Evaluating the cybersecurity readiness of an IT product or system is crucial today, when technology develops faster than the regulations that govern it. Common Criteria evaluation at the different Evaluation Assurance Levels (EAL) is one of the best options for assuring the security of eligible products and solutions. This article gives an overview of Common Criteria evaluation and its assurance levels.
What is Common Criteria Evaluation Assurance Level?
A Common Criteria Evaluation Assurance Level (EAL1 through EAL7) is a ranking assigned to an IT system or product after a Common Criteria security evaluation. Each higher level adds assurance requirements that must be met in order to obtain Common Criteria certification at that level. It is important to understand that an EAL does not measure how secure the system is; it only indicates how rigorously the system was evaluated.
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semi-Formally Designed and Tested
- EAL6: Semi-Formally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
What does higher or lower EAL mean?
Although every product and system must meet the same assurance requirements during Common Criteria evaluation in order to attain a given level, they do not have to fulfill the same functional requirements. The functional aspects of each certified product are defined in its Security Target (ST), a document written specifically for that product’s or system’s evaluation. A product with a higher EAL is therefore not necessarily more secure in a given application than one with a lower EAL, because their Security Targets may contain completely different lists of security functions.
Which is the most commonly used Assurance Evaluation Level?
According to the latest Common Criteria Statistic Report, EAL4 was the most frequent evaluation level in 2021. A total of 411 products were certified, of which 169 were high-assurance evaluations (EAL4 to EAL7). The report lists 51 EAL5 evaluations, 40 EAL6 evaluations and 1 EAL7 evaluation, so 41.12% of the certifications were high-assurance. Low-assurance evaluations (EAL1 to EAL3) account for 22.63% of all Common Criteria evaluations, with a total of 93 certified products. The most common low-assurance level was EAL2, with 71 certifications, followed by EAL3 with 19 certifications and EAL1 with 3 certified products or systems.
It is also worth noting that certifications against a Protection Profile (PP) with no EAL assigned were frequent in 2021: in total, 149 products were certified against a PP alone, which is 36.25% of all certifications.
Which EAL level to choose?
In general, when it comes to meeting regulatory standards, businesses strive for the bare minimum: they want to keep costs down while still ensuring the security of their products and services. However, because of the critical nature of their services, many organizations cannot avoid investing in at least an EAL4+ certification, depending on the markets in which they want to sell their products or solutions.
EAL1 to EAL3 is often sufficient for public- and private-sector technology firms that need confidence in the correct operation of a product or system, and whose developers or customers require a low to moderate level of independently certified security. EAL1 to EAL3 certifications are also useful for validating and testing the security of legacy systems, or where the focus of the assessment calls for extensive security analysis without requiring substantial re-engineering.
Sectors such as government agencies, essential services, critical infrastructure and high-profile organizations most likely need EAL4+ certification for their products or systems, because they must build trust in the products and services they use, and Common Criteria evaluation at a defined EAL is among the best ways to do so.
The Evaluation Assurance Level (EAL) shows how thoroughly a security product or system has been evaluated within the Common Criteria process. There are seven levels, with EAL1 the lowest and EAL7 the highest. Based on the latest statistics, EAL4 is the most frequently chosen high-assurance level, while EAL2 is the most common low-assurance level.