AISEP Frequently Asked Questions

Supporting information on the Australasian Information Security Evaluation Program (AISEP).

The AISEP
What is the AISEP?
Who owns the AISEP?
What is the AISEP mission statement?

Why do we have the AISEP?
Are there policies explaining the AISEP framework for CC evaluations?
What is the difference between an AISEP evaluation and an AISEP certification?
How can I contact the AISEP?

Common Criteria and mutual recognition
What is the Common Criteria (CC)?
What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
Which nations participate in the CCRA?
What is the Information Technology Security Evaluation Criteria (ITSEC)?

ISM and NZ ISM: Australia and New Zealand ICT security policies
What is the ISM and how is it related to the EPL?
What is NZ ISM and how is it related to the EPL?

Evaluated Products List (EPL)
What is the Evaluated Product List (EPL) and where can I find it?
Why doesn’t the EPL publish all mutually-recognised CC evaluations?
What is the historical EPL and where can I find it?
What is an Evaluation Assurance Level (EAL)?
How can I get my ICT product AISEP-certified and listed on the EPL?
Is product X being evaluated for the EPL?

AISEP functions
ACA: Who is the Australasian Certification Authority and what do they do?
AISEF: What is an Australasian Information Security Evaluation Facility?
AAP: What is an AISEP Acceptance Package?
TOE: What is a Target of Evaluation?
AAC: What is AISEP Assurance Continuity?

More information
List of acronyms

AISEP

What is the Australasian Information Security Evaluation Program (AISEP)?
The Australasian Information Security Evaluation Program (AISEP) is the name of Australia and New Zealand's combined Common Criteria (CC) evaluation scheme. The Australasian Certification Authority is the certification body that administers and manages the AISEP policy and Common Criteria evaluations performed in Australia.

Who owns the AISEP?
Australia’s Australian Signals Directorate (ASD) and New Zealand’s Government Communications Security Bureau (GCSB) are dual signatories to the AISEP as a Common Criteria (CC) certificate producing scheme. The CC certifying body for Australia and New Zealand is the Australasian Certification Authority within ASD, which also represents the Information Assurance (IA) division within GCSB.

What is the AISEP mission statement?
AISEP exists to ensure the ready availability of a comprehensive list of independently-assured ICT security products that meet the needs of Australian and New Zealand government agencies in securing their official resources in accordance with the Information Security Manual (ISM).

Why do we have the AISEP?
Australian and New Zealand government agencies, as consumers, have a reasonable expectation that information held in ICT security products and systems is secure. When an independent evaluation is performed on the security functionality of an ICT security product, consumers have greater confidence in using the product. AISEP-certified products aim to meet Australian and New Zealand government business and security needs.

Are there policies explaining the AISEP framework for CC evaluations?
The Australasian Certification Authority administers the regulations for conducting Common Criteria (CC) evaluations through the following AISEP publications:

What is the difference between an AISEP evaluation and an AISEP certification?
AISEP evaluations are conducted by an AISEF. AISEP certification is performed by the ACA. An AISEP evaluation applies the CC Evaluation Methodology (CEM) against CC assurance requirements. The evaluation aims to produce a standardised and repeatable result that facilitates mutual recognition of certifications across CCRA participating schemes. An AISEP certification represents the validation of the evaluation activities and results to the certifying body’s regulatory framework. The ACA’s regulatory framework is defined in the AISEP Policy Manual.

How can I contact the AISEP?
Email ASD Advice and Assistance; Australasian Certification Authority staff at ASD will assist you.


Common Criteria and mutual recognition

What is the Common Criteria (CC)?
The Common Criteria for Information Technology Security Evaluation is referred to as the CC. The CC is a standard for evaluating ICT security products against two types of requirements:

  • security functional requirements
  • security assurance requirements.

A CC-evaluated ICT security product is certified to meet a list of vendor-claimed security functions and to satisfy a stated level of assurance. The CC also has an equivalent International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard, ISO/IEC 15408.

The CC has three parts, plus the CC Evaluation Methodology (CEM):

  • Part 1: Introduction and general model
  • Part 2: Security functional components
  • Part 3: Security assurance components.

These documents are used by the certifying body of a CC scheme and the evaluation facilities.

What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
The CCRA is an international agreement between CC certificate-producing and certificate-consuming nations to recognise CC certifications for Evaluation Assurance Levels (EAL) 1 through 4. Through the AISEP scheme, Australia and New Zealand are joint certificate-producing members of the CCRA. Certificate-consuming nations do not administer a CC scheme but recognise CC certificates issued by certificate-producing nations. Participants of the CCRA benefit from shared certification results without the need to duplicate an evaluation. Information about the CCRA may be found on the CC Portal.

