BSI TR-03187 Conformance Statement for Version 1
CIVITAS/CORE aims to conform to Level 1 of BSI TR-03187, a German security recommendation for Urban Data Platforms. In the context of BSI TR-03187, CIVITAS/CORE implements requirements that pertain to "Entwickler" (Software Developers) and "Lösungsanbieter" (Integrators). Requirements that pertain to "Betreiber" (Operators) are out of scope.
The following sections detail how the pertinent requirements of BSI TR-03187 are fulfilled in CIVITAS/CORE.
Scope note on third-party components: The conformance assessment currently covers only components developed by the CIVITAS/CORE project. Verification of third-party components (e.g. upstream container images, external libraries) is out of scope for the time being.
Release covered: This statement reflects the state of CIVITAS/CORE at the v1.7 release.
| Requirement | V1 Status | V1 Comment |
|---|---|---|
| AR-1 Least privilege (Geringstmögliche Privilegien) | Done | Roles must be assigned manually; new users have read-only access to open data only. |
| AR-2 Avoid legacy client technologies (Legacy-Clienttechnologien vermeiden) | Done | Legacy technologies are not used. |
| AR-3 Remove unused dependencies (Nicht verwendete Abhängigkeiten entfernen) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| AR-4 Version pinning | Done | Complete version pinning in CIVITAS/CORE. |
| AR-5 Random and unique session IDs (Sitzungs-IDs zufällig und eindeutig) | Done | All deployed tools use appropriate UUID generation methods. |
| AR-6 Session expiry after inactivity (Sitzungsablauf nach Inaktivität) | Done | |
| AR-7 Role-based user management (Rollenbasierte Benutzerverwaltung) | Done | |
| AR-8 Replay protection (Replay-Schutz) | Done | |
| AR-9 Secrets must be changeable (Geheimnisse müssen änderbar sein) | Done | |
| AR-10 User secrets must not be used to ensure confidentiality (Geheimnisse von Benutzern dürfen nicht zur Sicherstellung von Vertraulichkeit verwendet werden) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| AR-11 Cryptographic methods should conform to TR-2101-1 (Kryptografische Verfahren sollen TR-2101-1 entsprechen) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| AR-12 Standard frameworks for security-critical functions (Standardframeworks für sicherheitskritische Funktionen) | Done | Only standard functions of established, finished components are used. |
| AR-13 Validate the entire certificate chain (Ganze Zertifikatkette validieren) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| AR-14 Enable all intended security mechanisms by default (Alle vorgesehenen Sicherheitsmechanismen defaultmäßig anschalten) | Done | |
| AR-15 Encrypted communication (Verschlüsselte Kommunikation) | Partially met | Some components communicate unencrypted within the installation. |
| AR-16 Isolation of different trust zones (Abschirmung unterschiedlicher Vertrauenszonen) | Done | Individually configurable. |
| AR-17 Integrity-protected channel for deployment (Integritätsgeschützter Kanal für Deployment) | Done | Automated deployment via pipelines, including a private registry, is supported; the image integrity check must be performed by the provider. |
| CT-1 Container hardening (Container-Hardening) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| CT-2 Tool-supported scanning for container vulnerabilities (Werkzeuggestützte Prüfung auf Container-Sicherheitslücken) | Done | Trivy scans container images in CI; the results feed the GitLab Security Dashboard. |
| CT-3 Base images from trusted sources (Basisimages aus vertrauenswürdigen Quellen) | Done | |
| CT-4 Minimal base images (Minimalistische Basisimages) | Done | |
| CT-5 Provide secrets dynamically at runtime (Geheimnisse zur Laufzeit dynamisch bereitstellen) | Done | |
| CT-6 Hardened cluster nodes (Gehärtete Clusterknoten) | Not Applicable | CIVITAS/CORE assumes it runs on an existing Kubernetes cluster. Cluster node hardening is operator responsibility. |
| CT-8 Least privilege for container images (Geringstmögliche Privilegien für Container-Images) | Done | Pod Security Standards implemented in CIVITAS/CORE v1.3. |
| CT-9 Transport encryption and integrity between pods (Transportverschlüsselung & Integrität zwischen Pods) | Not Applicable | End-to-end support requires a service mesh, which must be provided by the provider. |
| MS-3 Avoid static credentials for managed-service access (Vermeidung fester Credentials für Managed-Service-Zugriffe) | Not Applicable | Any managed-service access is outside the scope of CIVITAS/CORE's design. |
| AUT-1 Uniform trust levels in authentication (Einheitliche Vertrauensniveaus in der Authentifizierung) | Done | All user interfaces are treated uniformly. NOTE: Admins with direct cluster access can always bypass application-level authentication. |
| AUT-2 Multi-factor authentication (Multi-Faktor-Authentisierung) | Done | Uniformly available via Keycloak or an upstream identity provider. |
| AUT-3 Dedicated service accounts (Dedizierte Serviceaccounts) | Done | |
| AUT-4 Cryptographically secured access to infrastructure (Kryptografisch abgesicherter Zugriff auf Infrastruktur) | Done | Infrastructure access is operator responsibility. CIVITAS/CORE provides Keycloak with WebAuthn support (ES256/RS256); operators can enable cryptographically secured access for administration. |
| AUT-5 Define an access control model (Zugriffskontrollmodell definieren) | Done | |
| AUT-6 Invalidate session IDs (Sitzungs-IDs invalidieren) | Done | |
| AUT-7 Password policies (Passwortrichtlinien) | Done | |
| W-1 Deny all by default (Deny All als Default) | Done | |
