AISEP FAQs
This page lists frequently asked questions and provides supporting information on the Australasian Information Security Evaluation Program (AISEP).
Contents
The AISEP
What is the AISEP?
Who owns the AISEP?
What is the AISEP mission statement?
Why do we have the AISEP?
Are there policies explaining the AISEP framework for CC evaluations?
How can I contact the AISEP?
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
What is the Common Criteria Recognition Arrangement (CCRA) and
mutual recognition?
Which nations participate in the CCRA?
What is the Information Technology Security Evaluation Criteria
(ITSEC)?
ACSI 33 and NZSIT 400: Australia and New Zealand ICT Security
Policies
What is ACSI 33 and how is it related to the EPL?
What is NZSIT 400 and how is it related to the EPL?
The Evaluated Products List (EPL)
What is the Evaluated Product List (EPL) and where can I find it?
Why doesn’t the EPL publish all mutually
recognised CC evaluations?
What is the Historical Evaluated Products List and where can I
find it?
What is an Evaluation Assurance Level (EAL)?
How do I search for the right ICT product for my use?
How can I get my ICT product AISEP certified and listed on the
EPL?
DSD Evaluations
What types of evaluations does DSD perform?
What is the difference between an AISEP evaluation and an AISEP
certification?
What is a DSD Cryptographic Evaluation (DCE)?
What is a DSD High Grade Evaluation?
AISEP Functions
ACA: Who is the Australasian Certification Authority and what do
they do?
AISEF: What is an Australasian Information Security Evaluation
Facility?
ESC: What is an Evaluation Support Consultant?
AAP: What is an AISEP Acceptance Package?
TOE: What is a Target of Evaluation?
AAC: What is AISEP Assurance Continuity?
More Information
This is fantastic! Where can I read more about the AISEP?
List of Acronyms
The AISEP
What is the Australasian Information Security Evaluation Program
(AISEP)?
The Australasian Information Security Evaluation Program (AISEP)
is the name of the Common Criteria (CC) evaluation scheme implemented
by Australia and New Zealand. The AISEP is the administrative and
regulatory framework under which the CC is
applied by the Australasian Certification Authority (ACA) that
is represented by Australia and New Zealand.
Who owns the AISEP?
The AISEP is co-owned by Australia’s Defence Signals Directorate
(DSD) and New Zealand’s Government Communications Security
Bureau (GCSB). The CC certifying body for Australia and New Zealand
is the Australasian Certification Authority (ACA) within
DSD, which also represents the Information Assurance (IA) division
within GCSB.
What is the AISEP mission statement?
The Australasian Information Security Evaluation Program (AISEP)
exists to ensure the ready availability of a comprehensive list
of independently assured Information Technology (IT) products
that meet the needs of Australian and New Zealand government
agencies in securing their official resources.
Why do we have the AISEP?
Australian and New Zealand government agencies, as consumers, have
a reasonable expectation that information contained in Information
and Communications Technology (ICT) products and systems are
secure.
When an independent evaluation is performed on the security functionality
of an ICT product, consumers have greater confidence in using the
product. AISEP certified products aim to meet Australian and New
Zealand government business and security needs.
Are there policies explaining the AISEP framework for CC evaluations?
The Australasian Certification Authority (ACA) administers
the regulations for conducting CC evaluations through the following
AISEP Publications:
AP 1: Program Policy;
AP 2: Certifier Guidance;
AP 3: Evaluator Guidance;
AP 4: Sponsor and Consumer Guidance.
AP 1 and AP 4 are relevant to the Consumer and Sponsor of AISEP
evaluations and certification. These policies can be downloaded
from http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html
How can I contact the AISEP?
If this FAQ page does not answer your question or you would like
to make a further enquiry, please email aisep@dsd.gov.au and
a member of the Australasian Certification Authority (ACA) at
DSD will assist you.
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
The Common Criteria for Information Technology Security Evaluation
is referred to as the CC. The CC is a standard for evaluating ICT
products against two types of criteria:
- Security function requirements; and
- Security assurance requirements.
A CC evaluated ICT product is certified to meet a list of security
functions and satisfies a level of assurance achieved.
The CC is based on the International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) 15408.
The CC has three parts and the CC Evaluation Methodology (CEM):
- Part 1: Introduction and general model;
- Part 2: Security functional components;
- Part 3: Security Assurance Components.
These documents are used by the certifying body of a CC scheme and the evaluation facilities.
What is the Common Criteria Recognition Arrangement (CCRA) and mutual
recognition?
The CCRA is an international agreement between CC certificate producing
and/or consuming nations to recognise CC evaluations for Evaluation
Assurance Levels (EAL) 1 through 4. Through the AISEP scheme, Australia
and New Zealand are joint members of the CCRA as a certificate producing
nation. Certificate consuming nations do not administer a CC scheme
but recognise the evaluation results conducted by CC certificate producing
nations. Participants of the CCRA benefit from shared certification
results without the need to duplicate an evaluation. Information about
the CCRA may be found on the CC portal at http://www.commoncriteriaportal.org/theccra.html.
Which nations participate in the CCRA?
The CCRA membership includes CC certificate
producing and certificate
consuming nations. All CCRA participants are listed on the CC portal
with the name and contact details of each CC scheme, which may be
found at http://www.commoncriteriaportal.org/members.html.
What is the Information Technology Security Evaluation Criteria (ITSEC)?
The ITSEC is a standard for IT security evaluation criteria agreed
between the United Kingdom (UK), Germany, France and the Netherlands.
ITSEC is a separate evaluation standard to the CC. ITSEC is managed
by the Communications-Electronics Security Group (CESG) within the
Government Communications Headquarters (GCHQ). Australia and New
Zealand have a Memorandum of Understanding (MoU) through Bi-lateral
agreement with the UK to mutually recognise ITSEC evaluation and
certification E1 through E6.
Information about ITSEC may be found at http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/index.shtml
ACSI 33 and NZSIT 400: Australia and New Zealand ICT Security Policies
What is ACSI 33 and how is it related to the EPL?
The Australian Government Information and Communications Technology
Security Manual is commonly known as ACSI 33. ACSI 33 provides policies
and guidance to Australian government agencies on how to protect
their ICT systems and guidance on ICT product selection. ACSI 33
can be found at http://www.dsd.gov.au/library/infosec/acsi33.html.
ICT products selected from the EPL are the preferred choice for
securing government information because of the added assurance a
security evaluation provides.
What is NZSIT 400 and how is it related to the EPL?
The New Zealand Government Information Technology Security Manual
(NZSIT 400) provides policy and guidance for New Zealand government
agencies. The NZSIT 400 series can be found at http://www.gcsb.govt.nz/newsroom/nzsits.html.
ICT products selected from the EPL are the preferred choice for
securing government information because of the added assurance a
security evaluation provides.
The Evaluated Products List (EPL)
What is the EPL and where can I find it?
The EPL serves two purposes:
- It fulfils Australia and New Zealand’s requirement of the CCRA to publish a list of AISEP certified products; AND
- It provides a comprehensive list of DSD evaluated ICT products that meet the needs of Australian and New Zealand government agencies in securing official resources.
The EPL fulfils the stated purposes through publication of the following:
- A completed or progressing AISEP evaluation;
- A completed ITSEC evaluation;
- A CC evaluation up to EAL 4, that is progressing through or has completed a DSD Cryptographic Evaluation (DCE);
- A completed DSD High-Grade evaluation;
- A completed discrete DSD recognised evaluation;
- A link to the CC Certified product list, which includes CCRA mutually recognised evaluated products EAL 1 through 4;
- A link to the Historical EPL for ICT products retired from
the EPL.
The EPL can be found on the DSD website at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html.
The CC Certified product list can be found on the CC portal at http://www.commoncriteriaportal.org/products.html.
Why doesn’t the EPL publish all mutually
recognised CC evaluations?
Common Criteria Recognition Arrangement (CCRA) participating nations
do not duplicate the publication of mutually recognised certified
products on each of their certified products lists. In accordance
with the CCRA, certified products published on the CC portal that
are EAL 1 through 4 are mutually recognised by Australia and New
Zealand and therefore, the Evaluated Products List (EPL) is not
required to repeat published evaluations. The EPL can be found on
the DSD website at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html.
