The CC represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community. In the early 1980s the Trusted Computer System Evaluation Criteria (TCSEC) was developed in the United States. In the succeeding decade, various countries began initiatives to develop evaluation criteria that built upon the concepts of the TCSEC but were more flexible and adaptable to the evolving nature of IT in general.
In Europe, the Information Technology Security Evaluation Criteria (ITSEC) version 1.2 was published in 1991 by the European Commission after joint development by the nations of France, Germany, the Netherlands, and the United Kingdom. In Canada, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) version 3.0 was published in early 1993 as a combination of the ITSEC and TCSEC approaches. In the United States, the draft Federal Criteria for Information Technology Security (FC) version 1.0 was also published in early 1993, as a second approach to combining North American and European concepts for evaluation criteria.
Work had begun in 1990 in the International Organization for Standardization (ISO) to develop international standard evaluation criteria for general use. The new criteria were to be responsive to the need for mutual recognition of standardised security evaluation results in a global IT market. This task was assigned to Working Group 3 (WG 3) of subcommittee 27 (SC 27) of the Joint Technical Committee 1 (JTC 1). Initially, progress was slow within WG 3 because of the extensive amount of work and intensive multilateral negotiations required.
In June 1993, the sponsoring organisations of the CTCPEC, FC, TCSEC and ITSEC (which are identified in the next subclause) pooled their efforts and began a joint activity to align their separate criteria into a single set of IT security criteria that could be widely used. This activity was named the CC Project. Its purpose was to resolve the conceptual and technical differences found in the source criteria and to deliver the results to ISO as a contribution to the international standard under development. Representatives of the sponsoring organisations formed the CC Editorial Board (CCEB) to develop the CC. A liaison was then established between the CCEB and WG 3, and the CCEB contributed several early versions of the CC to WG 3 via the liaison channel. As a result of the interaction between WG 3 and the CCEB, these versions were adopted as successive working drafts of various Parts of the ISO criteria beginning in 1994.
Version 1.0 of the CC was completed by the CCEB in January 1996 and was approved by ISO in April 1996 for distribution as a Committee Draft (CD). The CC Project then performed a number of trial evaluations using CC Version 1.0, and an extensive public review of the document was conducted. The CC Project subsequently undertook an extensive revision of the CC based on the comments received from trial use, public review and interaction with ISO. The revision work has been carried out by the successor to the CCEB, now called the CC Implementation Board (CCIB).
The CCIB completed CC version 2.0 "Beta" in October 1997 and presented it to WG 3, which approved it as a Second Committee Draft. Subsequent intermediate draft versions were provided informally to WG 3 experts for feedback as they were produced by the CCIB. The CCIB received and responded to a series of comments that came both directly from WG 3 experts and from ISO National Bodies via the CD balloting. The culmination of this process is CC Version 2.0.
For historical and continuity purposes, ISO/IEC JTC 1/SC 27/WG 3 has accepted the continued use of the term "Common Criteria" (CC) within the document, while recognising that its official name in the ISO context is "Evaluation Criteria for Information Technology Security".
The seven European and North American governmental organisations listed below constitute the CC project sponsoring organisations. These organisations have provided nearly all of the effort that went into developing the CC from its inception to its completion. These organisations are also "evaluation authorities" for their respective national governments. They have committed themselves to replacing their respective evaluation criteria with the CC version 2.0 now that its technical development has been completed and it is in the final stages of acceptance as an International Standard.
CANADA:
FRANCE:
GERMANY:
NETHERLANDS:
UNITED KINGDOM:
UNITED STATES - NIST:
UNITED STATES - NSA: