A Protection Profile is a document that stipulates the security functionality that must be included in a Common Criteria evaluation. Agencies can have confidence that the scope of an evaluation against an ASD-approved Protection Profile covers the necessary security functionality expected of the evaluated product, and that known security threats have been addressed. The effectiveness and integrity of cryptographic functions are also within the scope of product evaluations performed in line with Protection Profiles.
In the past, Common Criteria evaluations were conducted at a specified Evaluation Assurance Level (EAL). However, Protection Profiles do not incorporate this scale, because each Protection Profile describes the complete set of a product’s security functionality against which the product is evaluated. Products evaluated against a Protection Profile will still appear on ASD’s Evaluated Products List (EPL), but with the relevant Protection Profile rather than an EAL.
Protection Profiles provide better assurance in the security of evaluated products. During the transition to Protection Profiles, a cap of EAL 2 now applies for all traditional EAL-based evaluations overseen by ASD.
ASD-Approved Protection Profiles
Protection Profiles listed below are for reference only and are not to be used as the basis for new evaluations in the AISEP. Protection Profiles are reviewed periodically to determine if the security functional and assurance requirements are still acceptable, given rapid technology changes and increasing threat levels.
USB Position Statement, March 2014
The ACA has made available, via the Common Criteria Portal, a position statement on the development of a collaborative Protection Profile (cPP) for USB storage devices.
Protection Profile Extended Package for Stateful Traffic Filter Firewalls, May 2012
This Extended Package for the Network Devices Protection Profile (PDF) addresses a range of security threats related to infiltration into a protected network and exfiltration from a protected network.
DSD Approved Protection Profiles, March 2012
Note: The Defence Signals Directorate (DSD) was renamed the Australian Signals Directorate in May 2013.
DSD approves the following three documents:
- Protection Profile for Full Disk Encryption (PDF)
This Protection Profile addresses the threat that an adversary will obtain a lost or stolen hard disk (e.g., a disk contained in a laptop or a portable external hard disk drive) containing sensitive data.
- Protection Profile for Wireless Local Area Network (WLAN) Access Systems (PDF) and
- Protection Profile for Wireless Local Area Network (WLAN) Clients (PDF)
These Protection Profiles address the threats against Wireless Local Area Network (WLAN) access systems and clients.
DSD Approved Protection Profiles, February 2012
DSD approves the Protection Profile for USB Flash Drives (PDF). This Protection Profile addresses the primary threats that an adversary could obtain a misplaced or stolen USB flash drive and extract sensitive data or could attempt to place malicious system files on the device that could be used to compromise host environments. Email ASD, attention AISEP, for advice.
DSD Approved Protection Profiles, June 2011
DSD approves the Security Requirements for Network Devices (PDF) using Protection Profiles for Common Criteria evaluation in the AISEP. From December 2011, this is required for network infrastructure connected products operating at Layer 3. Email ASD, attention AISEP, for advice.
DSD and the international Common Criteria community are developing technology-specific Protection Profiles to enhance Common Criteria evaluations. Rather than relying on Evaluation Assurance Levels, DSD is raising the benchmark for security evaluations to meet Australian government information security needs.