Home > Resources > Technical Resources > Black Box Explains > KVM > NIAP Certification vs. EAL Certification for Security Testing

NIAP Certification vs. EAL Certification for Security Testing

Black Box Explains

NIAP certification and EAL certification both deal with the security testing of IT products. However, they vary in their approach and criteria. Learn the difference between these two international standards and why NIAP is now preferred.

NIAP Certification

NIAP certification comes from the National Information Assurance Partnership, which oversees security testing, evaluation and validation of IT products and systems — including those used in national security systems. NIAP created the Common Criteria Evaluation and Validation Scheme, or CCEVS. This international standard allows for products to be evaluated once and sold in multiple countries. As part of the Common Criteria Recognition Arrangement, accredited laboratories, regardless of their geographic location or national affiliation, test products using the same criteria and testing methodology. The terms "NIAP" and "CCEVS" are commonly used interchangeably.

What Is EAL?

EAL certification, short for Evaluation Assurance Level, was a numerical rating system used to describe the thoroughness of product evaluation. Each EAL certification number corresponded to a rank assigned to an IT product or system, with EAL1 being the most basic and EAL7 the most intense and costly. Although assurance requirements for each product and system were the same, functional requirements were different, and each product could have different levels within the same protection profile. Making comparisons was very difficult.

Starting in 2013, NIAP stopped accepting EAL-based evaluations and transitioned to Protection Profiles, or PPs, in order to provide achievable, repeatable, testable evaluation results. PPs reduce confusion compared to EAL certification. End users and buyers simply look for products that are PP compliant for the PP that matches their requirement.

Comparison Chart

NIAP certification EAL certification
All vendors within the same product type must adhere to the same security requirements Vendor individually chooses which security requirements to claim, causing inconsistencies across similar products
Evaluation methods approved by the Common Criteria Recognition Arrangement Limited recognition from the Common Criteria Recognition Arrangement, only up to EAL2
An objective approach in evaluation methods A subjective approach to identify product functional requirements
Relevant, achievable, repeatable results with standard threat models and security functional requirements that must be captured in a Protection Profile Protection profiles not used, and results not repeatable across different products and vendors
Protection Profiles developed by technical communities through the Common Criteria community Generic requirements developed by individual vendors
Threats identified and mandated by the NSA and other international security agencies; hardware requirements based on threats Threats identified after vendor maps product functionality to Common Criteria, causing differing hardware requirements and less assurance

Learn more about the transition from EAL certification to NIAP certification

More About NIAP Common Criteria

NIAP Common Criteria is a set of international guidelines for the security of IT products. It was developed to provide assurance to the buyer and end user that specification, evaluation and implementation of each product were conducted in a thorough and standardized manner. To meet NIAP Common Criteria requirements, each product must be tested and verified by a third-party security lab. NIAP Common Criteria is mandatory for the U.S. federal government and many other international governments.

More About Protection Profiles

NIAP Common Criteria can be applied to many IT products, such as software, network switches and routers, firewalls, email clients and even USB flash drives. Each type of product has an established Protection Profile that determines security requirements for the specific class of equipment. The PP specifies evaluation criteria to confirm the equipment's conformance to the security requirement for that family of products. Protection Profiles establish an internationally recognizable baseline for security requirements and techniques.

Learn more about NIAP Common Criteria and compliant products: