Editing Evaluation Assurance Level

{{Short description|Numerical grade assigned following Common Criteria}}
The '''Evaluation Assurance Level''' ('''EAL1''' through '''EAL7''') of an IT product or system is a numerical grade assigned following the completion of a [[Common Criteria]] security evaluation, an [[international standard]] in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented.  The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

To achieve a particular EAL, the computer system must meet specific ''assurance requirements''. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same ''assurance'' requirements to achieve a particular level, they do not have to fulfill the same ''functional'' requirements. The functional features for each certified product are established in the ''[[Security Target]]'' document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL ''should'' indicate the more trustworthy product for that application.

== Assurance levels ==

=== EAL1: Functionally tested<span class="anchor" id="EAL1"></span> ===

EAL1 is applicable where some confidence in correct operation is required, but the
threats to security are not viewed as serious. It will be of value where independent
assurance is required to support the contention that due care has been exercised with
respect to the protection of personal or similar information.
EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, including
independent testing against a specification, and an examination of the guidance
documentation provided. It is intended that an EAL1 evaluation could be successfully
conducted without assistance from the developer of the TOE, and for minimal cost. An
evaluation at this level should provide evidence that the TOE functions in a manner
consistent with its documentation, and that it provides useful protection against
identified threats.

=== EAL2: Structurally tested<span class="anchor" id="EAL2"></span> ===

EAL2 requires the cooperation of the developer in terms of the delivery of design
information and test results, but should not demand more effort on the part of the
developer than is consistent with good commercial practice. As such it should not
require a substantially increased investment of cost or time.
EAL2 is therefore applicable in those circumstances where developers or users require a
low to moderate level of independently assured security in the absence of ready
availability of the complete development record. Such a situation may arise when
securing legacy systems.

=== EAL3: Methodically tested and checked<span class="anchor" id="EAL3"></span> ===

EAL3 permits a conscientious developer to gain maximum assurance from positive
[[security engineering]] at the design stage without substantial alteration of existing sound
development practices.
EAL3 is applicable in those circumstances where developers or users require a moderate
level of independently assured security, and require a thorough investigation of the TOE
and its development without substantial re-engineering.

=== EAL4: Methodically designed, tested and reviewed<span class="anchor" id="EAL4"></span> ===

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Commercial [[operating system]]s that provide conventional, user-based security features are typically evaluated at EAL4. Examples with expired Certificate are [[AIX]],<ref name="OSEvaluations">{{Cite web |url=http://www.commoncriteriaportal.org/products_OS.html#OS |title=Common Criteria certified product list |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20131231024938/http://www.commoncriteriaportal.org/products_OS.html#OS |archive-date=2013-12-31 |url-status=dead }}</ref> [[HP-UX]],<ref name="OSEvaluations" /> [[Oracle Linux]], [[NetWare]], [[Solaris (operating system)|Solaris]],<ref name="OSEvaluations" /> [[SUSE Linux Enterprise Server|SUSE Linux Enterprise Server 9]],<ref name="OSEvaluations" /><ref>{{Cite web |url=http://www.commoncriteriaportal.org/files/epfiles/0256a.pdf |title=Certification Report for SUSE Linux Enterprise Server 9 |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20150923205652/http://www.commoncriteriaportal.org/files/epfiles/0256a.pdf |archive-date=2015-09-23 |url-status=dead }}</ref> [[SUSE Linux Enterprise Server|SUSE Linux Enterprise Server 10]],<ref>{{Cite web |url=http://www.niap-ccevs.org/cc-scheme/st/?vid=10271 |title=SUSE Linux Enterprise Server 10 EAL4 Certificate |access-date=2008-04-28 |archive-url=https://web.archive.org/web/20080522040250/http://www.niap-ccevs.org/cc-scheme/st/?vid=10271 |archive-date=2008-05-22 |url-status=dead }}</ref>  [[Red Hat Enterprise Linux|Red Hat Enterprise Linux 5]],<ref>{{Cite web |url=http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 |title=Red Hat Enterprise Linux Version 5 EAL4 Certificate |access-date=2007-06-16 |archive-url=https://web.archive.org/web/20070619182212/http://www.niap-ccevs.org/cc-scheme/st/?vid=10125 |archive-date=2007-06-19 |url-status=dead }}</ref><ref>{{Cite web|url=https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Release_Notes/security.html|title = Red Hat Customer Portal}}</ref> [[Windows 2000]] Service Pack 3, [[Windows 2003]],<ref name="OSEvaluations" /><ref name="2003EAL4+">[http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx#Microsoft Windows Platform Products Awarded Common Criteria EAL 4 Certification] {{webarchive|url=https://web.archive.org/web/20060420052906/http://www.microsoft.com/presspass/press/2005/dec05/12-14CommonCriteriaPR.mspx |date=2006-04-20 }}</ref> [[Windows XP]],<ref name="OSEvaluations" /><ref name="2003EAL4+" /> [[Windows Vista]],<ref>{{cite web|last=Myers|first=Tim|title=Windows Vista and Windows Server 2008 are Common Criteria Certified at EAL4+|url=http://blogs.msdn.com/b/timmyers/archive/2009/09/23/windows-vista-and-windows-server-2008-are-common-criteria-certified-at-eal4.aspx|publisher=Microsoft|access-date=May 15, 2013}}</ref><ref>{{cite web|title=National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme|url=http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf|access-date=May 15, 2013|archive-url=https://web.archive.org/web/20140327144626/http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf|archive-date=March 27, 2014|url-status=dead}}</ref> 
[[Windows 7]],<ref name="OSEvaluations" /><ref name="2008R2EAL4+">[https://technet.microsoft.com/en-us/library/dd229319.aspx Microsoft Windows 7, Windows Server 2008 R2 and SQL Server 2008 SP2 Now Certified as Common Criteria Validated Products]</ref> [[Windows Server 2008 R2]],<ref name="OSEvaluations" /><ref name="2008R2EAL4+" /> [[z/OS]] version 2.1 and [[z/VM]] version 6.3.<ref name="OSEvaluations" />

