EAL1 — Functionally Tested

EAL1 is the entry assurance level of Common Criteria (ISO/IEC 15408-3). It provides independent confirmation that a Target of Evaluation (TOE) behaves as its documentation describes, based on minimal developer evidence.

See the list of certified products at EAL1 tracked in NenkinTracker.

Key facts

  • Assurance families covered: ADV_FSP.1 (basic functional specification), AGD_OPE.1 / AGD_PRE.1 (guidance and preparative procedures), ALC_CMC.1 / ALC_CMS.1 (configuration list), ATE_IND.1 (independent testing), AVA_VAN.1 (basic vulnerability survey).
  • Typical product categories: low-risk commodity software and components, internal tooling, products where the operational environment carries most of the trust.
  • Relative cost/time: the cheapest and fastest CC level; typically a few months of evaluation effort.
  • Attack potential resisted: Basic attacker with public information.

What this level tests

Evaluators confirm that the TOE performs as stated in its Security Target, check the vendor-supplied guidance, and run baseline independent testing (ATE_IND.1). The AVA_VAN.1 vulnerability survey is limited to public-domain sources: evaluators look for known issues rather than performing new penetration testing.

There is no requirement to review design or source code. The developer provides a functional specification and a basic configuration list; nothing about the internal structure of the TOE is examined.

Typical product categories

EAL1 is uncommon for commercial security products because most procurement requirements ask for at least EAL2. It is occasionally seen for auxiliary software distributed alongside higher-assured components, for products in early programmes where a baseline certificate is sufficient, and for items evaluated only to demonstrate conformance to a minimal Protection Profile.

Common misconceptions

EAL is an assurance level, not a security-strength rating. EAL1 does not mean “a little secure.” It means the evaluator performed a shallow review. A TOE at EAL1 with strong design can be genuinely secure; a TOE at EAL1 with weak design may not be. The certificate attests only that the TOE does what the vendor says it does, to the limited depth of EAL1.

Comparison to adjacent levels

  • vs. EAL2: EAL2 adds a high-level design review (ADV_TDS.1), independent vulnerability analysis beyond a public survey (AVA_VAN.2), and stronger configuration management. Evaluator testing covers a subset of the TSF (ATE_COV.1, ATE_FUN.1); depth of testing (ATE_DPT.1) first appears at EAL3, so neither EAL1 nor EAL2 requires it.
  • vs. no certification: EAL1 still demands an independently written Evaluation Technical Report and a published Certification Report — useful when a customer needs any third-party attestation.

See the EAL Levels overview for the full comparison table, or the glossary for the underlying SAR vocabulary.