ISM-0465

Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.

Topic
Encrypting data in transit
Applicable to
Official, Protected

History

Priority
must
Mar 2022
Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Dec 2021
Cryptographic equipment or encryption software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure.
The recommendation that cryptographic products have completed an ASD Cryptographic Evaluation before being used for the protection of data at rest or in transit has been replaced with a recommendation for the use of cryptographic products that have been evaluated and certified under the Common Criteria against a Protection Profile.
2015
Agencies must use a Common Criteria–evaluated encryption product that has completed an ACE if they wish to communicate classified information over public network infrastructure.
2010
Agencies must use an EAL2 encryption product from DSD’s EPL that has completed a DCE if they wish to communicate classified information over unclassified or public networks.
2008
Agencies must use encryption products that meet the minimum level of assurance, as shown in the following table, if they wish to use encryption to reduce the requirements for communicating classified information over networks of a lower classification than that of the information.