AISEP FAQs
This page lists frequently asked questions and provides supporting information on the Australasian Information Security Evaluation Program (AISEP).
Contents
The AISEP
What is the AISEP?
Who owns the AISEP?
What is the AISEP mission statement?
Why do we have the AISEP?
Are there policies explaining the AISEP framework for CC evaluations?
How can I contact the AISEP?
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
Which nations participate in the CCRA?
What is the Information Technology Security Evaluation Criteria (ITSEC)?
The ISM and NZSIT 400: Australia and New Zealand ICT Security Policies
What is the ISM and how is it related to the EPL?
What is NZSIT 400 and how is it related to the EPL?
The Evaluated Products List (EPL)
What is the Evaluated Product List (EPL) and where can I find it?
Why doesn’t the EPL publish all mutually recognised CC evaluations?
What is the Historical EPL and where can I find it?
What is an Evaluation Assurance Level (EAL)?
How can I get my ICT product AISEP certified and listed on the EPL?
Is product X being evaluated for the EPL?
DSD Evaluations
What types of evaluations does DSD perform?
What is the difference between an AISEP evaluation and an AISEP certification?
What is a DSD Cryptographic Evaluation (DCE)?
What is a DSD High Grade and High Assurance Evaluation?
AISEP Functions
ACA: Who is the Australasian Certification Authority and what do they do?
AISEF: What is an Australasian Information Security Evaluation Facility?
ESC: What is an Evaluation Support Consultant?
AAP: What is an AISEP Acceptance Package?
TOE: What is a Target of Evaluation?
AAC: What is AISEP Assurance Continuity?
More Information
This is fantastic! Where can I read more about the AISEP?
List of Acronyms
The AISEP
What is the Australasian Information Security Evaluation Program (AISEP)?
The Australasian Information Security Evaluation Program (AISEP)
is the name of Australia and New Zealand's combined Common
Criteria (CC) evaluation scheme. The Australasian Certification
Authority (ACA) is the certification body that administers and
manages the AISEP policy and Common Criteria evaluations
performed in Australia.
Who owns the AISEP?
Australia’s Defence Signals Directorate
(DSD) and New Zealand’s Government Communications Security
Bureau (GCSB) are dual signatories to the AISEP as a Common Criteria
(CC) certificate producing scheme. The CC certifying body for Australia
and New Zealand is the Australasian Certification Authority (ACA)
within DSD, which also represents the Information Assurance (IA)
division within GCSB.
What is the AISEP mission statement?
The Australasian Information Security Evaluation Program (AISEP)
exists to ensure the ready availability of a comprehensive list
of independently assured Information Communications Technology
(IT) security products that meet the needs of Australian and
New Zealand government agencies in securing their official resources
in accordance with the Information Security Manual (ISM).
Why do we have the AISEP?
Australian and New Zealand government agencies, as consumers, have
a reasonable expectation that information contained in Information
and Communications Technology (ICT) security products and systems
is secure.
When an independent evaluation is performed on the security functionality
of an ICT security product, consumers have greater confidence in
using the product. AISEP certified products aim to meet Australian
and New Zealand government business and security needs.
Are there policies explaining the AISEP framework for CC evaluations?
The Australasian Certification Authority (ACA)
administers the regulations for conducting Common Criteria (CC)
evaluations through the following AISEP Publications (AP):
AP 1: Program Policy;
AP 2: Certifier Guidance;
AP 3: Evaluator Guidance;
AP 4: Sponsor and Consumer Guidance.
AP 1 and AP 4 are relevant to the Sponsor and Consumer of AISEP
evaluations and certification. These policies can be downloaded
from http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html
How can I contact the AISEP?
If this FAQ page does not answer your question or you would like
to make a further enquiry, please email assist@dsd.gov.au and
a member of the Australasian Certification Authority (ACA)
at DSD will assist you.
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
The Common Criteria for Information Technology Security Evaluation
is referred to as the CC. The CC is a standard for evaluating
ICT security products against two types of requirements:
- Security functional requirements; and
- Security assurance requirements.
A CC evaluated ICT security product is certified to
meet a list of vendor claimed security functions and satisfies
a level of assurance.
The CC also has an International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) equivalent standard,
ISO/IEC 15408.
The CC has three parts and the CC Evaluation Methodology (CEM):
- Part 1: Introduction and general model;
- Part 2: Security functional components;
- Part 3: Security assurance components.
These documents are used by the certifying body of a CC scheme and the evaluation facilities.
What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
The CCRA is an international agreement between CC certificate producing
and consuming nations to recognise CC certifications for Evaluation
Assurance Levels (EAL) 1 through 4. Through the AISEP scheme, Australia
and New Zealand are joint members of the CCRA as certificate
producing nations. Certificate consuming nations do not administer
a CC scheme but recognise the CC certificates issued by certificate
producing nations. Participants of the CCRA benefit from shared
certification results without the need to duplicate an evaluation.
Information about the CCRA may be found on the CC portal at http://www.commoncriteriaportal.org/theccra.html.
Which nations participate in the CCRA?
The CCRA membership includes CC certificate producing and certificate
consuming nations. All CCRA participants are listed on the CC portal
with the name and contact details of each CC scheme, which may be
found at http://www.commoncriteriaportal.org/members.html.
What is the Information Technology Security Evaluation Criteria (ITSEC)?
The ITSEC is a standard for IT security evaluation criteria agreed
between the United Kingdom (UK), Germany, France and the Netherlands.
ITSEC is a separate evaluation standard to the CC.
ITSEC is managed by the Communications-Electronics Security Group
(CESG) within the Government Communications Headquarters (GCHQ).
Australia and New Zealand have a Memorandum of Understanding
(MoU) through bilateral agreement with the UK to mutually recognise
ITSEC evaluation and certification E1 through E6. In Australia,
ITSEC was the predecessor evaluation program to CC and the AISEP
focuses largely on CC as its primary evaluation program.
Information about ITSEC may be found at http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/index.shtml
The ISM and NZSIT 400: Australia and New Zealand ICT Security Policies
What is the ISM and how is it related to the EPL?
The Information Security Manual (ISM) was
previously called the Australian Government Information and Communications
Technology Security Manual or ACSI 33. The ISM provides
policies and guidance on security controls to Australian government
agencies on how to protect their ICT systems. The ISM can be
found at http://www.dsd.gov.au/library/infosec/ism.html. The
Product Selection chapter in the ISM provides guidance on selecting
ICT security products on the EPL.
What is NZSIT 400 and how is it related to the EPL?
The New Zealand Government Information Technology Security Manual
(NZSIT 400) provides policy and guidance for New Zealand government
agencies. The NZSIT 400 series can be found at http://www.gcsb.govt.nz/newsroom/nzsits.html.
The Evaluated Products List (EPL)
What is the EPL and where can I find it?
The EPL serves two purposes:
- It fulfils the AISEP's requirement of the CCRA to publish a list of AISEP certified products; and
- It provides a comprehensive list of DSD evaluated ICT security products that meet the needs of Australian and New Zealand government agencies in securing official resources in accordance with the Information Security Manual (ISM).
The EPL fulfils the stated purposes through publication of the following:
- A completed or progressing AISEP evaluation;
- Previously completed ITSEC evaluations;
- A CC evaluation up to EAL 4, that is progressing through or has completed a DSD Cryptographic Evaluation (DCE);
- A completed DSD High-Grade or High Assurance evaluation;
- A completed discrete DSD recognised evaluation;
- A link to the CC Portal's certified product list, which includes CCRA mutually recognised evaluated products EAL 1 through 4;
- A link to the Historical EPL for ICT products retired from the EPL.
The EPL can be found on the DSD website at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html.
The CC Portal's certified product list can be found on the CC portal at http://www.commoncriteriaportal.org/products.html.
Why doesn’t the EPL publish all mutually recognised CC evaluations?
Common Criteria Recognition Arrangement (CCRA)
participating nations do not duplicate the publication of mutually
recognised certified products on each of their certified products
lists (for the AISEP, this is the EPL). In accordance with the
CCRA, certificates published on the CC portal that are EAL 1
through 4 are instantly mutually recognised by Australia and New
Zealand and therefore, the Evaluated Products List (EPL)
is not required to repeat published evaluations and certifications.
The EPL can be found on the DSD website at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html.
What is the Historical EPL and where can I find it?
The Historical EPL contains certified products that were previously
listed on the EPL on the DSD website. These products were removed
from the EPL for one or more of the following reasons:
- The evaluated product and/or version is no longer available in the original evaluated form;
- The evaluated product is no longer sold and/or supported by the Developer, Manufacturer or Vendor;
- The environment that the evaluated product was designed to operate in has had major changes;
- The evaluated product is no longer able to support Australian government ICT security policy requirements as per the guidance in the Information Security Manual (ISM).
The Historical EPL can be found at http://www.dsd.gov.au/infosec/evaluation_services/epl/historical.html.
What is an Evaluation Assurance Level (EAL)?
An Evaluation Assurance Level (EAL) is a number
from 1 to 7 assigned to a Common Criteria (CC)
evaluation and certificate. Higher EAL numbers represent greater
assurance in the evaluation through more vigorous testing and vulnerability
assessment of the product's Target of Evaluation. Higher EALs
also provide greater assurance in the assessment of the development
environment and security development processes of the product developer.
How can I get my ICT product AISEP certified and listed on the EPL?