The certified product list on the CC portal can be found at http://www.dsd.gov.au/infosec/evaluation_services/epl/dsdcproducts.html.
What is the Historical Evaluated Products List (EPL) and where can
I find it?
The Historical EPL contains certified products that were previously
listed on the EPL on the DSD website. These products were removed
from the EPL for one or more of the following reasons:
- The evaluated product and/or version is no longer available in the original evaluated form,
- The evaluated product is no longer sold and/or supported by the Developer;
- The environment that the evaluated product was designed to operate in has had major changes;
- The evaluated product is no longer able to support Australian government ICT security policy requirements.
The Historical EPL can be found at http://www.dsd.gov.au/infosec/evaluation_services/epl/historical.html.
What is an Evaluation Assurance Level (EAL)?
An Evaluated Assurance Level (EAL) us a grade,
from EAL 1 to EAL 7, that is assigned to the product following the
completion of a Common Criteria (CC) evaluation. The higher the EAL
means that there has been more detailed documentation, analysis, and
testing of the product than those with a lower EAL. The aim of the
higher levels is to provide increased confidence for consumers that
the product’s
security features perform as claimed. In many cases, ACSI
33 and
NZSIT 400 require ICT products to meet a specified evaluated assurance
level when used for securing Australian and New Zealand government
information.
How do I search for the right ICT product for my use?
Australia and New Zealand government agencies that are compliant
with ACSI 33/NZSIT 400 select ICT products according to their information
classification requirements AND from an organisation Threat and
Risk Assessment (TRA).
The following checklist may be used by Australian government agencies;
New Zealand government agencies may follow the same steps and substitute
NZSIT 400:
STEP 1. Download and read the latest release of ACSI 33 from http://www.dsd.gov.au/library/infosec/acsi33.html to determine the ICT protective security product requirements for your organisation’s information classification. Consider the following:
- Do you have cryptographic requirements?
- Do you need to reduce the classification of your information to transmit or store on a lower classification product or network?
STEP 2. Consult the ACSI 33 ICT Product Lifecycle chapter. The section titled Selection Preference Order provides guidance on EPL product selection to meet your requirements from STEP 1.
STEP 3. Go to the EPL at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html and the CC portal at http://www.commoncriteriaportal.org/products.html to search for ICT products that meet your requirements from STEP 1.
STEP 4. Check that your selected ICT product from STEP 3 meets ACSI 33 requirements for your information classification handling.
STEP 5. IF your product has cryptographic functionality OR you require cryptographic functionality to meet requirements from STEP 1 then:
- Check if your selected product has completed a DSD Cryptographic Evaluation (DCE); OR
- Write a sponsorship letter to DSD requesting a DCE on the
ICT product you have selected. An example sponsorship letter
can be found at http://www.dsd.gov.au/infosec/evaluation_services/epl/dsdcproducts.html.
IF your selected product has a completed DCE then you are able to use the product in accordance with its associated Consumer Guide. Where a Consumer Guide has not been provided, seek guidance from ACSI 33 to determine if the ICT product’s cryptographic functionality meets your information classification requirements in STEP 1.
Contact details for DSD Information Security can be found at http://www.dsd.gov.au/contact_dsd/index.html for assistance in evaluated product selection for Australian and New Zealand government use.
How can I get my ICT product AISEP certified and listed on the EPL?
AISEP certified products aim to fulfil the business and security
needs of the Australian and New Zealand governments. If you are
a Sponsor or Developer of an ICT product and would like your product
AISEP evaluated and certified you can use the following checklist:
STEP 1. Check with the product developer that the product contains security functionality such as cryptography, authentication and access controls as examples.
STEP 2. Download and read the latest release of ACSI 33 from http://www.dsd.gov.au/library/infosec/acsi33.html to determine an evaluation assurance level that will serve Australian and New Zealand government security needs. Refer to NZSIT 400 for New Zealand government requirements at http://www.gcsb.govt.nz/newsroom/nzsits.html.
