The Digitalist Team
August 15, 2024

Common Criteria Assurance Levels: An Overview of the Evaluation Criteria and Methodology


The EUCC scheme, spearheaded by the European Union Agency for Cybersecurity (ENISA), was released in early 2024. It builds on the SOG-IS Common Criteria evaluation framework already used by 17 EU Member States.

The scheme is part of a broader legislative effort, aligning with the NIS2 Directive and the Cyber Resilience Act to ensure comprehensive cybersecurity compliance across the EU. As the first certification initiative under the Cybersecurity Act (CSA) framework, the EUCC sets the stage for future schemes, such as those focused on 5G networks (EU5G) and cloud services (EUCS).

Certifications under the EUCC are valid for up to five years, with requirements for updates if changes occur in the certified product. The scheme continues to use technical domains established by SOG-IS, with a focus on high-assurance areas like smartcards and secure hardware devices. It also introduces measures to address the static nature of traditional certification, incorporating patch management and ongoing assurance continuity, allowing for faster updates and more dynamic security maintenance.

Introduction to Evaluation Assurance Levels (EAL)

Choosing the right EAL is a fundamental part of the Common Criteria certification process. The Common Criteria Assurance Levels are designed to provide a standardized method for evaluating the security of IT products. 

Each level offers a specific set of criteria and methodologies to assess the security features of a product, ranging from basic functionality tests to rigorous, formal verification processes. The seven Common Criteria Evaluation Assurance Levels (from EAL1 to EAL7) represent incremental steps in assurance, with each higher level encompassing all the requirements of the lower levels and adding more stringent criteria.

Changes with the EUCC

The EUCC scheme introduces two primary Common Criteria Assurance Levels derived from the Cybersecurity Act (CSA): substantial and high. These levels correspond to the existing seven Evaluation Assurance Levels (EALs) but place a greater emphasis on dynamic risk assessments and tailored evaluations based on specific risks.

The substantial Common Criteria Assurance Level encompasses EAL1 to EAL3 and requires basic vulnerability analysis, defined as AVA_VAN.1 or AVA_VAN.2. At this level, the focus is on identifying and mitigating fundamental security vulnerabilities through straightforward examination and testing. AVA_VAN.1 involves a basic analysis aimed at uncovering obvious security flaws, while AVA_VAN.2 includes a more detailed review to ensure the product can withstand low-skill attacks and basic threat scenarios.

The high Common Criteria Assurance Level includes EAL4 to EAL7, which involve more rigorous vulnerability assessments, specified as AVA_VAN.3, AVA_VAN.4, or AVA_VAN.5. These higher levels demand comprehensive and sophisticated testing methods to identify potential vulnerabilities and verify the security robustness of the product. AVA_VAN.3 introduces a thorough analysis to uncover vulnerabilities that might be exploited by attackers with significant skills and resources. AVA_VAN.4 and AVA_VAN.5 further increase the rigor of the evaluation, incorporating advanced techniques and formal methods to ensure the highest levels of security assurance.

By differentiating between substantial and high Common Criteria Assurance levels, the EUCC scheme provides a structured approach to cybersecurity certification that aligns with the varying security needs of different ICT products and services. This ensures that products meet appropriate security standards, contributing to a secure and trustworthy digital ecosystem within the EU.

The seven Common Criteria Assurance Levels (from EAL1 to EAL7) represent incremental steps in assurance. Source: Freepik

EAL1 - Functionally Tested

The first Common Criteria Evaluation Assurance Level (EAL1) is the entry-level assurance, focusing on confirming that the Target of Evaluation (TOE) functions correctly according to its specifications. This level involves minimal evaluation effort, making it suitable for products where security threats are perceived as low.

Key Criteria and Methodology

The evaluation at EAL1 is based on the functional and interface specifications provided by the developer. The goal is to ensure that the TOE operates as intended without delving deeply into its internal workings. Independent testing is conducted to verify that the security functions operate as described in the Security Target (ST). This testing is straightforward and focuses on checking the basic functionality of the security features. A basic vulnerability analysis is performed to identify obvious security flaws. This involves a cursory examination to detect any glaring vulnerabilities that could compromise the security of the TOE.

At this Common Criteria Evaluation Assurance Level, there are no specific requirements for the development process or environment. The emphasis is on ensuring the completeness and clarity of the Security Target and functional specifications, along with a basic vulnerability analysis to identify obvious security flaws.

EAL2 - Structurally Tested

This Common Criteria Evaluation Assurance Level includes a more detailed review of the TOE’s design and development documentation. It is suitable for environments requiring a moderate level of independently assured security.

At EAL2, the evaluation requires examining the source code and system architecture to confirm the implementation of security functions, involving a more in-depth analysis compared to EAL1. Independent testing and vulnerability analysis are also more thorough at this level. The testing aims to uncover security issues that may not be immediately apparent.