If you are an Australian or New Zealand government agency that
wishes to use a security product that is not on the EPL, you
may sponsor that product into evaluation at DSD. All DSD evaluations must have an Australian or New Zealand
government sponsor using this sponsorship letter template (PDF
60Kb). Information about the sponsorship letter is found on the
following page sponsorship_for_evaluation.
If you are an industry consultant or a product developer and would like your product AISEP evaluated and certified you can use the following checklist:
STEP 1. Conduct background research on Australian government agencies' security needs through the Information Security Manual (ISM) found at http://www.dsd.gov.au/library/infosec/ism.html. Refer to NZSIT 400 for New Zealand government requirements at http://www.gcsb.govt.nz/newsroom/nzsits.html. Refer to the AISEP Publications (AP) found at http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.htm to understand the management and operations of the AISEP.
STEP 2. Contact Australian and/or New Zealand government agencies to gauge their interest in using and sponsoring your product into the AISEP. If your product does not present a benefit to Australian and New Zealand government agency use, then it will not be considered for AISEP evaluation. All DSD evaluations must have an Australian or New Zealand government sponsor using this sponsorship letter template (PDF 60Kb). Information about the sponsorship letter is found on the following page sponsorship_for_evaluation.
STEP 3. Arrange for an Australian or New Zealand sponsoring government agency to submit the sponsorship letter to DSD and email DSD on assist@dsd.gov.au to advise of your involvement in the evaluation request, indicating if you are the product developer or a support consultant acting on behalf of a product developer.
Note that AISEP evaluation entry requirements differ to DSD Cryptographic Evaluation (DCE) and High Assurance Evaluation. The sponsorship letter provides detail on this.
STEP 4. If you are a product developer, contact as many Evaluation Support Consultants (ESCs) and Australasian Information Security Evaluation Facilities (AISEFs) as you wish to discuss the costs, time frames and advice on potential AISEP evaluation.
STEP 5. When you are prepared to accept the responsibilities, costs and time commitment of an AISEP evaluation, engage an ESC and AISEF to prepare the Acceptance Package (AAP) deliverables for Australasian Certification Authority (ACA) submission.
STEP 6. DSD, through the ACA, will send the AISEF and sponsoring government agency a letter to show formal acceptance of the product into AISEP evaluation and the EPL will be updated to show the product as in evaluation in table 2.
Is product X being evaluated for the EPL?
If a product has entered into evaluation under AISEP then it will be listed on the EPL with the current status of the evaluation and an expected completion date. If a product you are seeking does not appear on the EPL, then you should check if it is published on the Common Criteria Portal's certified product list found at http://www.commoncriteriaportal.org/products.html. To check if the product you are seeking is being evaluated in another Common Criteria scheme overseas, you should contact the manufacturer or the Australian reseller of the product to ascertain if this is the case.
DSD Evaluations
What types of evaluations does DSD perform?
DSD performs the following types of evaluations and publishes the
results on the EPL:
- AISEP evaluations and certificates;
- DSD Cryptographic Evaluations (DCE);
- High grade cryptographic evaluation;
- High assurance evaluation;
- Other DSD discrete evaluations.
What is the difference between an AISEP evaluation and an AISEP certification?
AISEP evaluations are conducted by an AISEF. AISEP certification
is performed by the ACA. An AISEP evaluation applies the CC Evaluation
Methodology (CEM) against CC assurance requirements. The evaluation
aims to produce a standardised and repeatable result that facilitates
mutual recognition of certifications across CCRA participating
schemes. An AISEP certification represents the validation of the
evaluation activities and results to the certifying
body’s regulatory framework. The ACA’s regulatory framework
is defined in the AISEP Publications (AP) 1 to 4 found at http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html.
What is a DSD Cryptographic Evaluation (DCE)?
DSD performs cryptographic evaluations independently of the AISEP,
although a DCE may complement an AISEP evaluation. ICT products
that are progressing through or have completed a DCE are listed on the Evaluated
Products List (EPL). For more information see the Cryptographic Evaluations FAQ found at vendors_guide_to_cryptographic_evaluations. All DSD evaluations, including DCEs, must have an Australian or New Zealand
government sponsor using this sponsorship letter template (PDF
60Kb). Information about the sponsorship letter is found on the
following page sponsorship_for_evaluation.
What is a DSD High Grade or High Assurance evaluation?
A DSD High Grade evaluation is a form of DSD Cryptographic Evaluation
(DCE) that is performed independently of the AISEP. A High Assurance evaluation encompasses evaluation of security in a product excluding the cryptographic component, which is treated as High Grade cryptography. High Grade and High Assurance are usually performed together (where cryptography is included in the product). DSD determines
the method and strength of testing required for DSD High Grade and High Assurance evaluation.
