EAL3 — Methodically Tested and Checked

EAL3 is a Common Criteria assurance level (ISO/IEC 15408-3) that builds on EAL2 with development-environment security controls, a defined product life-cycle, and testing at a deeper level than the functional interface.

See the list of certified products at EAL3 tracked in NenkinTracker.

Key facts

  • Assurance families covered: adds ALC_DVS.1 (development security), ALC_LCD.1 (life-cycle definition), ALC_CMS.3 (CM coverage including implementation representation), and ATE_DPT.1 (testing: basic design) over EAL2.
  • Typical product categories: smart card operating system components in some national schemes, telecom equipment in markets that require EAL3 specifically, and legacy certificates maintained for historical reasons.
  • Relative cost/time: moderately expensive; the ALC increment materially affects how the vendor documents and audits its development environment.
  • Attack potential resisted: Basic.

What this level tests

Evaluators confirm the developer applies procedural, physical, and personnel security controls to its development site (ALC_DVS.1) and maintains a documented life-cycle model (ALC_LCD.1). Configuration management scope expands to cover the implementation representation. Evaluator testing (ATE_DPT.1) now exercises the basic TOE design, not just external interfaces.

AVA_VAN.2 still governs vulnerability analysis, so the attacker model remains Basic — the same attack potential as EAL2. AVA_VAN.3, which is the first component to raise the bar to Enhanced-Basic, is the EAL4 baseline. The substantive change at EAL3 is therefore about the developer’s process and the evaluator’s visibility into it, not about attacker strength.

Typical product categories

EAL3 is a middle-ground level. In global CCRA practice it is less common than EAL2 or EAL4, because many vendors that invest in ALC_DVS.1 and ALC_LCD.1 also go on to meet EAL4 requirements. EAL3 persists in specific markets and for legacy product families where a customer has historically required it.

Common misconceptions

EAL is an assurance level, not a security-strength rating. EAL3 tells you the evaluator reviewed more about the development environment and tested the design more deeply than at EAL2. It does not say the product has “higher security” in any absolute sense. Product strength is determined by the Security Target’s objectives and the operational environment.

EAL3 is not a CCRA-recognized level for arbitrary TOEs. CCRA mutual recognition for non-cPP evaluations caps at EAL2 plus the ALC_FLR family. EAL3 certificates are valid within their issuing scheme, but recognition by other CCRA members is limited.

Comparison to adjacent levels

  • vs. EAL2: EAL3 adds ALC_DVS.1, ALC_LCD.1, ALC_CMS.3, and ATE_DPT.1 — most of the increment is about process, not product.
  • vs. EAL4: EAL4 introduces source-code review (ADV_IMP.1), structured flaw tracking (ALC_FLR requires explicit augmentation, but ALC_TAT.1 is baseline), and an AVA_VAN.3 vulnerability analysis at Enhanced-Basic with design knowledge.

See the EAL Levels overview, or explore the glossary for the SAR vocabulary.