Why do you need source code to perform the evaluation?
We need to independently review the source code to be confident in the implementation and architecture of the product's security. Providing source code usually expedites the evaluation.
When can you begin the High Assurance evaluation?
We will advise vendors when we are starting the High Assurance evaluation.
We encourage vendors to be proactive in seeking advice and to cooperate by providing information to facilitate our evaluation process.
What is a consumer guide?
Consumer guides are found on the EPL. We publish a consumer guide for all products for which we have performed a cryptographic or high assurance evaluation.
Consumer guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure product usage.
What information and support should vendors provide for a High Assurance evaluation?
Vendors should provide:
- a technical and/or engineering contact within the company (preferably located in Australia) to answer questions
- detailed technical documentation for the product
- offline access to the full source code.
How long does a High Assurance evaluation take?
The High Assurance evaluation process generally takes several months.
The time taken also depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the evaluation depends on the implementation of a suitable fix.
Do you charge for High Assurance evaluations?
No. We do not charge evaluation fees for conducting a High Assurance evaluation or producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.
Do vendors need a non-disclosure agreement (NDA) in place when the High Assurance evaluation starts?
If requested, we can negotiate an NDA with the vendor. This can be a lengthy process that will postpone the start of the High Assurance evaluation.
To reduce delays, we have a standard NDA template, which is available upon request.