Sorry, you need to enable JavaScript to visit this website.
Skip to main content

Evaluation Assurance Levels (EAL)

3D line chart

The Common Criteria have seven assurance levels: from EAL1, the lowest, to EAL7, the highest. At present, only assurance levels up to EAL2 have been incorporated within the international Common Criteria Recognition Arrangement (CCRA). The seven levels are described below. The CCRA is moving away from EAL-based evaluations in favour of Protection Profile evaluations.

Level Purpose
EAL1 Functionally Tested. Provides analysis of the security functions, using afunctional and interface specification of the target of evaluation (TOE), tounderstand the security behaviour. The analysis is supported by independenttesting of the security functions.
EAL2 Structurally Tested. Analysis of the security functions using a functional and interface specification and the high level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer 'black box' testing, and evidence of a development search for obvious vulnerabilities.
EAL3 Methodically Tested and Checked. The analysis is supported by 'grey box' testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required.
EAL4 Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
EAL5 Semi-formally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semi-formal presentation of the functional specification and high level design, and a semi-formal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attack. Covert channel analysis and modular design are also required.
EAL6 Semi-formally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened.
EAL7 Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high level design showing correspondence. Evidence of developer 'white box' testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised.
July 1st, 2018