NIAP certification and EAL certification both deal with the security testing of IT products, but they differ in approach and criteria. Learn the difference between these two standards and why NIAP is now preferred.
NIAP certification comes from the National Information Assurance Partnership, which oversees security testing, evaluation and validation of IT products and systems — including those used in national security systems. NIAP created the Common Criteria Evaluation and Validation Scheme, or CCEVS, which implements the international Common Criteria standard. That standard allows a product to be evaluated once and sold in multiple countries: under the Common Criteria Recognition Arrangement, accredited laboratories, regardless of their geographic location or national affiliation, test products using the same criteria and testing methodology. The terms “NIAP” and “CCEVS” are commonly used interchangeably.
What Is EAL?
EAL certification, short for Evaluation Assurance Level, was a numerical rating system used to describe the thoroughness of a product evaluation. Each EAL number corresponded to a rank assigned to an IT product or system, with EAL1 being the most basic and EAL7 the most rigorous and costly. At a given EAL the assurance requirements were the same for every product and system, but the functional requirements were not, so two products within the same protection profile could be evaluated at different levels and with different security functionality. This made meaningful comparisons very difficult.
Starting in 2013, NIAP stopped accepting EAL-based evaluations and transitioned to Protection Profiles, or PPs, to provide achievable, repeatable, testable evaluation results. PPs reduce the confusion associated with EAL certification: end users and buyers simply look for products that are compliant with the PP that matches their requirements.