STEP 3. Download and read the AISEP Publication (AP) 1: Program Policy from http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html to understand the management and operations of the AISEP. AP 1 will provide an overall explanation of the AISEP scheme and outline the responsibilities of the stakeholders involved. AP 4: Sponsor and Consumer Guidance can also be downloaded from the same web page and it is recommended that Sponsors read this publication as it explains the process of evaluation with the ESC and AISEF.
STEP 4. Contact Australian and New Zealand government agencies to gauge their interest in using, and or sponsoring your product into an AISEP evaluation. If your product does not present a benefit to Australian and New Zealand government agency use, then it will not be considered for AISEP evaluation.
STEP 5. Contact as many ESCs and AISEFs as you wish to discuss the costs, time frames and advice on evaluation.
STEP 6. Decide on the ESC and AISEF to best conduct your evaluation.
STEP 7. WHEN you are prepared to accept the responsibilities, costs and time commitment of an AISEP evaluation, it is advisable to conduct a meeting with the ACA to discuss your intended evaluation. This is an opportunity to ask questions about the scheme in relation to your product evaluation.
STEP 8. Engage an ESC and an AISEF to prepare and coordinate AISEP
Acceptance Package (AAP) deliverables for ACA submission.
DSD Evaluations
What types of evaluations does DSD perform?
DSD performs the following types of evaluations and publishes the
results on the EPL:
- AISEP evaluations and certificates;
- DSD Cryptographic Evaluations (DCE);
- High grade cryptographic evaluation;
- Other DSD recognised evaluations.
What is the difference between an AISEP evaluation and an AISEP certification?
AISEP evaluations are conducted by an AISEF. AISEP certification
is performed by the ACA. An AISEP evaluation applies the CC Evaluation
Methodology (CEM) against CC assurance requirements. The evaluation
aims to produce a standardised and repeatable result that facilitates
mutual recognition of evaluation results across CCRA participating
schemes. An AISEP certification represents the validation of the
evaluation activities and results and is tailored to the certifying
body’s regulatory framework. The ACA’s regulatory framework
is defined in the AISEP Publications (AP) 1 to 4.
What is a DSD Cryptographic Evaluation (DCE)?
DSD performs cryptographic evaluations independently of the AISEP;
although a DCE may compliment an AISEP evaluation. DSD determines
the method and strength of testing based on the Evaluation Assurance
Level (EAL) of the ICT product. ICT products
progressing through or completed a DCE are listed on the Evaluated
Products List (EAL).
The following describes the conditions for conducting a DCE:
- If an ICT product enters the AISEP containing cryptographic functionality in the Target of Evaluation (TOE), a DCE MUST be performed on the ICT product before it can be used; OR
- If an Australian or New Zealand government agency selects a product on the EPL that is not AISEP evaluated (including from the CC certified products list) and the product contains cryptography, a DCE MUST be performed on the ICT product before it can be used;
Australian and New Zealand government agencies may request a DCE through a sponsorship letter. An example sponsorship letter is provided on http://www.dsd.gov.au/infosec/evaluation_services/epl/dsdcproducts.html. Requests for a DCE are considered based on need and priority and are at no cost.
What is a DSD High Grade evaluation?
A DSD High Grade evaluation is a form of DSD Cryptographic Evaluation
(DCE) that is performed independently of the AISEP. DSD determines
the method and strength of testing required for DSD High Grade evaluation.
ICT products progressing through or completed a DSD High Grade evaluation
are listed on the Evaluated Products List (EPL).
AISEP Functions
ACA: Who is the Australasian Certification Authority and what do
they do?
The Australasian Certification Authority (ACA) is
the certifying body in Australia and New Zealand for CC evaluations.
The ACA resides within DSD and implements the AISEP scheme by setting
the standards and monitoring the quality of evaluations conducted
by the Australasian Information Security Evaluation Facilities (AISEFs).
AISEF: What is an Australasian Information Security Evaluation Facility?
An Australasian Information Security Evaluation Facility (AISEF)
is an ACA approved commercial facility that is licenced to perform
AISEP evaluations and has been accredited by the National Association
of Testing Authorities (NATA) to conduct CC evaluations. A list
of AISEFs and their contact details can be found at http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep_aisef.html
ESC: What is an Evaluation Support Consultant?
