EAL Certification is Dead

In October of 2009, the National Information Assurance Partnership (NIAP) transitioned away from Evaluation Assurance Levels (EAL) and moved to Protection Profiles (PP). NIAP made the move to PPs because EAL requirements gave a false level of security. With EAL, vendors were able to dictate the Target of Evaluation (TOE) and define the boundary for their product’s EAL evaluation. To accelerate their evaluation process, vendors typically defined a narrow TOE scope. Once certified, vendors would claim a high level of security assurance without advertising the narrow scope of their self-defined TOE.

EAL diminished the credibility of Common Criteria and NIAP. To restore and strengthen their brand, NIAP created Protection Profiles with security assurance requirements to provide more consistent, repeatable and objective testing methodologies. As part of the Protection Profile creation process, NIAP sponsors technical communities to help build, maintain and manage the protection profiles instead of letting vendors unilaterally dictate the scope of evaluations. There are currently 22 approved protection profiles: https://www.niap-ccevs.org/pp/. If a PP does not exist for a certain category, NIAP will work with the vendor, lab and customer to determine the best way to move forward. This stricter Protection Profile approach ensures that when vendors achieve PP certifications, they are all evaluated against well-defined, standardized criteria.

Forum Sentry API Gateway is the first API gateway to attain Network Device Protection Profile (NDPP) Compliance and can be found on NIAP’s Product Compliance List.