Term

assurance level

Senses

(N)

A rank on a hierarchical scale that judges the confidence someone can have that a TOE adequately fulfills stated security requirements. (See: assurance, certificate policy, EAL, TCSEC.)

Example: U.S. Government guidance [M0404] describes four assurance levels for identity authentication, where each level "describes the [U.S. Federal Government] agency's degree of certainty that the user has presented [a credential] that refers to [the user's] identity." In that guidance, assurance is defined as (a) "the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued" and (b) "the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued."

The four levels are described as follows:

  • Level 1: Little or no confidence in the asserted identity.
  • Level 2: Some confidence in the asserted identity.
  • Level 3: High confidence in the asserted identity.
  • Level 4: Very high confidence in the asserted identity.

Standards for determining these levels are provided in a NIST publication [SP12]. However, as noted there, an assurance level is "a degree of confidence, not a true measure of how secure the system actually is. This distinction is necessary because it is extremely difficult -- and in many cases, virtually impossible -- to know exactly how secure a system is."

References
  • IETF RFC 4949 (Internet Security Glossary), Jan 06, 2026
    RFC 4949 — Internet Security Glossary (Version 2)
    https://www.rfc-editor.org/rfc/rfc4949.txt
    RFC 4949 is published by the IETF Trust and marked as "Distribution of this memo is unlimited". Verify IETF Trust copyright/licensing terms for reuse.
    Source: IETF RFC 4949 (rfc-editor.org).