EAL4 — Methodically Designed, Tested, and Reviewed
EAL4 is widely regarded as the highest Common Criteria assurance level that can be achieved on commercially engineered products without designing specifically for evaluation. It adds source-code-level review, life-cycle tool controls, and vulnerability analysis at Enhanced-Basic attack potential, performed with access to design information.
Key facts
- Assurance families covered: adds ADV_IMP.1 (implementation representation, a subset), ADV_TDS.3 (basic modular design), ALC_CMC.4 (production support, acceptance procedures, automation), ALC_CMS.4, ALC_DVS.1, ALC_LCD.1, ALC_TAT.1, ATE_DPT.1, ATE_FUN.1, ATE_IND.2, AVA_VAN.3 over EAL3.
- Typical product categories: smart cards and secure ICs (often EAL4+ with AVA_VAN.5), HSMs, certified operating systems, virtualization platforms, payment and identity products.
- Relative cost/time: substantial; source-code review and developer-tool discipline are significant investments.
- Attack potential resisted: Enhanced-Basic (EAL4 baseline); Moderate or High in common augmentations (EAL4+ with AVA_VAN.4 or AVA_VAN.5).
What this level tests
Evaluators review a subset of the implementation representation (ADV_IMP.1) — in practice, source code for security-relevant modules. The TOE design must be presented at a modular level (ADV_TDS.3). Life-cycle rigor includes tool and technique controls (ALC_TAT.1) and automated configuration management (ALC_CMC.4). AVA_VAN.3 allows the evaluator to use design knowledge when crafting attacks.
Typical product categories
EAL4 is the common target for high-assurance commercial products. Smart card ICs and embedded secure elements are typically evaluated at EAL4 augmented with AVA_VAN.5 (EAL4+) because their deployment threat model requires High attack potential resistance. HSMs, certified operating systems, and certain network and storage products are likewise frequently evaluated at EAL4+ with augmentations aligned to their Protection Profile.
Common misconceptions
EAL is an assurance level, not a security-strength rating. An EAL4 certificate describes how rigorously the evaluator examined the product. It does not declare that the product will resist every threat — only the threats defined in the Security Target, analyzed to the Enhanced-Basic attack potential that AVA_VAN.3 prescribes.
EAL4+ is not a single thing. “EAL4+” is shorthand for EAL4 augmented with one or more specific assurance components. The meaningful question is which components. An EAL4+ certificate augmented with ALC_FLR.2 is very different from one augmented with AVA_VAN.5: the former adds a process for flaw handling; the latter raises the attack potential assumed in vulnerability analysis from Enhanced-Basic to High.
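To make the "which components" question concrete when reviewing a certificate, the following added example (not part of the original page) separates an EAL4-based claim into its augmentations and reports the resulting attack potential. The function name, result keys, and claim strings are constructed for illustration, and the baseline is limited to the components this page lists for EAL4.

```python
import re

# EAL4 components as listed on this page (family -> component level).
EAL4_LISTED = {
    "ADV_IMP": 1, "ADV_TDS": 3, "ALC_CMC": 4, "ALC_CMS": 4, "ALC_DVS": 1,
    "ALC_LCD": 1, "ALC_TAT": 1, "ATE_DPT": 1, "ATE_FUN": 1, "ATE_IND": 2,
    "AVA_VAN": 3,
}
# Attack potential per AVA_VAN level, as stated on this page.
ATTACK_POTENTIAL = {3: "Enhanced-Basic", 4: "Moderate", 5: "High"}

LEVEL_RE = re.compile(r"\bEAL\s*(\d)(\+?)")
COMPONENT_RE = re.compile(r"\b([A-Z]{3}_[A-Z]{3})\.(\d+)\b")


def interpret_claim(claim):
    """Split an EAL4-based assurance claim into baseline and augmentations."""
    m = LEVEL_RE.search(claim)
    if not m or m.group(1) != "4":
        raise ValueError("only EAL4-based claims are handled")
    van = EAL4_LISTED["AVA_VAN"]
    raised, new_family, not_augmenting = [], [], []
    for family, level_text in COMPONENT_RE.findall(claim):
        level, name = int(level_text), f"{family}.{level_text}"
        listed = EAL4_LISTED.get(family)
        if listed is None:
            new_family.append(name)      # family absent from the page's list
        elif level > listed:
            raised.append(name)          # higher component in a listed family
            if family == "AVA_VAN":
                van = max(van, level)
        else:
            not_augmenting.append(name)  # at or below the listed component
    if m.group(2) and not (raised or new_family):
        # A bare "EAL4+" says nothing until the components are named.
        raise ValueError("'+' claimed but no augmenting component named")
    return {
        "raised": raised,
        "new_family": new_family,
        "not_augmenting": not_augmenting,
        "attack_potential": ATTACK_POTENTIAL.get(van, "unknown"),
    }


if __name__ == "__main__":
    # Constructed claim strings, not taken from real certificates.
    for text in ("EAL4+ (ALC_FLR.2)", "EAL4 augmented with ALC_DVS.2 and AVA_VAN.5"):
        print(text, "->", interpret_claim(text))
```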
Comparison to adjacent levels
- vs. EAL3: EAL4 introduces source-level review, more automated CM, and AVA_VAN.3 design-aware vulnerability analysis.
- vs. EAL5: EAL5 requires semiformal design notation, full implementation representation (ADV_IMP.2), and substantially more evaluation effort; few products outside smart cards and high-assurance OS kernels reach EAL5.