Cryptographic evaluations

We analyse products intended to be used by Australian and New Zealand government agencies to determine whether the security architecture and cryptographic algorithms they use have been implemented correctly and are strong enough for the products intended use.

What our cryptographic evaluations do

We perform an unconstrained search and test for cryptographic vulnerabilities, so Australian and New Zealand government agencies can rely on the strength and quality of the cryptographic security they use to protect official information and systems.

For each evaluation, we publish a consumer guide on the Evaluated Products List (EPL) that provides guidance on the security classification of information that can be stored or transmitted using the product, in accordance with the Information Security Manual (ISM).

An ACSC Cryptographic evaluation is required if:

  • an ICT security product undergoing evaluation through the AISEP contains cryptographic functionality, and an Australian Government agency will rely on this functionality for reducing the storage and physical transfer and/or electronic transit encryption requirements of PROTECTED information or higher
  • an Australian Government agency selects a product on the EPL that is not AISEP-evaluated (including products from the Common Criteria Portal) and the ICT security product contains cryptographic functionality that will be used to reduce the storage and physical transfer and/or electronic transit encryption requirements of PROTECTED information.

The depth of testing in our cryptographic evaluations depends on the risks associated with using the product, based on the planned deployment of the product and the classification handling involved.

The results and certification or validation of other nations’ cryptographic evaluations are not a replacement for our cryptographic evaluation for Australian Government agencies.

How to get a product evaluated

We perform cryptographic evaluations where appropriate as part of other ICT product security evaluations.