| W-2 Define an access control model (Zugriffskontrollmodell definieren) | Done | |
| W-3 Uniform access control mechanism (Einheitlicher Zugriffskontrollmechanismus) | Done | Upstream OIDC; central API management at all interfaces. |
| W-4 Restrictive CORS policy (Restriktive CORS-Policy) | Done | |
| W-5 Disable web server directory listing (Web-Server-Verzeichnisauflistung deaktivieren) | Done | |
| W-6 Avoid unneeded file metadata and backup copies (Nicht benötigte Datei-Metadaten und Sicherungskopien vermeiden) | Done | |
| W-7 Invalidate session IDs after logout (Sitzungs-IDs nach Logout invalidieren) | Done | |
| W-8 Short-lived JWTs (Kurzlebige JWTs) | Done | |
| W-9 Secure database access via ORM/prepared statements (Sichere DB-Zugriffe (ORM/Prepared)) | Done | |
| W-10 Deserialize user-supplied objects defensively (Vom Benutzer übergebene Objekte defensiv deserialisieren) | Done | Assumption: standard software is compliant; complete verification is not feasible. |
| W-11 Client-side input validation (Clientseitige Eingabevalidierung) | Done | Assumption: standard software is compliant; complete verification is not feasible. |
| W-12 Server-side input validation (Serverseitige Eingabevalidierung) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| W-13 Limit the number of results of database queries (Limitierung Anzahl Ergebnisse Datenbankabfragen) | Done | |
| W-14 Change default credentials (Standardzugangsdaten ändern) | Done | |
| W-15 Whitelisting for input data (Whitelisting für Eingabedaten) | Done | |
| W-16 Whitelisting for URLs in input data (Whitelisting für URLs in Eingabedaten) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| W-17 Whitelisting for Allow-Origin (Whitelisting für Allow-Origin) | Not Applicable | Should be done at the ingress (operator responsibility). Recommended CORS settings: restrict Allow-Origin to specific domains, set Allow-Methods and Allow-Headers explicitly, and enable Allow-Credentials only when required. |
| W-18 Avoid detailed error messages on production systems (Detaillierte Fehlermeldungen in Produktivsystemen vermeiden) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| W-19 Minimal disclosure of component information (Minimale Auskunft über Komponenten) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| W-21 No sensitive data in URLs (Keine sensiblen Daten in URLs) | Done | |
| W-22 Disable client-side caching and autocomplete (Clientseitiges Caching und Autocomplete abschalten) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| W-23 Enable HSTS (HSTS aktivieren) | Not Applicable | Must be set at the egress (operator responsibility). |
| IoT-1 Deny access to all IoT resources by default (Zugang zu allen IoT-Ressourcen standardmäßig verweigern) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-2 Uniform access control mechanism (Einheitlicher Zugriffskontrollmechanismus) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-3 Authentication and authorization for IoT devices (Authentifizierung und Autorisierung für IoT-Geräte) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-4 Change default credentials (Standardzugangsdaten ändern) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-5 Device onboarding | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-6 Random generation of network keys (Generierung von Netzschlüsseln nach Zufallsprinzip) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-7 Network key renewal (Erneuerung Netzschlüssel) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-8 Replay protection (Replay-Schutz) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| IoT-9 Unique identification of IoT devices (Eindeutige Identifikation von IoT-Geräten) | Not Applicable | No direct traffic from IoT devices to CIVITAS/CORE. |
| VPN-1 VPN encryption methods according to TR-02101-1 (VPN-Verschlüsselungsverfahren gemäß TR-02101-1) | Not Applicable | VPN is handled by the operator at the infrastructure level. To be documented in a suitable "Product Scope" type document. |
| VPN-2 Secure VPN gateway configuration (Sichere Konfiguration VPN-Gateway) | Not Applicable | VPN is handled by the operator at the infrastructure level. To be documented in a suitable "Product Scope" type document. |
| L-1 Logging of security events (Logging von Sicherheitsereignissen) | Done | To be maintained for future in-house developments. |
| L-2 Logging of failed authentication attempts and all authorization events (Logging von fehlgeschlagenen Authentisierungsvorgängen und allen Autorisierungsvorgängen) | Done | |
| L-3 Protection of logs against unauthorized access (Schutz von Logs vor unbefugtem Zugriff) | Done | |
| L-4 Do not log sensitive information (Sensible Informationen nicht loggen) | Partially met | Fulfilled for in-house developments; verified on a best-effort basis for standard software components. |
| DH-1 Encryption at rest (Verschlüsselung At-Rest) | Not Applicable | Operator responsibility. CIVITAS/CORE assumes encryption is handled transparently at the volume level. |
| DH-2 Protection of secret keys (Schutz geheimer Schlüssel) | Done | |
| DH-4 Establish data governance requirements (Data-Governance-Vorgaben etablieren) | Done | |
| ORG-7 Tests only on dedicated environments (Tests nur auf dedizierter Umgebung) | Not Applicable | Civitas Connect does not provide a production environment. All tests run on dedicated environments with synthetic data. The synthetic-data requirement is part of the Security Architecture Principles. |
| ORG-8 Penetration tests (Penetrationstests) | Not Applicable | Must be planned by providers. |