Which nations participate in the CCRA?
All CCRA participants are listed on the CC Portal with the name and contact details of each CC scheme.

What is the Information Technology Security Evaluation Criteria (ITSEC)?
ITSEC is a standard for ICT security evaluation criteria agreed between the United Kingdom, Germany, France and the Netherlands. ITSEC is a separate evaluation standard from the CC. ITSEC is managed by the Communications Electronics Security Group (CESG) within the UK Government Communications Headquarters (GCHQ). Australia and New Zealand have a Memorandum of Understanding (MoU), through a bilateral agreement with the UK, to mutually recognise ITSEC evaluations and certifications at levels E1 through E6. In Australia, ITSEC was the predecessor evaluation program to the CC. AISEP now focuses solely on the CC as its evaluation program.


Australian and New Zealand ICT security policies

What is the ISM and how is it related to the EPL?
The Australian Government Information Security Manual (ISM) provides policies and guidance on security controls to Australian government agencies on how to protect their ICT systems. It was called ACSI 33 until 2005. The product selection chapter in the ISM provides guidance on selecting ICT security products from the EPL.

What is NZ ISM and how is it related to the EPL?
The New Zealand Government Information Security Manual (NZ ISM) provides policy and guidance for New Zealand government agencies.


Evaluated Products List (EPL)

What is the EPL and where can I find it?
The Evaluated Products List (EPL) serves two purposes:

  1. It fulfils the AISEP's obligation under the CCRA to publish a list of AISEP-certified products.
  2. It provides a comprehensive list of ASD-evaluated ICT security products that meet the needs of Australian and New Zealand government agencies in securing official resources in accordance with the Information Security Manual (ISM).

The EPL fulfils the stated purposes through publication of the following:

  • a completed or progressing AISEP evaluation
  • previously completed ITSEC evaluations
  • a CC evaluation up to EAL 4 that is progressing through or has completed an ASD Cryptographic Evaluation
  • a completed ASD High Assurance evaluation
  • a completed discrete ASD-recognised evaluation
  • a link to the CC Portal's certified product list, which includes CCRA mutually-recognised evaluated products EAL 1 through 4
  • a link to the historical EPL for ICT products retired from the EPL.

The CC Portal's certified product list can be found on the CC Portal.

Why doesn’t the EPL publish all mutually-recognised CC evaluations?
Common Criteria Recognition Arrangement (CCRA) participating nations do not duplicate the publication of mutually-recognised certified products on each of their certified products lists (for the AISEP, this is the EPL). In accordance with the CCRA, certificates published on the CC Portal that are EAL 1 through 4 are instantly mutually recognised by Australia and New Zealand and, therefore, the Evaluated Products List (EPL) is not required to repeat published evaluations and certifications.

What is the historical EPL and where can I find it?
The historical EPL contains certified products that were previously listed on the EPL on the ASD website. These products were removed from the EPL for one or more of the following reasons:

  • the evaluated product and/or version is no longer available in the original evaluated form
  • the evaluated product is no longer sold and/or supported by the developer, manufacturer or vendor
  • the environment that the evaluated product was designed to operate in has undergone major changes
  • the evaluated product is no longer able to support Australian government ICT security policy requirements as specified in the Information Security Manual (ISM).

What is an Evaluation Assurance Level (EAL)?
An Evaluation Assurance Level (EAL) is a number assigned to a Common Criteria (CC) evaluation and certificate. It is being superseded by Protection Profiles.

How can I get my ICT product AISEP-certified and listed on the EPL?
If you are an Australian or New Zealand government agency that wishes to use a security product that is not on the EPL, you may recommend that product for evaluation at ASD. All ASD evaluations must be recommended by an Australian or New Zealand government agency in accordance with the recommendation process.

If you are an industry consultant or a product developer and would like your product AISEP evaluated and certified you can use the following checklist:

Step 1

Step 2

  • Contact Australian and/or New Zealand government agencies to gauge their interest in using and recommending your product into the AISEP.
  • If your product does not present a benefit to Australian and New Zealand government agency use, then it will not be considered for AISEP evaluation.
  • All ASD evaluations must be recommended by an Australian or New Zealand government agency in accordance with the recommendation process.

Step 3

  • Arrange for an Australian or New Zealand government agency to write a letter of recommendation for evaluation to ASD and email ASD Advice and Assistance to advise of your involvement in the evaluation request, indicating that you are the product developer.
  • Note that AISEP evaluation entry requirements differ from those for ASD Cryptographic Evaluation and High Assurance evaluation. The letter template provides detail on this.

