© 2026 Muon Partners. All rights reserved.

Cryptographic implementation assurance

Securely implementing cryptographic algorithms and protocols is a difficult task that requires expertise and diligence. In doing so, suppliers, and their cyber supply chains, need to carry out their duties competently and honestly as small flaws in cryptographic equipment, applications or libraries can be catastrophic and difficult to detect. Therefore, to provide a degree of cryptographic implementation assurance, cryptographic equipment, applications and libraries should be assessed by one of the following processes, listed in order of preference:

  • a Common Criteria evaluation against an ASD-endorsed Protection Profile
  • a FIPS 140-3 cryptographic evaluation via the United States and Canada’s Cryptographic Module Validation Program
  • a cryptographic evaluation via the United States and Canada’s Cryptographic Algorithm Validation Program
  • a Common Criteria evaluation against an Evaluation Assurance Level
  • an independent security review by a reputable process or body.

Note, when a suitable Common Criteria evaluated product does not exist, an alternate product capable of securely implementing AACAs and AACPs may be used. However, cyber supply chain security risks still need to be considered to ensure the product does not present a high risk. For example, an organisation should still follow robust and secure procurement processes by selecting a product from a supplier with:

  • a history of undertaking Common Criteria evaluations for their other products
  • a demonstrated commitment to the security of their products, including by adopting Secure by Design principles and practices, responsively resolving known vulnerabilities, and providing clear end of life advice for consumers
  • a demonstrated commitment to transparency for their products
  • a strong track record of maintaining the security of their own systems
  • sufficient information on how to securely configure their products.
