What is VS-NfD?
The abbreviation stands for “Verschlusssache – Nur für den Dienstgebrauch” (confidential information – for official use only) and denotes the lowest of the four official levels of confidentiality in Germany. It is used when unauthorized access to information may not be life-threatening, but could nevertheless be harmful to federal interests.
Examples include the communication of internal technical documentation by a government agency or the disclosure of confidential contract details by a company in the context of a public contract – both typically fall under the VS-NfD category.
In addition to VS-NfD, there are three other levels of confidentiality: VS-Vertraulich, Geheim, and Streng geheim.
With each level, the requirements for organization, technology, and data handling increase. However, VS-NfD is by no means a “relaxed” classification.
VS-NfD entails clear security requirements, particularly with regard to email communication, because information such as details of internal processes at public authorities or the police could help attackers. However, because this information does not constitute state secrets (but “only” organizational details worthy of protection), it is not assigned a higher classification level.
| VS-NfD | VS-Vertraulich (Confidential) | Geheim (Classified) | Streng geheim (Top Secret) |
|---|---|---|---|
| For official use only | If disclosure could harm the interests of the Federal Republic of Germany | If disclosure could seriously jeopardize the security of the Federal Republic of Germany | If disclosure could jeopardize the existence or vital interests of the Federal Republic of Germany |
What are the VS-NfD requirements?
The requirements for email communication under VS-NfD can be summarized in three key points:
The confidentiality of communications should be ensured by strong encryption, typically using OpenPGP or S/MIME, implemented with algorithms such as AES-256 or RSA-4096.
The integrity and authenticity of messages should be secured by digital signatures so that the recipient can immediately recognize whether an email actually originates from the specified sender and is unaltered.
Malware detection is also a key issue. Encrypted emails must be decrypted and checked in a protected environment without compromising the security of the classified information.
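Whether a message is encrypted or only signed is visible from its outer MIME layer before any decryption happens. The following added example (not NoSpamProxy or BSI code) classifies that layer according to RFC 3156 (OpenPGP/MIME) and RFC 8551 (S/MIME); the function names, finding strings and sample messages are constructed for illustration.

```python
from email import message_from_string

SMIME_ENCRYPTED = {"enveloped-data", "authenveloped-data"}  # RFC 8551 smime-type values
SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def classify(raw):
    """Return (scheme, state) for the outermost MIME layer of a raw message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    smime_type = str(msg.get_param("smime-type") or "").lower()
    # OpenPGP/MIME encrypted container (RFC 3156)
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return ("openpgp", "encrypted")
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime_type in SMIME_ENCRYPTED:
            return ("smime", "encrypted")
        if smime_type == "signed-data":  # opaque-signed: content is still readable
            return ("smime", "signed-only")
    if ctype == "multipart/signed":
        if protocol == "application/pgp-signature":
            return ("openpgp", "signed-only")
        if protocol in SMIME_SIG:
            return ("smime", "signed-only")
    # Anything else, including pkcs7-mime without a usable smime-type, is
    # treated as unprotected so that it gets flagged rather than trusted.
    return ("none", "unprotected")

def policy_findings(raw):
    """List what still has to be flagged or done for this message."""
    _, state = classify(raw)
    if state == "encrypted":
        # Any signature and all attachments sit inside the ciphertext.
        return ["decrypt in protected environment, then verify signature and scan"]
    findings = ["not encrypted"]
    if state == "unprotected":
        findings.append("not signed")
    return findings

# Constructed sample messages (headers only, bodies are placeholders).
SAMPLES = {
    "pgp_encrypted": 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n--b--\n',
    "smime_encrypted": 'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n\nMIIB\n',
    "smime_signed": 'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b"\n\n--b--\n',
    "plain": "Content-Type: text/plain\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw), policy_findings(raw))
```

The check only reads headers, so it shows which protection a message claims; verifying the signature and scanning the content still require the decryption step described in the third point.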
Secure email gateways and VS-NfD
To ensure VS-NfD-compliant operation, a gateway must offer functions that go beyond pure transport encryption. The tool should support centralized encryption and signing, operate with as much automation as possible, and simplify certificate management.
Furthermore, on-premises operation is usually necessary to ensure full control over key material and sensitive data. Mechanisms for malware detection are also required for encrypted content.
It is important to mention that the BSI currently only considers and approves client-based encryption solutions for VS-NfD – gateways are deliberately excluded here. This is not because they are considered insecure, but because including them would make the corresponding profile considerably more complex.
For this reason, there will be a separate profile for gateway-based encryption in the future.
Which solutions does the BSI recommend?
In recent years, the German Federal Office for Information Security (BSI) has officially approved various solutions for VS-NfD. However, there are currently no secure email gateways on the list of approved products (see above). Nevertheless, many public institutions and authorities use NoSpamProxy because the solution meets many of the key requirements of VS-NfD:
NoSpamProxy is BSI-certified*
NoSpamProxy is the first and so far only email security product to be tested and certified by the BSI as part of its Accelerated Security Certification (BSZ) program. The test involved realistic attack scenarios, penetration tests, and evaluation of the central Protection and Encryption modules. No security vulnerabilities were found.
This certification is particularly useful for government agencies and security-oriented organizations, as it provides a reliable statement about the product’s resilience.
Conclusion
VS-NfD may be the lowest level of confidentiality, but the IT security requirements are high. For administrators, this means that encryption, signatures, malware protection, and secure configuration are mandatory when confidential data is transmitted via email.
*NoSpamProxy Server version 14.0.5.62 was used for certification, and the certificate was issued for this version.