Step 4

Step 5

  • When you are prepared to accept the responsibilities, costs and time commitment of an AISEP evaluation, engage an AISEF to prepare the AISEP Acceptance Package (AAP) deliverables for Australasian Certification Authority submission.

Step 6

  • ASD, through the Australasian Certification Authority, will send the AISEF and recommending government agency a letter to show formal acceptance of the product into AISEP evaluation and the EPL will be updated to show the product as In Evaluation.

Is product X being evaluated for the EPL?
If a product has entered evaluation under the AISEP, it will be listed on the EPL with the current status of the evaluation and an expected completion date. If a product you are seeking does not appear on the EPL, check whether it is published on the CC Portal's certified product list. To check whether the product is being evaluated in another Common Criteria scheme overseas, contact the manufacturer or the Australian reseller of the product.


AISEP functions

ACA: Who is the Australasian Certification Authority and what do they do?
The Australasian Certification Authority (ACA) is the certifying body in Australia and New Zealand for CC evaluations. The ACA resides within ASD and implements the AISEP scheme by setting the standards and monitoring the quality of evaluations conducted by the Australasian Information Security Evaluation Facilities (AISEF).

AISEF: What is an Australasian Information Security Evaluation Facility?
An Australasian Information Security Evaluation Facility (AISEF) is an ACA-approved commercial facility that is licensed to perform AISEP evaluations and has been accredited by the National Association of Testing Authorities (NATA) to conduct CC evaluations.

AAP: What is an AISEP Acceptance Package?
The AISEP Acceptance Package (AAP) contains documents prepared by the developer and the AISEF for submission to the ACA: the Security Target (ST), the Protection Profile (PP) (if relevant) and the proposed timelines for the evaluation. The ST is a major component of the AAP and specifies the security requirements of the Target of Evaluation (TOE) to be evaluated against the CC security functional and assurance requirements. A Protection Profile (PP) is an implementation-independent statement of security requirements for a category of TOEs that meet specific consumer needs. Developers should consult their AISEF to negotiate the time frame for producing an ST or PP and to discuss expectations and the scope of the TOE.

TOE: What is a Target of Evaluation (TOE)?
The Target of Evaluation (TOE) specifies the components of an ICT product that are being evaluated. CC evaluations require the TOE to be identified through its security functions, interfaces and policies. The AISEP Policy Manual provides additional information about the TOE. ICT product developers may consult with an AISEF to gain a greater understanding of TOE definition for product evaluation.

AAC: What is AISEP Assurance Continuity?
AISEP Assurance Continuity (AAC) is a process that allows an AISEP-certified or CCRA mutually-recognised product to extend its assurance when the product has undergone minor changes. The developer is required to submit a proposal to conduct an AAC maintenance task, containing an Impact Analysis Report (IAR) and a covering letter providing the developer's details.

The ACA will review the IAR to determine if the changes are minor or major. A minor result can be accepted by the ACA as a maintenance update and a major result will warrant a re-evaluation. Details of an AAC maintenance task can be found in the AISEP Policy Manual.


List of acronyms

AAB: AISEP Advisory Board
AAC: AISEP Assurance Continuity
AAP: AISEP Acceptance Package
ACA: Australasian Certification Authority
ACC: AISEP Certificate Continuity
AISEF: Australasian Information Security Evaluation Facility
AISEP: Australasian Information Security Evaluation Program
APM: AISEP Policy Manual
CC: Common Criteria
CCRA: Common Criteria Recognition Arrangement
CEM: Common Criteria (CC) Evaluation Methodology
CR: Certification Report
DACA: ASD Approved Cryptographic Algorithm
DCE: DSD Cryptographic Evaluations (superseded title)
ASD: Australian Signals Directorate
EAL: Evaluation Assurance Level
EPL: Evaluated Products List
EPS/R: Evaluation Progress Statement/Report
ETR: Evaluation Technical Report
GCSB: Government Communications Security Bureau
IAR: Impact Analysis Report
ICT: Information and Communications Technology
IS: Information Security (a section within ASD)
ISO: International Organization for Standardization
ITSEC: Information Technology Security Evaluation Criteria
MoU: Memorandum of Understanding
MR: Mutual Recognition
NATA: National Association of Testing Authorities
PP: Protection Profile
ST: Security Target
TOE: Target of Evaluation
TRA or RTA: Threat and Risk Assessment