The development environment and the security features implemented within the TOE are scrutinized. Evaluating the processes and controls in place ensures the secure development of the product.

Configuration management and secure delivery procedures are evaluated to ensure they meet security standards. This involves checking that the product is securely managed and delivered to prevent unauthorized modifications.

EAL3 - Methodically Tested and Checked

EAL3 involves systematic testing and a detailed analysis of the development process. This level focuses on the implementation and architectural design to identify potential security issues.

The Common Criteria Evaluation Assurance Level EAL3 involves systematic testing to verify that the TOE operates as intended and that the security functions are correctly implemented. A thorough analysis of the detailed design and architectural documents is completed, including an in-depth review of how the security functions are integrated into the overall architecture.

Independent vulnerability testing can identify potential security issues; this testing is more rigorous and thorough than at lower Common Criteria Evaluation Assurance Levels. The development environment is evaluated to ensure it adheres to secure design and development practices. This includes verifying that the processes and controls in place are sufficient to develop a secure product.

At this Common Criteria Evaluation Assurance Level, it is crucial to verify configuration management and secure handling of the TOE throughout its lifecycle to ensure the product's security from development to deployment and maintenance.

The EUCC scheme’s mapping of substantial and high Common Criteria Assurance Levels. Source: Freepik

EAL4 - Methodically Designed, Tested, and Reviewed

The fourth Common Criteria Evaluation Assurance Level emphasizes extensive testing and formalization of the development process. This level is suitable for products that require a higher level of assurance and are subject to increasing cybersecurity threats.

EAL4 focuses on extensive testing and review of the security architecture. This includes a detailed examination of the security policy model and the TOE's security architecture. Independent testing is conducted in a controlled environment to verify the security functions. 

A rigorous analysis of the development process, including configuration management and lifecycle support, ensures that the product is developed securely. A thorough vulnerability assessment is conducted, including an analysis of potential covert channels, so that the product is examined thoroughly and exploitable vulnerabilities are mitigated.

EAL5 - Semi-Formally Designed and Tested

EAL5 requires semi-formal design descriptions and rigorous development procedures, making it suitable for high-assurance systems with the potential for sophisticated attacks.

This Common Criteria Evaluation Assurance Level emphasizes verifying the design through semi-formal methods. Semi-formal design specifications provide unambiguous descriptions of the security functions.

Comprehensive vulnerability analysis and sophisticated independent testing are performed to ensure robustness. A detailed examination of the configuration management and secure delivery procedures ensures that the product is securely managed and delivered.

A rigorous analysis of the TOE's security functions and their implementation against the semi-formal design descriptions is performed, confirming that the security mechanisms are correctly implemented and operate as intended.

EAL6 - Semi-Formally Verified Design and Tested

EAL6 involves high-level security engineering and formal methods for design verification. This level is suitable for environments facing significant security threats requiring high assurance.

EAL6 focuses on semi-formal and formal verification techniques to ensure security. Semi-formal and formal design specifications thoroughly describe the security functions and their interactions.

Extensive testing, including in-depth vulnerability analysis and penetration testing, is conducted. A formal security policy model and verification of the design and implementation against this model are required. This ensures that the security functions are correctly specified and implemented.

A thorough review of the development, maintenance, and operational procedures is essential to ensure consistent security. This involves verifying that the processes and controls are sufficient to maintain the product's security throughout its lifecycle.

EAL7 - Formally Verified Design and Tested

EAL7 is the highest Common Criteria Evaluation Assurance Level, requiring formal methods for design and implementation verification. This level is suitable for extremely high-risk environments where utmost security is critical.

EAL7 focuses on the formal verification of the TOE's security functions. Formal and mathematically verified design and implementation ensure that the security functions are correctly specified and implemented.

A comprehensive security policy model that is formally verified is required, ensuring that the security functions are correctly specified and implemented.

Rigorous and exhaustive testing includes formal verification methods and sophisticated vulnerability analysis. 

A detailed and systematic review of the TOE’s lifecycle, including development, maintenance, and operational procedures, is performed to ensure consistent and ongoing security. This involves verifying that the processes and controls are sufficient to maintain the product's security throughout its lifecycle.

Summary

In conclusion, understanding the Common Criteria Evaluation Assurance Levels and their corresponding criteria under the EUCC scheme is essential for IT professionals seeking to ensure the security of their products. By adhering to these structured evaluation processes, organizations can achieve higher levels of assurance and contribute to a secure and trustworthy digital ecosystem within the EU.

From EAL1’s basic functionality testing to EAL7’s formal and exhaustive verification processes, each level builds on the previous one, adding more stringent criteria and methodologies to ensure robust security. The EUCC scheme’s mapping of substantial and high Common Criteria Assurance Levels further enhances the evaluation process, ensuring that ICT products meet the highest cybersecurity standards.
