A Protection Profile is a document that stipulates the security functionality that must be included in a Common Criteria evaluation. Agencies can have confidence that the scope of an evaluation against an ACSC-approved Protection Profile covers the necessary security functionality expected of the evaluated product, and that known security threats will have been addressed. The evaluation scope also includes the effectiveness and integrity of cryptographic functions.
In the past, a Common Criteria evaluation was conducted at a specified Evaluation Assurance Level (EAL). However, Protection Profiles do not incorporate this scale. The Protection Profile describes the complete set of a product's security functionality, against which it is evaluated. Products evaluated against a Protection Profile will still appear on ACSC's Evaluated Products List (EPL), but with the relevant Protection Profile rather than an EAL.
Protection Profiles provide better assurance in the security of evaluated products. During the transition to Protection Profiles, a cap of EAL 2 now applies to all traditional EAL-based evaluations overseen by ACSC.