High Assurance Evaluation of Unidirectional Gateways
Ensure diodes used between secure and public networks have completed a high assurance evaluation.
Plain language
This control is about making sure that devices called diodes, which control which direction data can flow across a network, are thoroughly checked for safety when connecting high-security networks to public ones. This matters because if these diodes fail or aren't properly evaluated, sensitive information could leak out from a secure network, leading to serious breaches of privacy and security.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high assurance evaluation.
Why it matters
Using non-evaluated diodes in unidirectional gateways can allow data exfiltration from SECRET/TOP SECRET networks to public infrastructure, causing compromise.
Operational notes
Confirm that the diode model and version used in the unidirectional gateway retains a current high assurance evaluation, and record certificate IDs, scope and expiry in a review log.
Implementation tips
- Security managers should ensure that any network diodes intended for use between secure and public networks undergo a high assurance evaluation. This involves checking the certification or evaluation reports from reputable security organisations, such as the Australian Cyber Security Centre (ACSC).
- IT teams should establish contracts with suppliers that outline the specific safety evaluations required for diodes. They can do this by specifying that the devices must meet certain standards and come with documented proof of evaluation.
- System owners should collaborate with network administrators to perform regular tests and checks on the diodes in use. They can do this by setting a schedule for testing device functionality and logging any maintenance or incidents.
- Procurement officers should only purchase diodes from vendors with a strong track record of high assurance evaluations. They should request and review case studies or references that confirm the vendor's compliance with strict security evaluations.
- Compliance officers should keep records of all evaluations and certifications related to the diodes used. They can ensure this by maintaining a secure, organised repository that archives all documentation and correspondence related to these evaluations.
Audit / evidence tips
- Ask: the diode evaluation reports. Request the documented evaluations that confirm the diodes used between networks meet high assurance standards.
  Good: Reports show recent evaluations by reputable bodies like ACSC or ASD (Australian Signals Directorate).
- Ask: the procurement contracts with diode vendors. Request the contracts to verify they stipulate safety evaluation requirements.
  Good: Contracts include detailed evaluation criteria before purchase is approved.
- Ask: diode testing schedules and logs. Request documents that show regular testing and maintenance of diode functionality.
  Good: A clear schedule with logs documenting tests, findings, and any actions taken.
- Ask: vendor compliance documentation. Request proofs, like certification or references, demonstrating the vendor’s adherence to high assurance standards.
  Good: Current certificates and positive references from known security organisations.
- Ask: the repository of evaluation documentation. Request access to the storage system where evaluation documents are kept.
  Good: An orderly digital folder with searchable, well-labeled files by date and diode type.
Cross-framework mappings
How ISM-0645 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.22 | ISM-0645 requires high assurance evaluation of evaluated diodes used in unidirectional gateways at SECRET/TOP SECRET to public network bo... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.