Evaluation Assurance Level (EAL)

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system’s principle security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested to see if it meets all the requirements of its Protection Profile.

The National Information Assurance Partnership (NIAP) is a U.S. Government initiative by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

EAL4: Methodically Designed, Tested and Reviewed

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Information Technology Security Criteria (ITSEC)

The Information Technology Security Evaluation Criteria (ITSEC) are European-developed criteria. Its aim is to demonstrate conformance of a product or system (referred to in evaluation-speak as a target of evaluation, or TOE) against its Security Target. The TOE is evaluated as to whether it is both an effective and a correct implementation.

As can be seen from the summary requirements described here, achieving ITSEC certification can be a complex and time consuming process, so why bother? Well, in certain sensitive application areas, the UK government for one will not buy a product unless it carries an ITSEC certificate. So, certain markets may be closed to your product unless it is certified. In addition, as an ITSEC evaluation is carried out by a third party (a commercial licensed evaluation facility or CLEF), and as it is designed to demonstrate conformance to a set of security claims made about a product, it is an independent quality mark. Also, in some quarters, ITSEC certification is an effective marketing technique.