Evaluated product acquisition
An evaluated product provides a level of assurance in its security functionality that an unevaluated product does not. To assist in providing this assurance, the Australian Signals Directorate (ASD) performs product evaluations through the following programs:
- ASD Cryptographic Evaluation program, for software and ICT equipment that contains cryptographic functionality.
- High Assurance evaluation program, for ICT equipment protecting highly classified information.
The Australian Cyber Security Centre (ACSC) also certifies product evaluations conducted by licensed commercial facilities, in accordance with the Common Criteria, as part of the Australasian Information Security Evaluation Program (AISEP). All Common Criteria certified products are listed on the Common Criteria website.
A protection profile is a technology-specific document that defines the security functions that must be included in a Common Criteria certified product to mitigate specific cyber threats. Protection profiles can be published by a recognised Common Criteria Recognition Arrangement (CCRA) scheme or by the CCRA body itself. Protection profiles published by the CCRA body are referred to as collaborative protection profiles.
The ACSC recognises Common Criteria evaluations against all protection profiles listed on the Common Criteria website. However, the AISEP only evaluates products against ACSC-endorsed protection profiles that are published on the ACSC’s website. Where a protection profile does not exist, an evaluation based on an Evaluation Assurance Level (EAL) may be accepted. Such evaluations are capped at EAL2+ as this represents the best balance between completion time and meaningful security assurance gains.
Organisations choosing to use Common Criteria certified products can determine their suitability by reviewing their evaluation documentation. This includes the protection profile, security target, certification report and consumer guide.
Products that are undergoing a Common Criteria evaluation will not have published evaluation documentation. However, documentation can be obtained from the ACSC if a product is being evaluated through the AISEP. For a product that is in evaluation through a foreign scheme, the product’s vendor can be contacted directly for further information.
Evaluated product selection
A Common Criteria evaluation is traditionally conducted at a specified EAL; however, evaluations against a protection profile exist outside of this scale. Notably, while products evaluated against a protection profile will fulfil the Common Criteria EAL requirements, the EAL number will not be published.
Security Control: 0280; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
If procuring an evaluated product, a product that has completed a protection profile evaluation is selected in preference to one that has completed an EAL-based evaluation.
Delivery of evaluated products
It is important that organisations ensure that products they purchase are the actual products that are delivered. In the case of evaluated products, if the product delivered differs from an evaluated version then the assurance gained from the evaluation may not necessarily apply.
Packaging and delivery practices can vary greatly from product to product. For most evaluated products, standard commercial packaging and delivery practices are likely to be sufficient. However, in some cases more secure packaging and delivery practices, including tamper-evident seals and secure transportation, may be required. In the case of the digital delivery of evaluated products, vendor-supplied checksums can often be used to ensure the integrity of software that was delivered.
Security Control: 0285; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation.
Security Control: 0286; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures.
Further information on the AISEP is available at https://www.cyber.gov.au/programs/australasian-information-security-evaluation-program-aisep.
The Common Criteria website is available at https://www.commoncriteriaportal.org/.