Which standard set defines a framework for evaluating IT product security using Evaluation Assurance Levels (EALs)?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which standard set defines a framework for evaluating IT product security using Evaluation Assurance Levels (EALs)?

Explanation:
Common Criteria defines a framework for evaluating the security of IT products and uses Evaluation Assurance Levels to express how deeply and rigorously an evaluation is performed. The EAL scale ranges from basic testing to highly formal verification, indicating the level of confidence a buyer can have in the product’s security claims. Evaluations look at the product’s design, implementation, and testing evidence, governed by a structured process that includes Protection Profiles and Security Targets. This framework is standardized internationally (ISO/IEC 15408), allowing consistent comparisons across different products. Other options address different objectives—cloud trust programs, general cybersecurity risk management, or privacy law—rather than the specific EAL-based evaluation framework.

