NIAP Certification vs. EAL Certification for Security Testing

NIAP certification and EAL certification both deal with the security testing of IT products, but they differ in approach and criteria. Learn the difference between these two approaches to Common Criteria evaluation and why NIAP now requires the Protection Profile-based approach instead of EAL ratings.

NIAP Certification

The National Information Assurance Partnership (NIAP) is the U.S. organization responsible for implementing the Common Criteria framework in the United States. The Common Criteria Evaluation and Validation Scheme (CCEVS) is the U.S. evaluation scheme operated under NIAP to meet the requirements of the Common Criteria Recognition Arrangement (CCRA). NIAP CCEVS oversees evaluations of commercial IT products for use in national security systems. The advantage of using the Common Criteria international standard is that a product can be evaluated once and sold in multiple nations, which makes efficient use of both government and industry resources. The CCRA ensures that accredited laboratories, regardless of their geographic location or national affiliation, test products against the same criteria using the same methodology. The terms "NIAP" and "CCEVS" are commonly used interchangeably.

EAL Certification

Evaluation Assurance Level (EAL) is a numerical rating, defined in the Common Criteria, that was used to describe the depth and rigor of a product evaluation. It is a measure of how thoroughly the product was examined, not of which security functions it provides. There were seven levels: EAL1 was the most basic and least costly to evaluate and implement, whereas EAL7 was the most intensive and costly.

Starting in 2013, NIAP stopped accepting EAL-based evaluations and transitioned to evaluations requiring exact conformance to technology-specific Protection Profiles (PPs), in order to produce achievable, repeatable, and testable results. This removed the confusion that EAL ratings had caused for buyers and end users.

Under the EAL approach, two products claiming the same EAL shared the same assurance requirements, but their functional requirements could differ, because each vendor chose which security functions to claim in its own Security Target. Two "EAL4" products in the same product category could therefore have been evaluated against very different sets of security functions, making meaningful comparison very difficult. End users and buyers now only have to look for products that are listed as compliant with the Protection Profile matching their requirement, rather than trying to work out what a given EAL number actually covered.

Comparison Chart

Security requirements
NIAP certification: All vendors within the same product type must adhere to the same security requirements.
EAL certification: Each vendor individually chose which security requirements to claim, causing inconsistencies across similar products.

International recognition
NIAP certification: Evaluation methods approved by the Common Criteria Recognition Arrangement.
EAL certification: Limited recognition under the Common Criteria Recognition Arrangement, only up to EAL2.

Evaluation approach
NIAP certification: An objective approach, with evaluation activities defined in advance for the product type.
EAL certification: A subjective approach, with the vendor identifying the product's functional requirements.

Repeatability of results
NIAP certification: Relevant, achievable, repeatable results, with standard threat models and security functional requirements captured in a Protection Profile.
EAL certification: Protection Profiles not required, and results not repeatable across different products and vendors.

Source of requirements
NIAP certification: Protection Profiles developed by technical communities within the Common Criteria community.
EAL certification: Generic requirements developed by individual vendors.

Threat model
NIAP certification: Threats identified and mandated by the NSA and other international security agencies, with hardware requirements derived from those threats.
EAL certification: Threats identified only after the vendor mapped product functionality to Common Criteria, resulting in differing hardware requirements and less assurance.

What is Common Criteria?

Common Criteria (ISO/IEC 15408) is an internationally recognized standard for evaluating the security of information technology products. It was developed to give buyers and end users assurance that the specification, evaluation, and implementation of each product were carried out in a thorough and standardized manner. To meet Common Criteria requirements, each product must be independently tested and verified by a third-party security lab to behave securely against an internationally agreed standard.

Common Criteria produces consistent results that are verified by a third-party testing facility against specific security requirements. In the United States, Common Criteria validation is mandatory for IT products used in national security systems (CNSS Policy 11), and many other governments impose similar requirements.

What is a Protection Profile (PP)?

The Common Criteria can be applied to many different information technology products, such as software, network switches and routers, firewalls, email clients, and even USB flash drives. A Protection Profile (PP) is written for each type of product and defines the security requirements for that class of equipment: the threats the product must counter, the security functions it must provide, and the evaluation activities a lab must perform to confirm conformance. Protection Profiles establish an internationally recognizable baseline of security requirements and test techniques for a product family, so that any product claiming conformance to the same PP has been evaluated against the same requirements.


Why purchase a Common Criteria-certified product such as Black Box Secure KVM Switches?

Black Box Secure KVM Switches have been rigorously tested and evaluated by an Accredited Testing and Evaluation (AT&E) security lab accredited under the National Institute of Standards and Technology's National Voluntary Laboratory Accreditation Program (NVLAP). The switches are tested in accordance with internationally accepted criteria under the NSA-managed NIAP framework. This means that the security features of all Black Box Secure KVM products validated against the NIAP Protection Profile for Peripheral Sharing Devices (PSD) version 4.0 have been independently verified: each product has undergone vulnerability analysis, has passed penetration testing against the threats defined in the PP, and has had its engineering development process inspected as required by the PSD v4.0 Protection Profile.
