Sorry, you need to enable JavaScript to visit this website.
Skip to main content

Australasian Information Security Evaluation Program

The Australasian Information Security Evaluation Program (AISEP) evaluates products in order to protect systems and information against cyber threats. These evaluation activities are certified by the Australasian Certification Authority (ACA).

For a list of products certified via the AISEP, see the Certified Products List (CPL) on the Common Criteria website.

The Common Criteria

Information on what the Common Criteria is, and its guiding documentation, can be obtained from the Common Criteria website.

Australasian Information Security Evaluation Facilities

An Australasian Information Security Evaluation Facility (AISEF) is a commercial facility licenced by ASD, and accredited by theĀ National Association of Testing Authorities, Australia (NATA), to conduct evaluations under the AISEP.

DXC Australia

Attention: Andrew McLarty
26 Talavera Road
Macquarie Park, NSW 2113
Phone: +61 417 514 282
Email: amclarty@dxc.com
Web: https://www.dxc.technology/security

Teron Labs

Attention: Juan Gonzalez
Level 7, 221 London Circuit
Canberra ACT 2600
Phone: : +61 2 6172 1261
Email: juan@teronlabs.com
Web: https://www.teronlabs.com

International partners

The Common Criteria Recognition Arrangement (CCRA) was established in 1998 in order for certification authorities to mutually recognise each other's certified products. Initially the CCRA was comprised of certification authorities from Canada, France, Germany, the United Kingdom and the United States. Australia and New Zealand joined the CCRA in 1999. A list of current participants can be found on the Common Criteria website.

Consumers can be confident that each participant of the CCRA ensures that evaluations are performed to a high and consistent standard. This eliminates the need for duplicating product evaluations within different countries.

Protection Profiles

A Protection Profile (PP) is a document that stipulates the security functionality that must be included in a product. Organisations can have confidence that evaluations against PPs will cover the expected security functionality of a given product type and address known cyber threats.

In the past, evaluations were conducted at a specified Evaluation Assurance Level (EAL); however, PPs do not incorporate this scale. During the transition from EALs to PPs, a cap of EALĀ 2 will apply to all EAL-based evaluations where a suitable PP does not exist yet. EAL-based evaluations will not considered where a suitable PP already exists.

The ACA endorses all collaborative Protection Profiles that are listed on the Common Criteria website. In addition, the below table includes PPs that are also endorsed by the ACA.

Technology Protection Profile Version Published
Network and Network-Related Devices and Systems Extended Package VPN Gateway (GW EP) V2.1 2017-06-15
Network and Network-Related Devices and Systems Extended Package Intrusion Prevention Systems (IPS EP) V2.11 2017-03-08

Other PPs from the National Information Assurance Partnership may be considered on a case-by-case basis.

A Joint Statement of Support on the use of PPs by the Australian, Canadian, United Kingdom and United States schemes is available for consideration.

Purchasing evaluated products

Organisation looking to purchase products should make a decision as to whether they require independent assurance of a product's security features. If so, purchasers should examine the information available on the CPL (such as the Security Target and Certification Report) for any product that they intend to purchase. On request, the ACA may be able to provide draft versions of the Security Target to potential Australian or New Zealand purchasers while the product is still in evaluation.

Of note, products where the vendor has an ongoing assurance continuity program involving discussion of changes with their certification authority (and conducting re-evaluation activities where necessary), or an evaluated flaw remediation process, will provide a much greater level of continuing assurance than those products that don't.

Products in evaluation

The following products are currently in evaluation within the AISEP.

Vendor Product Assurance Level
Juniper Networks Inc Junos OS 19.2R1 for SRX1500, SRX4100, SRX4200 and SRX4600 Series Junos OS 19.2R1 NDcPPv2.1, FWcPP v2.0+Errata20180314, IPS EPv2.11 and VPN EPv2.1
Juniper Networks Inc Junos OS 19.2R1 for SRX300, SRX320, SRX340, SRX345, SRX345-DUAL-AC, SRX550M, SRX5400, SRX5600 and SRX5800 Series Junos OS 19.2R1 NDcPPv2.1, FWcPP v2.0+Errata20180314, IPS EPv2.11 and VPN EPv2.1
Juniper Networks Inc Junos OS 19.2R1 running on MX204 and EX9251 platforms Junos OS 19.2R1 NDcPP v2.1
Senetas Security Ltd Senetas CN Series Application Software 5.0.1 EAL2 + ALC_FLR.2

Requesting a product evaluation

Organisations can request we evaluate a product via one of our evaluation programs. To request an evaluation, fill out the below form and email it to us at asd.assist@defence.gov.au.

We will work with you and the product vendor to understand the evaluation aims, expectations and timeframes.

Date
September 7th, 2019