Firewalls are one of your company’s product lines. You are responsible for submitting a new web application firewall (WAF) that supports large scale web traffic for certification against the Common Criteria (CC) to get an Evaluation Assurance Level (EAL). You have sent the product as Target of Evaluation (TOE), Security Target (ST), and related documentation to an approved CC laboratory for certification. After waiting for a prolonged period of four months, you finally received a CC certification report. Which of the following EAL is most likely?
A. EAL 1
B. EAL 2
C. EAL 2+
D. EAL 3
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. EAL 1.
CC PART3 V3.1 R5
According to CC PART3 V3.1 R5, the EAL1 evaluation is conducted without the assistance from the developer of the TOE. The fact that you have waited for four months for the evaluation results implies you did not assist in the CC evaluation.
Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components
EAL1 provides an evaluation of the TOE as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal outlay.