An Evaluation Support Consultant (ESC) has received ACA approval
to provide support consulting to Sponsors of AISEP evaluations.
ESCs are qualified to write the Security Target (ST) in consultation
with the Sponsor or Developer of the product to be evaluated. A
list of ESCs can be found at http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep_aisef.html
ESCs are not endorsed by the ACA, although it is recommended to
consult with an ESC.
AAP: What is an AISEP Acceptance Package?
The AISEP Acceptance Package (AAP) contains documents prepared
by the Sponsor and AISEF for submission to the ACA as a formal
request for an AISEP evaluation. One major component of the AAP
is the Security Target (ST) or Protection Profile (PP). The ST is
a document specifying the security requirements of the Target of
Evaluation (TOE) to be evaluated against the CC security and assurance
requirements. A PP is an implementation-independent document of
security requirements for a category of TOEs that meet specific
consumer needs. Sponsors should consult with their ESC and AISEF to negotiate the time frame for producing an ST or PP and discuss
expectations and the scope of the TOE.
TOE: What is a Target of Evaluation (TOE)?
The Target of Evaluation (TOE) specifies the components of an ICT
product that is being evaluated. CC evaluations
require the TOE to be identified through security functions,
interfaces and policies. AISEP Publication (AP)
1 provides additional information about the TOE. ICT product
Developers may consult with an ESC or
AISEF to gain a greater understanding
of TOE definition for product evaluation.
AAC: What is AISEP Assurance Continuity?
AISEP Assurance Continuity (AAC) is a process that allows an AISEP
certified or CCRA mutually recognised product to extend their assurance
when the product has undergone minor changes. The Sponsor is required
to submit a proposal to conduct an AAC maintenance task that contains
an Impact Analysis Report (IAR) and a covering letter providing
the Sponsor’s details. The ACA will review the IAR to determine
if the changes are minor or major. A minor result can be accepted
by the ACA as a maintenance update and a major result will warrant
a re-evaluation. Details of an AAC maintenance task can be found
in AP 1: Program Policy at http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html
More Information
This is fantastic! Where can I read more about the AISEP?
Full details on the AISEP are available on the DSD web site at
the following:
DSD: http://www.dsd.gov.au/index.html.
AISEP: http://www.dsd.gov.au/infosec/evaluation_services/aisep_pages/aisep.html
AISEP and CC Publications:
http://www.dsd.gov.au/infosec/evaluation_services/epl/aisep_doc_guide.html.
Was this FAQ page helpful? Please send us your feedback at aisep@dsd.gov.au.
List of Acronyms
AAB |
AISEP Advisory Board |
AAC |
AISEP Assurance Continuity |
AAP |
AISEP Acceptance Package |
ACA |
Australasian Certification Authority |
ACC |
AISEP Certificate Continuity |
ACSI 33 |
Australian Government Information and Communications Technology Security Manual |
AISEF |
Australasian Information Security Evaluation Facility |
AISEP |
Australasian Information Security Evaluation Program |
AP 1-4 |
AISEP Publications 1-4 |
CC |
Common Criteria |
CCRA |
Common Criteria Recognition Arrangement |
CEM |
Common Criteria (CC) Evaluation Methodology |
CR |
Certification Report |
DACA |
DSD Approved Cryptographic Algorithm |
DCE |
DSD Cryptographic Evaluations |
DSD |
Defence Signals Directorate |
EAL |
Evaluation Assurance Level |
EPL |
Evaluated Products List |
EPS/R |
Evaluation Progress Statement/Report |
ETR |
Evaluation Technical Report |
GCSB |
Government Communications Security Bureau |
IAR |
Impact Analysis Report |
ICT |
Information and Communications Technology |
IS |
Information Security (a section within DSD) |
ISO |
International Organization for Standardization |
ITSEC |
Information Technology Security Evaluation Criteria |
MoU |
Memorandum of Understanding |
MR |
Mutual Recognition |
NATA |
National Association of Testing Authorities |
PP |
Protection Profile |
ST |
Security Target |
TOE |
Target of Evaluation |
TRA or RTA |
Threat and Risk Assessment |