Operating systems that provide [[multilevel security]] are evaluated at a minimum of EAL4. Examples with active Certificate include [[SUSE LINUX Enterprise Server|SUSE Linux Enterprise Server 15]] (EAL 4+).<ref>{{cite web |title=SUSE Linux Enterprise Server 15 SP2 |url=https://www.commoncriteriaportal.org/files/epfiles/1151c_pdf.pdf |website=Common Criteria Portal |access-date=9 September 2022}}</ref> Examples with expired Certificate are [[Trusted Solaris]], [[Solaris 10|Solaris 10 Release 11/06 Trusted Extensions]],<ref>[http://www.oracle.com/technetwork/topics/security/solaris-10-tx-cr-v1-134034.pdf Solaris 10 Release 11/06 Trusted Extensions EAL 4+ Certification Report]</ref> an early version of the [[XTS-400]], [[VMware ESXi]] version 4.1,<ref name="VMware Infrastructure Earns Security Certification for Stringent Government Standards">{{Cite web|url=https://www.vmware.com/security/certifications/common-criteria.html|title=VMware Common Criteria Evaluation & Validation (CCEVS)|access-date=2019-01-27}}</ref> 3.5, 4.0, AIX 4.3, AIX 5L, AIX 6, AIX7, Red Hat 6.2 & SUSE Linux Enterprise Server 11 (EAL 4+).  vSphere 5.5 Update 2 did not achieve EAL4+ level it was an EAL2+ and certified on June 30, 2015.

=== EAL5: Semi-formally designed and tested<span class="anchor" id="EAL5"></span> ===

EAL5 permits a developer to gain maximum assurance from security engineering based
upon rigorous commercial development practices supported by moderate application of
specialist security engineering techniques. Such a TOE will probably be designed and
developed with the intent of achieving EAL5 assurance. It is likely that the additional
costs attributable to the EAL5 requirements, relative to rigorous development without
the application of specialized techniques, will not be large.
EAL5 is therefore applicable in those circumstances where developers or users require a
high level of independently assured security in a planned development and require a
rigorous development approach without incurring unreasonable costs attributable to
specialist security engineering techniques.

Numerous [[smart card]] devices have been evaluated at EAL5, as have multilevel secure devices such as the Tenix Interactive Link. [[XTS-400]] (STOP 6) is a general-purpose operating system which has been evaluated at EAL5 augmented.

[[LPAR]] on [[IBM System z]] is EAL5 Certified.<ref>[https://web.archive.org/web/20060423231416/http://www-03.ibm.com/systems/z/security/ccs_certification.html IBM System z Security]; [https://web.archive.org/web/20060512150638/http://www-03.ibm.com/systems/z/security/certification.html IBM System z partitioning achieves highest certification]</ref>

=== EAL6: Semi-formally verified design and tested<span class="anchor" id="EAL6"></span> ===

EAL6 permits developers to gain high assurance from application of security
engineering techniques to a rigorous development environment in order to produce a
premium TOE for protecting high-value assets against significant risks.
EAL6 is therefore applicable to the development of security TOEs for application in
high risk situations where the value of the protected assets justifies the additional costs.

[[Green Hills Software]]'s [[INTEGRITY-178B]] RTOS has been certified to EAL6 augmented.<ref name="OSEvaluations"/>

=== EAL7: Formally verified design and tested<span class="anchor" id="EAL7"></span> ===

EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs.

Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis.
The ProvenCore OS, developed by ProvenRun, has been certified to EAL7 in 2019 by the [[ANSSI]].<ref name="ProvenCoreCertification">
{{ cite web |url=https://provenrun.com/wp-content/uploads/2021/09/ProvenCore-Certificat-CC-EAL7.pdf |archive-url=https://web.archive.org/web/20221204113622/https://provenrun.com/wp-content/uploads/2021/09/ProvenCore-Certificat-CC-EAL7.pdf | archive-date=2022-12-04 |title=Certifications ANSSI - ProvenCore }}
</ref>  The Tenix Interactive Link ''Data Diode Device,'' the Fox-IT ''Fox Data Diode'' (one-way data communications device) and the Arbit Cyber Defence Systems ''Data Diode 10GbE'' claimed to have been evaluated at EAL7 augmented (EAL7+).<ref>{{cite web |url=https://www.fox-it.com/en/certifications/ |url-status=dead |archive-url=https://web.archive.org/web/20200923095140/https://www.fox-it.com/en/certifications/ |archive-date=2020-09-23 |title=Certifications - Fox-IT}}</ref>

== Implications of assurance levels ==

Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of [[quality assurance]] requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.

=== Impact on cost and schedule ===

In 2006, the US [[Government Accountability Office]] published a report on Common Criteria evaluations that summarized a range of costs and schedules reported for evaluations performed at levels EAL2 through EAL4.

[[Image:Common Criteria evaluation costs.gif|frame|none| Range of completion times and costs for Common Criteria evaluations at EAL2 through EAL4.]]

In the mid to late 1990s, vendors reported spending US$1 million and even US$2.5 million on evaluations comparable to EAL4. There have been no published reports of the cost of the various [[Microsoft Windows]] security evaluations.

=== Augmentation of EAL requirements ===

In some cases, the evaluation may be ''augmented'' to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word '''augmented''' and usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a "plus" sign (as in '''EAL4+''') to indicate the augmented requirements.

=== EAL notation ===

The Common Criteria standards denote EALs as shown in this article: the prefix "EAL" concatenated with a digit 1 through 7 (Examples: EAL1, EAL3, EAL5). In practice, some countries place a space between the prefix and the digit (EAL 1, EAL 3, EAL 5). The use of a plus sign to indicate augmentation is an informal shorthand used by product vendors (EAL4+ or EAL 4+).

==References==
<references/>

== External links ==

* {{Cite report |url=https://www.gao.gov/assets/gao-06-392.pdf |title=INFORMATION ASSURANCE: National Partnership Offers Benefits, but Faces Considerable Challenges |last=CAO |date=March 2006 |issue=GAO-06-392 |access-date=2006-07-10 }}
*{{cite conference
  | first = Richard
  | last = Smith
  | title = Trends in Government Endorsed Security Product Evaluations
  | book-title = Proc. 20th National Information Systems Security Conference
  | date = October 2000
  | url = http://www.csrc.nist.gov/nissc/2000/proceedings/papers/032.pdf
  | access-date = 2006-07-10
  | archive-url = https://web.archive.org/web/20061001084038/http://www.csrc.nist.gov/nissc/2000/proceedings/papers/032.pdf
  | archive-date = 2006-10-01
  | url-status = dead
}}
* [https://web.archive.org/web/20130508170117/http://www.niap-ccevs.org/vpl/ CCEVS Validated Products List]
* [https://web.archive.org/web/20041012181256/http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13 Common Criteria Assurance Level information from IACS]
* [http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_common_criteria.html Cisco Common Criteria Certifications] 
* [https://web.archive.org/web/20130604043619/http://www-03.ibm.com/systems/power/software/aix/certifications/ IBM AIX operating system certifications]
* [http://www.windowsecurity.com/articles/Windows-Common-Criteria-Certification-Part-I.html Microsoft Windows and the Common Criteria Certification] {{Webarchive|url=https://web.archive.org/web/20130117012423/http://windowsecurity.com/articles/Windows-Common-Criteria-Certification-Part-I.html |date=2013-01-17 }}
* [http://www.linuxsecurity.com/content/view/118374/65/  SUSE Linux awarded government security cert]
* [https://web.archive.org/web/20120221222220/http://www.baesystems.com/ProductsServices/bae_prod_csit_xts400.html  XTS-400 information]
* [https://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html Understanding the Windows EAL4 Evaluation]
* {{Cite report |url=https://vmware.com/pdf/vi3_security_architecture_wp.pdf |title=Security Design of the VMware Infrastructure 3 Architecture |last=Chaubal |first=Charu |date=February 2007 |issue=20070215 Item: WP-013-PRD-01-01 |access-date=2008-11-19 }}

[[Category:Computer security procedures]]
[[Category:Evaluation of computers]]
[[Category:Management cybernetics]]

[[de:Evaluation Assurance Level]]