RFC-2350

The following profile of CERT-Bund has been composed according to RFC-2350.

1. Document Information

1.1. Date of Last Update

This version was published on 2023-08-14.

1.2. Distribution List for Notifications

None.

1.3. Locations where this Document may Be Found

The current version of this document can be found at:
https://www.bsi.bund.de/dok/6616602

1.4 Document Authenticity

This document can be retrieved from our webserver using TLS/SSL.

2 Contact Information

2.1 Name

CERT-Bund

2.2 Mailing Address

Bundesamt fuer Sicherheit in der Informationstechnik
Referat OC 21 - CERT-Bund
P.O. Box 20 03 63
53133 Bonn
GERMANY

2.3 Time zone

CET/CEST, Central European Time/Central European Summer Time, UTC+0100/UTC+0200

2.4 Telephone number

+49 228 99 9582-5110

2.5 Facsimile number

+49 228 99 9582-7025

2.6 Other telecommunication

None.

2.7 Electronic mail address

certbund@bsi.bund.de

2.8 Public keys and encryption

CERT-Bund's current PGP and S/MIME keys are available under
https://www.bsi.bund.de/dok/6616630

2.9 Team members

No information is provided in public.

2.10 Operating Hours

Monday to Friday 8-16h
A 24/7 Emergency Hotline is available for CERT-Bund's constituency and trusted partners.

2.11 Other Information

see: https://www.bsi.bund.de/dok/6616602

CERT-Bund is a member of
* FIRST (Forum for Incident Response and Security Teams), see http://www.first.org/members/teams/cert-bund/
* TF-CSIRT, see: http://www.trusted-introducer.org/directory/teams/cert-bund.html
* the EU CSIRTs Network, see: https://csirtsnetwork.eu/
* CERT-Verbund, see: http://www.cert-verbund.de/
* EGC-Group (European Government CERTs-Group), see: http://www.egc-group.org/ for further details

3 Charter

3.1 Mission Statement

CERT-Bund, being part of the Federal Office for Information Security as the national CERT, acts as the central point of contact regarding IT-security incidents concerning the German government.
In addition, it provides services to critical infrastructure, industry and SME as well as citizens. Germany's national IT Situation Centre and the national Cyber Response Centre are supported by CERT-Bund.

3.2 Constituency

CERT-Bund's services are primarily available to the German federal authorities and it has the authority to support critical infrastructures in case of IT-security incidents.

CERT-Bund is responsible for the following autonomous systems: AS49234

3.3 Sponsoring Organization / Affiliation

Bundesamt fuer Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI)

3.4 Authority

Bundesministerium des Innern und fuer Heimat (Federal Ministry of the Interior, BMI)

4 Policies

4.1 Types of Incidents and Level of Support

CERT-Bund is the central point of contact regarding security-related computer incidents in Germany. CERT-Bund's services include reactive and proactive services:
* 24-hour on-call duty (national IT Situation Centre)
* alerts and warnings
* incident analysis and forensics
* incident response (also on-site)
* incident response support
* industrial control system (ICS) security
* malware analysis
* threat intelligence analysis and sharing
* vulnerability analysis
* vulnerability response
* vulnerability response coordination

In addition to the capabilities available, CERT-Bund liaises with a matrix of other capabilities and knowledge provided by the Federal Office for Information Security. Also, CERT-Bund assists in creating situational reports and supports the BSI in education/training for the government information security officers.

4.2 Co-operation, Interaction and Disclosure of Information

Generally, incident-related information such as names and technical details is not published without agreement of the named parties. CERT-Bund strongly supports responsible disclosure principles and therefore cooperates with vendors in order to handle relevant security issues within their products.
Therefore CERT-Bund's objective is to mitigate the risk by facilitating the communication between the discovering and the affected parties. CERT-Bund will never pass information to third parties unless CERT-Bund is required to by law.

If the affected parties accept it or it is authorized by law, CERT-Bund prefers to share Tactics, Techniques and Procedures (TTPs) for the purpose of prevention and reaction to specific incidents. Therefore such information might be passed to entities such as:
* BSI's own technical experts and the national IT Situation Centre.
* Affected parties in our constituency.
* Affected ISPs/hosting providers in Germany.
* German law enforcement agencies (if required by law or on request by information source).
* CERT/CSIRT cooperation groups as named in 2.11

All information is passed depending on its classification and the need-to-know principle. Only the specifically relevant and anonymised extracts are passed on.

4.3 Communication and Authentication

The preferred method of communication is e-mail. CERT-Bund respects the Traffic Light Protocol (TLP) as defined by the FIRST Standards Definitions, see: https://www.first.org/tlp/.

For the exchange of sensitive information and authenticated communication CERT-Bund uses its PGP and S/MIME key for encrypting and/or signing messages. All sensitive communication to CERT-Bund should be encrypted with our public PGP or S/MIME key.

5 Services

5.1 Incident Response

CERT-Bund's incident response services are available on a 24/7 basis to our constituency. All ICT related incidents are evaluated. In-depth analysis is provided by technical experts.

5.1.1 Incident Triage

* Interpretation of incoming incident reports, prioritizing them, and relating them to ongoing incidents and trends.
* Help in determining whether an incident has really occurred, its severity and its scope.

5.1.2 Incident Coordination

* Categorization of the incident related information (logfiles, contact information, etc.)
  with respect to the information disclosure policy.
* Notification of other involved parties on a need-to-know basis, as per the information disclosure policy.

5.1.3 Incident Resolution

* This may include analysis of compromised systems.
* Elimination of the cause of a security incident (the vulnerability exploited), and its effects (for example, continuing access to the system by an intruder).

5.2. Proactive Activities

* Warning and Information Services available under https://www.cert-bund.de (advisory portal).
* Reports for network operators, internet service or hosting providers concerning incidents or vulnerable configurations in their networks (https://reports.cert-bund.de).
* Alliance for Cyber-Security for critical infrastructures, big enterprises & SME available under https://www.allianz-fuer-cybersicherheit.de (technical warnings, situation reports, analysis, reporting office for security incidents).
* Education and training (security officers of public sector and federal state CSIRTs).

Different sections of BSI offer additional services such as product certification, security auditing, consulting etc. More information on BSI's services is available under https://www.bsi.bund.de/EN.

6 Incident Reporting Forms

The reporting of security incidents from within the government and critical infrastructures is based on distinct reporting forms.

Incident reporting by SMEs may also happen via a reporting form (German).
see: https://mip2.bsi.bund.de/

Vulnerability reporting may happen via a reporting form (German).
see: https://www.bsi.bund.de/DE/IT-Sicherheitsvorfall/IT-Schwachstellen/Online_Meldung_Schwachstellen/schwachstellenmeldung_node.html

7 Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT-Bund assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.