A Protection Profile is a document that stipulates the security functionality that must be included in a Common Criteria evaluation. Agencies can have confidence that the scope of an evaluation against an ACSC-approved Protection Profile covers the necessary security functionality expected of the evaluated product and that known security threats will have been addressed. The evaluation scope also includes the effectiveness and integrity of cryptographic functions.
In the past, a Common Criteria evaluation was conducted at a specified Evaluation Assurance Level (EAL). However, Protection Profiles do not incorporate this scale. The Protection Profile describes the complete set of a product's security functionality, against which it is evaluated. Products evaluated against a Protection Profile will still appear on ACSC's Evaluated Products List (EPL) but with the relevant Protection Profile rather than an EAL.
Protection Profiles provide better assurance in the security of evaluated products. During the transition to Protection Profiles, a cap of EAL 2 now applies for all traditional EAL-based evaluations overseen by ACSC.
ACSC-approved Protection Profiles
|Network-related devices||Collaborative Protection Profile for Network Devices v2.0 + Errata 20180314 ND cPP Supporting Document (PDF)||V2.0E||2018-03-14|
|Network-related devices||Collaborative Protection Profile for Stateful Traffic Filter Firewalls v2.0 + Errata 20180314 FW cPP Supporting Document (PDF)|
|Network-related devices||Extended Package VPN Gateway (GW EP) (PDF)||V2.1||2017-06-15|
|Network-related devices||Extended Package Intrusion Prevention Systems (IPS EP) (PDF)||V2.11||2017-03-08|
Other Protection Profiles the AISEP may consider depending on the needs of Australian government are listed here: https://www.niap-ccevs.org/Profile/PP.cfm
Archived Protection Profiles
Protection Profiles listed below are for reference only and are not to be used as the basis for new evaluations in the AISEP. Protection Profiles are reviewed periodically to determine if the security functional and assurance requirements are still acceptable, given rapid technology changes and increasing threat levels.