Evaluation Assurance Level

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principle security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested to see if it meets all the requirements of its Protection Profile.

The [http://www.niap-ccevs.org/ National Information Assurance Partnership (NIAP)] is a U.S. Government initiative by the [http://www.nist.gov/ National Institute of Standards and Technology (NIST)] and the [http://www.nsa.gov/ National Security Agency (NSA).]

To achieve a particular EAL, the computer system must meet specific "assurance requirements". Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same "assurance" requirements to achieve a particular level, they do not have to fulfill the same "functional" requirements. The functional features for each certified product are established in the "Security Target" document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL "should" indicate the more trustworthy product for that application.

Assurance levels

EAL1: Functionally Tested

EAL1 is applicable where some confidence in correct operation is required, but thethreats to security are not viewed as serious. It will be of value where independentassurance is required to support the contention that due care has been exercised withrespect to the protection of personal or similar information.EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, includingindependent testing against a specification, and an examination of the guidancedocumentation provided. It is intended that an EAL1 evaluation could be successfullyconducted without assistance from the developer of the TOE, and for minimal cost. Anevaluation at this level should provide evidence that the TOE functions in a mannerconsistent with its documentation, and that it provides useful protection againstidentified threats.

EAL2: Structurally Tested

EAL2 requires the cooperation of the developer in terms of the delivery of designinformation and test results, but should not demand more effort on the part of thedeveloper than is consistent with good commercial practice. As such it should notrequire a substantially increased investment of cost or time.EAL2 is therefore applicable in those circumstances where developers or users require alow to moderate level of independently assured security in the absence of readyavailability of the complete development record. Such a situation may arise whensecuring legacy systems.

EAL3: Methodically Tested and Checked

EAL3 permits a conscientious developer to gain maximum assurance from positivesecurity engineering at the design stage without substantial alteration of existing sounddevelopment practices.EAL3 is applicable in those circumstances where developers or users require a moderatelevel of independently assured security, and require a thorough investigation of the TOEand its development without substantial re-engineering.

EAL4: Methodically Designed, Tested and Reviewed

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are AIX, [http://www.commoncriteriaportal.org/products_OS.html#OS Common Criteria certified product list] ] HP-UX, Solaris, Novell NetWare, SUSE Linux Enterprise Server 9, [ [http://www.commoncriteriaportal.org/files/epfiles/0256a.pdf Certification Report for SUSE Linux Enterprise Server 9] ] SUSE Linux Enterprise Server 10, [ [http://www.niap-ccevs.org/cc-scheme/st/?vid=10271 SUSE Linux Enterprise Server 10 EAL4 Certificate] ] Windows 2000 Service Pack 3 and Red Hat Enterprise Linux 5. [ [http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 Red Hat Enterprise Linux Version 5 EAL4 Certificate] ]

Operating systems that provide multilevel security are evaluated at a minimum of EAL4. Examples include Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions, [ [http://www.sun.com/software/security/securitycert/docs/Solaris_10_TX_CR_v1.0_11_june_PDF.pdf Solaris 10 Release 11/06 Trusted Extensions EAL 4+ Certification Report] ] and an early version of the XTS-400.

EAL5: Semiformally Designed and Tested

EAL5 permits a developer to gain maximum assurance from security engineering basedupon rigorous commercial development practices supported by moderate application ofspecialist security engineering techniques. Such a TOE will probably be designed anddeveloped with the intent of achieving EAL5 assurance. It is likely that the additionalcosts attributable to the EAL5 requirements, relative to rigorous development withoutthe application of specialized techniques, will not be large.EAL5 is therefore applicable in those circumstances where developers or users require ahigh level of independently assured security in a planned development and require arigorous development approach without incurring unreasonable costs attributable tospecialist security engineering techniques.

Numerous smart card devices have been evaluated at EAL5, as have multilevel secure devices such as the Tenix Interactive Link. XTS-400 (STOP 6) is a general-purpose operating system which has been evaluated at EAL5 augmented.

LPAR on IBM System z is EAL5 Certified. [ [http://www-03.ibm.com/systems/z/security/ccs_certification.html IBM System z Security] ; [http://www-03.ibm.com/systems/z/security/certification.html IBM System z partitioning achieves highest certification] ]

EAL6: Semiformally Verified Design and Tested

EAL6 permits developers to gain high assurance from application of securityengineering techniques to a rigorous development environment in order to produce apremium TOE for protecting high value assets against significant risks.EAL6 is therefore applicable to the development of security TOEs for application inhigh risk situations where the value of the protected assets justifies the additional costs.

EAL7: Formally Verified Design and Tested

EAL7 is applicable to the development of security TOEs for application in extremelyhigh risk situations and/or where the high value of the assets justifies the higher costs.Practical application of EAL7 is currently limited to TOEs with tightly focused securityfunctionality that is amenable to extensive formal analysis. The Tenix Interactive Link Data Diode Device has been evaluated at EAL7 augmented, the only product to do so.

