The Evaluated Products List (EPL) is the definitive list of certified information and communications technology (ICT) products for use by Australian and New Zealand government agencies in the protection of government information, as required by the Information Security Manual (ISM).
As the authoritative source for guidance on ICT security matters for Australian government agencies, the ISM states the circumstances in which Australian government consumers should or must use products from the EPL, and also discusses product selection. New Zealand government consumers should consult the New Zealand Information Security Manual (NZISM).
What the EPL provides
The EPL has three components:
b. In evaluation: all Australasian Information Security Evaluation Program (AISEP) evaluations that are currently underway, along with associated cryptographic evaluation indicators. Evaluations completed with a CC certification through a recognised overseas scheme can be recommended for evaluation by an Australian or New Zealand government agency, with the agency requesting that ACSC write a consumer guide for the product and evaluate the product's cryptographic functions where applicable. We make no claims as to the likelihood of the product successfully completing an evaluation.
c. Archived: evaluated products that may no longer be available in the original evaluated form, that are no longer supportable, or whose intended operating environment has changed. If you are considering using a product on the archived EPL, contact us to verify whether the product will meet your security needs. Products that have been moved to the archived EPL will be listed for at least one year before being withdrawn from the list. These products might not be appropriate for Australian and New Zealand government use. ACSC and the Government Communications Security Bureau (GCSB) are able to help their respective government users with selecting appropriate products from the EPL.
Consumer guides are developed as part of the evaluation to help Australian and New Zealand government agencies choose appropriate products, and include:
the product's functions that have been evaluated
Australian Government Information Security Manual (ISM) policy relevant to the product
any findings from a cryptographic evaluation (where relevant)
any additional product settings that will enhance the security of the device.
The Common Criteria have seven assurance levels: from EAL1, the lowest, to EAL7, the highest. At present, only assurance levels up to EAL2 have been incorporated within the international Common Criteria Recognition Arrangement (CCRA). The CCRA is moving away from EAL-based evaluations in favour of Protection Profile evaluations.