Latest frequently asked questions

Q: Are there particular cryptographic algorithms or protocols that should be implemented in the ICT security product for Australian Government …

A: Yes. All ICT security products implementing cryptography destined for use by Australian Government agencies must use ACSC-approved cryptographic algorithms and ACSC-approved cryptographic protocols. Further information is in the ISM.

Q: Are there policies explaining the AISEP framework for CC evaluations?

A: We administer the regulations for conducting Common Criteria (CC) evaluations. You can find more detail in the AISEP Policy Manual.

Q: Do vendors need a non-disclosure agreement (NDA) in place before the Cryptographic evaluation starts?

A: No. If requested, we can negotiate an NDA with the vendor. This can be a lengthy process that will postpone the start of the Cryptographic evaluation. To reduce delays, we have a standard NDA template, which is available upon request.

Q: Do you charge for Cryptographic evaluations?

A: No. We do not charge evaluation fees for conducting a Cryptographic evaluation or producing a consumer guide. However, the vendor is responsible for arranging delivery of the information, software and/or hardware to us (if secure electronic means is not a viable option) and providing any licences we …

Q: Does obtaining FIPS-140 accreditation mean that the ICT product does not need to go through an ACSC Cryptographic evaluation?

A: No. In accordance with the ISM, FIPS-140 accreditation does not replace an ACSC Cryptographic evaluation. However, providing all relevant FIPS accreditation documentation may assist the process.

Q: How can I get my ICT product AISEP-certified and listed on the EPL?

A: If you are an Australian or New Zealand government agency that wishes to use a security product that is not on the EPL, you can recommend that product for evaluation in accordance with the recommendation process.

Q: How do I know if a product is being evaluated for the EPL?

A: All products that have started evaluation under AISEP will be listed on the EPL with the current status of the evaluation and an expected completion date. If a product you are seeking does not appear on the EPL, check if it is published on the CC Portal’s certified product list. To check if the …

Q: How long does a Cryptographic evaluation take?

A: The Cryptographic evaluation process generally takes several months. This timeframe is separate to the time taken for the AISEP evaluation. The time taken depends on the level of vendor cooperation and whether any security vulnerabilities are found during the evaluation. If we do find security …

Q: If a vendor's ICT security product has been evaluated under a Common Criteria scheme other than the AISEP, how do I have it listed on the …

A: An Australian Government agency must request that we conduct a Cryptographic evaluation of an ICT security product, through our recommendation process.

Q: What information and support should vendors provide for an ACSC Cryptographic evaluation?

A: A technical and/or engineering contact within the company (preferably located in Australia) to answer questions; technical documentation including descriptions of protocols, key management, algorithms and data formats; offline access to the full source code.

Q: What is AISEP Assurance Continuity (AAC)?

A: AISEP Assurance Continuity (AAC) is a process that allows an AISEP-certified or CCRA mutually-recognised product to extend its assurance when the product has undergone minor changes. The developer is required to submit a proposal to conduct an AAC maintenance task that contains an Impact Analysis …