Security Authority.
(mma)