Common Criteria EAL Levels

There is no way to say it, I found this system assurance evaluation stuff incredibly boring.

It’s probably not going to be tested heavily on the CISSP exam, but there are a few things they might want you to know.

Think of this post as a place where you can come to to get some quick memory-refreshing facts about the Common Criteria EAL levels instead of having to comb through a giant book or technical Google search.

Why Do We Need the Common Criteria?

Common Criteria is now the industry standard measure for system evaluation.

When we say “system”, think of an operating system like Windows.

TCSEC and ITSEC either had too many levels of evaluation (confusing), or didn’t cover all the issues in a growing security world(frustrating).

Common Criteria solves both these issues by asking “What’s the issue these days and how can it be resolved?” through the use of protection profiles.

Programmers use protection profiles to design the system.

The Different Assurance Levels for Common Criteria

Memorize more the EAL levels, rather than the bullet points.

EAL1 – Functionally Tested

  • Security is not a serious concern

  • Some confidence in correct operations of system

EAL2 – Structurally Tested

  • Some developer insight and cooperation is required, mostly for legacy systems

EAL3 – Methodically Tested and Checked

  • Some level of assured security

  • Thorough analysis of TOE without extra engineering

EAL4 – Methodically Designed, Tested and Reviewed

  • Some to high level of security assurance

  • MOST operating systems today are evaluated at EAL4 < Remember this!

EAL5 – Semiformally Designed and Tested

  • High level of security assurance

  • Thorough development cycle process without extra cost

  • TOE is most likely customized to meet EAL5

EAL6 – Semiformally Verified Design and Tested

  • Designed for high value systems that are at high risk

  • Could be for custom military operating systems

EAL7 – Formally Verified Design and Tested

  • For extremely high value assets which are vulnerable to high security risks

  • The assets the system is used to protect are worth the costs

Keep studying!