ICT products that are progressing through or have completed a DSD High Grade evaluation
are listed on the Evaluated Products List (EPL). All DSD evaluations, including High Grade and High Assurance, must have an Australian or New Zealand
government sponsor using this sponsorship letter template (PDF
60Kb). Information about the sponsorship letter is found on the
following page sponsorship_for_evaluation.
AISEP Functions
ACA: Who is the Australasian Certification Authority and what do
they do?
The Australasian Certification Authority (ACA) is
the certifying body in Australia and New Zealand for CC evaluations.
The ACA resides within DSD and implements the AISEP scheme by setting
the standards and monitoring the quality of evaluations conducted
by the Australasian Information Security Evaluation Facilities (AISEFs).
AISEF: What is an Australasian Information Security Evaluation Facility?
An Australasian Information Security Evaluation Facility (AISEF)
is an ACA approved commercial facility that is licensed to perform
AISEP evaluations and has been accredited by the National Association
of Testing Authorities (NATA) to conduct CC evaluations. A list
of AISEFs and their contact details can be found at http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep_aisef.html
ESC: What is an Evaluation Support Consultant?
Evaluation Support Consultants (ESCs) provide consulting services to Developers and government agency Sponsors of AISEP evaluations.
ESCs should be qualified to write the Security Target (ST) and other required Common Criteria document deliverables in consultation
with the product Developer. A list of ESCs can be found at http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep_aisef.html
ESCs are not endorsed by the ACA, although it is recommended to
consult with an ESC who maintains regular and current experience with the AISEP.
AAP: What is an AISEP Acceptance Package?
The AISEP Acceptance Package (AAP) contains documents prepared
by the Developer and AISEF for submission to the ACA, including the Security Target (ST), the Protection Profile (PP) (if relevant) and proposed timelines for evaluation. The ST is
a major component of the AAP and specifies the security requirements of the Target of
Evaluation (TOE) to be evaluated against the CC security and assurance
requirements. A PP is an implementation-independent document of
security requirements for a category of TOEs that meet specific
consumer needs. Developers should consult with their ESC and AISEF to negotiate the time frame for producing an ST or PP and discuss
expectations and the scope of the TOE.
TOE: What is a Target of Evaluation (TOE)?
The Target of Evaluation (TOE) specifies the components of an ICT
product that are being evaluated. CC evaluations
require the TOE to be identified through security functions,
interfaces and policies. AISEP Publication (AP)
1 provides additional information about the TOE. ICT product
Developers may consult with an ESC or AISEF to gain a greater
understanding of TOE definition for product evaluation.
AAC: What is AISEP Assurance Continuity?
AISEP Assurance Continuity (AAC) is a process that allows an AISEP
certified or CCRA mutually recognised product to extend its assurance
when the product has undergone minor changes. The Developer is required
to submit a proposal to conduct an AAC maintenance task that contains
an Impact Analysis Report (IAR) and a covering letter providing
the Developer’s details. The ACA will review the IAR to determine
if the changes are minor or major. A minor result can be accepted
by the ACA as a maintenance update and a major result will warrant
a re-evaluation. Details of an AAC maintenance task can be found
in AP 1: Program Policy at http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html
More Information
This is fantastic! Where can I read more about the AISEP?
Full details on the AISEP are available on the DSD web site at
the following:
DSD: http://www.dsd.gov.au/index.html.
AISEP: http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep.html
AISEP and CC Publications:
http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html.
Was this FAQ page helpful? Please send us your feedback at assist@dsd.gov.au.
List of Acronyms
AAB | AISEP Advisory Board
AAC | AISEP Assurance Continuity
AAP | AISEP Acceptance Package
ACA | Australasian Certification Authority
ACC | AISEP Certificate Continuity
ACSI 33 | Australian Government Information and Communications Technology Security Manual
AISEF | Australasian Information Security Evaluation Facility
AISEP | Australasian Information Security Evaluation Program
AP 1-4 | AISEP Publications 1-4
CC | Common Criteria
CCRA | Common Criteria Recognition Arrangement
CEM | Common Criteria (CC) Evaluation Methodology
CR | Certification Report
DACA | DSD Approved Cryptographic Algorithm
DCE | DSD Cryptographic Evaluations
DSD | Defence Signals Directorate
EAL | Evaluation Assurance Level
EPL | Evaluated Products List
EPS/R | Evaluation Progress Statement/Report
ETR | Evaluation Technical Report
GCSB | Government Communications Security Bureau
IAR | Impact Analysis Report
ICT | Information and Communications Technology
IS | Information Security (a section within DSD)
ISO | International Organization for Standardization
ITSEC | Information Technology Security Evaluation Criteria
MoU | Memorandum of Understanding
MR | Mutual Recognition
NATA | National Association of Testing Authorities
PP | Protection Profile
ST | Security Target
TOE | Target of Evaluation
TRA or RTA | Threat and Risk Assessment
