The history of computer security certification and of the Common Criteria standard is often neglected. This page offers an overview of the standards that preceded the Common Criteria and of how they helped shape what is today one of the most widespread IT security evaluation frameworks.

The Common Criteria originated from three different standards, each with its own particularities and characteristics.

  • The Information Technology Security Evaluation Criteria (ITSEC), a set of structured criteria for evaluating the level of computer security within any given product or system. It was first made public in 1990 in several countries, including Germany, France, the Netherlands and the United Kingdom, where previous security evaluation work had been carried out;
  • The Trusted Computer System Evaluation Criteria (TCSEC), a standard released by the U.S. Government Department of Defense. It sets out the basic requirements for assessing the effectiveness of the computer security controls built into any given computer system. Its main uses were the evaluation, classification and selection of computer systems for tasks involving the processing, storage or retrieval of highly sensitive or classified data. The standard is also known as the “Orange Book”, and it is a central part of the series of publications on computer security by the National Computer Security Center;
  • The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), another computer security standard, developed and published in 1993 to offer a set of evaluation criteria for multiple IT products, combining characteristics of both ITSEC and TCSEC.

The Common Criteria standard was developed to unify these three standards, so that companies offering computer products, mainly for the government market, could evaluate those products against a single set of security standards.