Certain agencies and bureaus within the DoD do ask for this and pay for it, but most are good enough with EAL4.

Most attacks can be resolved by following the bare minimum recommendations of the MITRE ATTACK framework (marketing buzzwords aside).

Least Priviliged Access, Entitelement Management, Identity Enforcement, etc are all much easier wins and concepts that haven't been tackled yet.

Companies will provide EAL5+ if the opportunity is large enough, but it won't be publicized. Iykyk. If not, chat with your SI.

They were forced to relax them because Microsoft could not make bids that met the minimum requirements for DoD and high security projects and that made their Senators mad. They relaxed them to EAL4+ because that was the most that Microsoft could do.

They since relaxed them further to EAL2 because that is all the most large AV and cybersecurity appliance vendors could achieve. They justified it under the "swiss cheese" model where if you stack multiple EAL2 then you get EAL4 overall, which is insane. The government has since relaxed them even further since none of the companies want to do any certification since none of them can achieve a decisive edge over the others that they can write into the requirements thus disqualifying their competition, so certification is just a zero-sum game.

Outside some very limited cases, we don't have the tools to go there yet. EAL4+ is what people should aim for.

EAL6-7 certifications are basically the only known, existing certifications that have any evidence supporting that they are adequate to defend against the known and expected threats. As far as I am aware, there are no other certifications even able to distinguish products that can viably protect against organized crime and commercial spyware companies. Existing products max out every other certification and we know for a fact those products are ineffective against these threat actors. Therefore, we can conclude that those certifications are useless for identifying actual high security products adequate for the prevailing threat landscape.

Sure, if we had some other certification that could certify at that level and was more direct, that would be nice. But we do not, the only ones that we know to work and that products have been certified against are Common Criteria EAL6-7 (and maybe EAL5). We can either choose certifications that are cheap and do not work, or ones that work. Then, from the ones that work, we can maybe relax the requirements carefully to identify useful intermediate levels, or identify if some of the requirements are excessive and unnecessary for achieving the desired level of assurance.

However, the key takeaway from this is not whether we can certify products to EAL5 and higher or whether those certifications work or the cost-benefit of that certification process. The key takeaway is that EAL4 is certainly inadequate. Any product in commercial use targeting that level or lower is doomed to be useless against the threat actors who we know will attack it.

Hold on a second. Assurance level is about, well, level of assurance the developers can provide. It is in most cases just paperwork.

CC has a different mechanism to define attacker capability & resources (cant recall what it's called) and set the security goals accordingly

You could individually incorporate a higher AVA_VAN into a lower EAL as a augmentation, but few do that. You also do not get any of the other conformance assurances that a higher EAL gives you. There is a reason we use EAL as a whole instead of just quoting the AVA_VAN at each other.

Though maybe you are talking about the Security Functional Requirements (SFR) which define the security properties of your system? That is somewhat orthogonal. You have properties and assurance you conform to the properties. Conformance more closely maps to “level of security” as seen in the AVA_VAN SAR. However, the properties are just as important for the usage of the final product because you might be proving you absolutely certainly do nothing useful.

EAL4 is known to be too low against modern threats that will attack commercial users. We know this from experience where EAL4 systems are routinely defeated. Higher certification levels, such as the SKPP at EAL6/7, are known to be able to resist against much harder threats such as state actors like the NSA (defeating a NSA penetration test was a explicit requirement tested in the SKPP by the NSA themselves).

Low certification levels, like EAL4 and lower, that are the limit of the abilities of companies such as Apple and Microsoft are known to be useless against commercial threats. They are uncorrelated with protection against commercial threats because they are inadequate in much the same way that having a piece of paper in front of you is uncorrelated with surviving a gunshot. Systems that can only be certified to EAL4 and lower are certifiably useless.

I guess I don't know enough to say but I just doubt that, knowing what I know about other certifications. I expect that they're perhaps lightly correlated with security.

For example, a squat test is a reasonable measure of leg strength. Only squatting 20 kg means your leg strength is extremely weak. The test procedure is fine, getting results like that is not. If that is all you can do, that is quite problematic.

As to the certification itself, it is pretty good. Easily hacked products like iOS, Linux, and Windows are consistently unable to certify as moderately secure. That is vastly different than basically every other certification where products like Windows pass with flying colors even though we all know that is nonsense.

So, at the very least, low certification levels like EAL4 provide high confidence of lackluster security. You can withhold judgement of high assurance levels corresponding to high security if you like, but low assurance levels corresponding to low security is pretty clearly established.