ISA 2004 Standard Edition has achieved EAL4+ Common Criteria

The wait has been long, as those of you who are familiar with the time it takes to achieve EAL4 approval will understand.

Common Criteria is an assessment/approval programme for the security capability of software products as agreed by many governments around the world (at least fifteen countries including the USA, UK, and Germany). The levels range from 1 (least comprehensive) to 7 (most comprehensive). EAL 4 is the highest mutually recognised level - above this each government customer takes their own approach. I gather that most EAL 6 and 7 systems are in orbit - that somewhat reduces their attack surface!

The assessment was carried out by an independent testing laboratory known as a CLEF. There's debate as to the meaning of the "L" in the acronym (according to the two UK CLEF Managers!); the rest stands for Commercial Evaluation Facility.

Few firewalls have EAL4 certificates, and those that do often require specific hardware appliances to comply. Many Government customers (defence being a good example) often mandate EAL4 compliance for any network edge security software. Be aware that whilst EAL4 is a good indicator of the quality of the software, the CONFIGURATION/IMPLEMENTATION BY YOU/YOUR SUPPLIER must match the requirements of your security policy to have benefit.

ISA Standard Edition has EAL4+, which means that it was evaluated for at least one higher-level assurance requirement - in this case we added "Flaw remediation" to the assessment criteria as well as deeper independent vulnerability assessment (AVA_VLA 3 instead of the required AVA_VLA 2).

A complete list of Common Criteria evaluated products can be found by clicking here

The certification will be mentioned on Germany's BSI site following their next update. It will be listed here.

One last point - when assessing the value of a product's Common Criteria certification inquire about the "target of evaluation" - this is a definition of the functions and features to be assessed - some products only go for assessment of a small subset of features.
