What is an EAL?
EAL stands for "Evaluation Assurance Level" and indicates the level of assurance that was claimed by the sponsor of the evaluation. Specific information about what EALs are available and what assurance components they encompass can be found in the Common Criteria Part 3 document, downloadable from the Common Criteria Portal.
How long does an evaluation take?
There are many factors that contribute to the length of an evaluation. Some of these factors include the complexity of the product, the suitability of your evidence for evaluation, the stage of the development cycle that your product is currently in, and the readiness of the scheme to commit validation resources to the evaluation. An EAL2 can take from 4 to 6 months, an EAL3 can take from 6 to 9 months and an EAL4 may take from 12 to 24 months.
Which Scheme should I choose?
Because the Common Criteria is mutually recognized in over 22 countries, you have a choice as to which scheme to apply to for evaluation. Some things that might factor into your decision include: the EAL that you would like to claim, the experience of the scheme in validating your product type, and the location of the laboratory in relation to the location of your development sites to be visited (if applicable). CSC’s knowledgeable professionals can help you decide which validation scheme will be best for you and your product.
FAQs Specific to the United States
Is the U.S. Scheme currently accepting evaluations?
Beginning 1 October 2007, for FY08, the NIAP CCEVS office will begin accepting US Government PP compliant (basic, medium or high robustness) and EAL 4 evaluations of products in support of National Security customers. Product submissions meeting the above criteria will be queued and validation resources allocated as they become available. Detailed letters of intent identifying DoD or IC customers will continue to be required.
Why should I have my product evaluated?
In the United States, NSTISSP #11 mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Cryptographic Module Validation Program.
Even if certification of your product is not required, there can be many advantages to Common Criteria certification:
- Provide assurance to your customers that your product’s security features function as expected
- Go a step beyond your competitors by voluntarily having your product evaluated against an international standard
For More Information:
Contact us and let our Common Criteria experience help you produce results.