Implications of assurance levels

Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.

Impact on cost and schedule

In 2006, the US Government Accountability Office published a report on Common Criteria evaluations that summarized a range of costs and schedules reported for evaluations performed at levels EAL2 through EAL4.

In the mid to late 1990s, vendors reported spending US$1 million and even US$2.5 million on evaluations comparable to EAL4. There have been no published reports of the cost of the various Microsoft Windows security evaluations.

Augmentation of EAL requirements

In some cases, the evaluation may be "augmented" to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word augmented and usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a "plus" sign (as in EAL4+) to indicate the augmented requirements.

EAL notation

The Common Criteria standards denote EALs as shown in this article: the suffix "EAL" concatenated with a digit 1 through 7 (Examples: EAL1, EAL3, EAL5). In practice, some countries place a space between the suffix and the digit (EAL 1, EAL 3, EAL 5). The use of a plus sign to indicate augmentation is an informal shorthand used by product vendors (EAL4+ or EAL 4+).

References and footnotes

External links

* cite paper
author = GAO
title = INFORMATION ASSURANCE: National Partnership Offers Benefits, but Faces Considerable Challenges
publisher = United States Government Accountability Office
version = Report GAO-06-392
date = March 2006
url = http://www.gao.gov/new.items/d06392.pdf
format = PDF
accessdate = 2006-07-10

*cite conference
first = Richard
last = Smith
title = Trends in Government Endorsed Security Product Evaluations
booktitle = Proc. 20th National Information Systems Security Conference
month = October | year = 2000
url = http://www.csrc.nist.gov/nissc/2000/proceedings/papers/032.pdf
accessdate = 2006-07-10

* [http://www.niap-ccevs.org/cc-scheme/vpl/ CCEVS Validated Products List]
* [http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13 Common Criteria Assurance Level information from IACS]
* [http://www-03.ibm.com/servers/aix/products/aixos/certifications/ IBM AIX operating system certifications]
* [http://www.windowsecurity.com/articles/Windows-Common-Criteria-Certification-Part-I.html Microsoft Windows and the Common Criteria Certification]
* [http://www.linuxsecurity.com/content/view/118374/65/ SUSE Linux awarded government security cert]
* [http://www.digitalnet.com/solutions/information_assurance/xts400_trusted_sys.htm XTS-400 information]
* [http://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html Understanding the Windows EAL4 Evaluation]


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Evaluation Assurance Level — Die Common Criteria for Information Technology Security Evaluation (kurz auch Common Criteria oder CC; deutsch etwa: Gemeinsame Kriterien für die Bewertung der Sicherheit von Informationstechnologie) sind ein internationaler Standard über die… …   Deutsch Wikipedia

  • Evaluation Assurance Level — Pour les articles homonymes, voir EAL. Evaluation Assurance Level (EAL) est un système d évaluation. Il existe 7 niveaux d’assurance d’évaluation – selon les Critères communs: EAL1 : testé fonctionnellement EAL2 : testé structurellement …   Wikipédia en Français

  • Evaluation (disambiguation) — Evaluation is the process of characterizing and appraising something of interest or of determining the value of an expression (mathematics). Computer science * determining the value of an expression (programming) * Eager evaluation or strict… …   Wikipedia

  • Niveaux d'évaluation d'assurance — Evaluation Assurance Level Pour les articles homonymes, voir EAL. Evaluation Assurance Level (EAL) est un système d évaluation. Il existe 7 niveaux d’assurance d’évaluation – selon les Critères communs: EAL1 : testé fonctionnellement… …   Wikipédia en Français

  • Common Criteria for Information Technology Security Evaluation — Critères communs Common Criteria (CC) est un standard international (ISO/CEI 15408) pour la sécurité des systèmes d information. Le nom complet du standard est Common Criteria for Information Technology Security Evaluation. En français, on… …   Wikipédia en Français

  • Common Criteria for Information Technology Security Evaluation — Die Common Criteria for Information Technology Security Evaluation (kurz auch Common Criteria oder CC; deutsch etwa Allgemeine Kriterien für die Bewertung der Sicherheit von Informationstechnologie) sind ein internationaler Standard über die… …   Deutsch Wikipedia

  • Standards für Evaluation — Evaluationen setzen bestimmte Standards voraus, damit sie vom Ergebnis her objektiv verglichen werden können. Die Homogenität der Ergebnisse soll durch die verschiedenen Auswertungen der Daten gewährleistet werden. Die DeGEval Gesellschaft für… …   Deutsch Wikipedia

  • Software Assurance — (SwA) is defined as “the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended… …   Wikipedia

  • Trusted Computer System Evaluation Criteria — (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and… …   Wikipedia

  • Course evaluation — A course evaluation is a paper or electronic questionnaire, which requires a written or selected response answer to a series of questions in order to evaluate the instruction of a given course. The term may also refer to the completed survey form …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.