Historical Perspective
The U.S. Government supports the security and trustworthiness of IT products that are part of the national information infrastructure, in both the public and private sectors. In fulfilling their responsibilities under Public Law 100-235 (Computer Security Act of 1987), NIST and NSA have worked with government and industry to develop and apply the information security technology, assurance metrics and standards necessary for the protection of information critical to the overall economic and national security interests of the United States. For over two decades, NIST and NSA have promoted security in commercial off-the-shelf IT products. These efforts have focused primarily on government-sponsored initiatives to produce effective IT security evaluation criteria (e.g., the Trusted Computer System Evaluation Criteria and the Federal Criteria for Information Technology Security) and to evaluate products developed by industry in response to those criteria.
The development of similar IT security evaluation criteria by Canada and several European nations during the last decade, together with recognition of the increasing worldwide markets for U.S. manufacturers of IT products, prompted the effort to begin harmonizing existing evaluation criteria into common criteria -- internationally accepted and standards-based. The Common Criteria is the result of a multi-year effort by the governments of the U.S., Canada, United Kingdom, France, Germany, and the Netherlands to develop harmonized security criteria for IT products.
At the same time the Common Criteria were being developed, there was a parallel effort to transition trusted product evaluations from the government to the private sector. NSA began the transition of its commercial IT product evaluation capability (i.e., the Trusted Product Evaluation Program) to the private sector with the establishment of the Trust Technology Assessment Program (TTAP). Under this program, IT security evaluations were conducted by commercial testing laboratories using the Trusted Computer System Evaluation Criteria (TCSEC) in accordance with cooperative research and development agreements. The transition continued under the Common Criteria Evaluation and Validation Scheme (CCEVS), with commercial testing laboratories conducting Common Criteria-based evaluations of IT products on a fee-for-service basis using the Common Evaluation Methodology.