Common Criteria Evaluation Assurance Levels: This is What They Mean

Evaluating the security of an IT product or system is crucial nowadays, when technology develops faster than the regulations that govern it. Common Criteria (ISO/IEC 15408) evaluation at one of the Evaluation Assurance Levels (EAL) is one of the most widely recognised ways to obtain independent, third-party assurance about a product's security claims. In this article we give an insight into Common Criteria evaluation and what the assurance levels do and do not tell you.

What is a Common Criteria Evaluation Assurance Level?

A Common Criteria Evaluation Assurance Level (EAL1 through EAL7) is the grade assigned to an IT product or system (the Target of Evaluation, TOE) after a Common Criteria security evaluation. Each successive level adds assurance requirements from CC Part 3 that the developer and the evaluation lab must satisfy (deeper design documentation, stricter configuration management, more thorough independent testing and vulnerability analysis) in order to obtain certification at that level. It is important to understand that an EAL does not measure how strong the product's security functions are; it measures how rigorously the product and its development process were examined. A "+" after a level (for example EAL4+) means the evaluation was augmented with additional assurance components beyond the standard package, such as flaw remediation (ALC_FLR) or a more advanced vulnerability analysis (AVA_VAN.5).

EALs are:

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested, and Reviewed
  • EAL5: Semi-Formally Designed and Tested
  • EAL6: Semi-Formally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested

What does higher or lower EAL mean?

Although every product or system must meet the same assurance requirements to attain a given level, they do not have to fulfil the same security functional requirements. The functional claims of each certified product are defined in its Security Target (ST), a document written specifically for that product's evaluation, which may in turn claim conformance to one or more Protection Profiles (PP). A product with a higher EAL is therefore not necessarily more secure in a given deployment than one with a lower EAL: their Security Targets may describe completely different sets of security functions and threats, so two certificates are only comparable once you have read both STs. When choosing a certified product, check that the ST actually covers the functionality and the threats that matter in your environment, and note which parts of the product fall outside the TOE boundary and were not evaluated at all.

Which is the most commonly used Evaluation Assurance Level?

According to the latest Common Criteria statistics report, EAL4 was the most frequent level in 2021. A total of 411 products were certified, of which 169 were high-assurance evaluations (EAL4 to EAL7, as the report groups them). The report lists 51 EAL5 evaluations, 40 EAL6 evaluations and 1 EAL7 evaluation, which leaves 77 at EAL4 and means 41.12% of all certifications were high-assurance. Low-assurance evaluations (EAL1 to EAL3) represent 22.63% of all Common Criteria evaluations, with a total of 93 certified products. The most common low-assurance level was EAL2, with 71 certifications, followed by EAL3 with 19 and EAL1 with 3 products or systems.

It is also important to know that certifications against a Protection Profile (PP) with no EAL assigned were significantly frequent in 2021: in total, 149 products were certified against a PP only, which is 36.25% of all certifications. This is the model used by collaborative Protection Profiles (cPPs) and by schemes such as NIAP in the United States, where the PP itself fixes the exact set of functional and assurance requirements and the product must conform to it exactly rather than claim a level.

Which EAL level to choose?

In general, when it comes to meeting regulatory requirements, businesses aim for the minimum that satisfies the market they sell into: they want to keep evaluation cost and time down while still being able to demonstrate the security of their products and services. However, because of the critical nature of their customers' operations, several organisations cannot avoid investing in at least an EAL4 or EAL4+ certification, depending on where and to whom they want to sell their products or solutions. A useful first step is to check which Protection Profiles and which EAL the target market or procurement framework actually requires, since an evaluation at the wrong level or against the wrong PP may not be accepted.

EAL 1-3

EAL 1-3 is often sufficient for commercial products in the public and private sector when the organisation needs confidence in the correct operation of the product and developers or consumers require a low to moderate level of independently assured security. Per CC Part 3, EAL2 is also well suited to securing legacy systems, where access to the developer's design records may be limited, and EAL3 fits cases that call for a thorough investigation of the product and its development without substantial re-engineering of existing development processes. At these levels the evaluator performs independent testing and a basic vulnerability analysis against publicly known attacks, but does not examine the detailed internal design.

EAL 4+

Sectors such as government agencies, essential services, critical infrastructure operators and high-profile organisations most probably require EAL4 or EAL4+ certification for the products and systems they procure. EAL4 is the highest level at which it is usually still economically feasible to retrofit an existing product line, because it requires a documented security architecture, a modular design description, life-cycle controls and a vulnerability analysis against attackers of enhanced-basic attack potential. Augmentations such as AVA_VAN.5 (resistance to attackers with high attack potential) are common for smart cards and secure elements. These buyers need demonstrable trust in the product or service they are using, and Common Criteria evaluation at an appropriate EAL is one of the best-established ways to obtain it.

Final Thoughts

An Evaluation Assurance Level (EAL) shows how thoroughly a security product or system was examined and tested within the Common Criteria evaluation process, not how strong its security functions are; that information is in the Security Target. There are seven levels, where 1 is the lowest and 7 the highest. Based on the latest statistics, EAL4 is the most frequent high-assurance level and EAL2 the most common low-assurance level, while a large share of certifications are now issued against Protection Profiles with no EAL at all.
