Skip to main content

High Assurance Evaluation Program

The High Assurance Evaluation program involves rigorous analysis and testing to search for any security vulnerabilities in products.

Requesting a High Assurance Evaluation

To request a High Assurance Evaluation, please complete the sponsorship letter. We will work with you and the vendor to understand the evaluation aims, expectations and timeframes.

Frequently asked questions

Why do you need source code to perform an evaluation?

We need to independently review the source code to be confident in the implementation and architecture of the product's security. Providing source code usually expedites the evaluation.

When can you begin an evaluation?

When we start the evaluation will depend on priorities, when information is provided by the vendor and the type of product itself.

We will advise vendors when we are starting the evaluation.

What is a Consumer Guide?

Consumer Guides are found on the Evaluated Products List. We publish a Consumer Guide for all products for which we have performed a cryptographic or high assurance evaluation.

Consumer Guides give a brief description of the product, detail the scope of the evaluation and include recommendations for secure product usage.

What information and support should vendors provide for an evaluation?

Vendors should provide a technical and/or engineering contact within the company (preferably located in Australia) to answer questions, detailed technical documentation and offline access to the full source code.

How long does an evaluation take?

The evaluation process generally takes several months. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security vulnerabilities, whether we continue the evaluation depends on the implementation of a suitable fix.

Do you charge for evaluations?

No. We do not charge fees for conducting an evaluation. However, the vendor is responsible for arranging delivery of information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we need to conduct the evaluation.

Do vendors need a non-disclosure agreement (NDA) in place when the evaluation starts?

No. However, if requested, we can negotiate a NDA with the vendor. This can be a lengthy process that will postpone the start of the evaluation. To reduce delays, we have a standard NDA template which is available upon request.

Date
October 17th, 2019