PrepAway - Latest Free Exam Questions & Answers

Which statement below is accurate about Evaluation Assurance Levels (EALs) in the Common Criteria (CC)?


A. A security level equal to the security level of the objects to which the subject has both read and write access

B. Requirements that specify the security behavior of an IT product or system

C. A statement of intent to counter specified threats

D. Predefined packages of assurance components that make up security confidence rating scale

Explanation:
An Evaluation Assurance Level (EAL) is one of seven increasingly rigorous packages of assurance requirements from CC Part 3. Each numbered package represents a point on the CC's predefined assurance scale. An EAL can be considered a level of confidence in the security functions of an IT product or system. The EALs have been developed with the goal of preserving the concepts of assurance drawn from the source criteria, such as the Trusted Computer System Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC), or Canadian Trusted Computer Evaluation Criteria (CTCPEC), so that results of previous evaluations remain relevant. EAL levels 2–7 are generally equivalent to the assurance portions of the TCSEC C2-A1 scale, although exact TCSEC mappings do not exist.

* Answer “A security level equal to the security level of the objects to which the subject has both read and write access” is the definition of Subject Security Level. A subject's security level is equal to the security level of the objects to which it has both read and write access. A subject's security level must always be dominated by the clearance of the user with which the subject is associated.
* Answer “A statement of intent to counter specified threats” describes a Security Objective, which is a statement of intent to counter specified threats and/or satisfy specified organizational security policies and assumptions.
* Answer “Requirements that specify the security behavior of an IT product or system” describes Security Functional Requirements. These are requirements, preferably from CC Part 2, that when taken together specify the security behavior of an IT product or system.

Source: CC Project and DoD 5200.28-STD.
