Historical Database of Computer Security Evaluations

collected by Richard E. Smith


Secure Computing Corporation


Here is an Excel 97/98 spreadsheet that contains an entry for every product I've been able to track down that completed a published, formal security evaluation in accordance with trusted systems evaluation criteria. At the moment it includes the reported evaluations by the United States (TCSEC/NCSC and Common Criteria), United Kingdom (ITSEC and Common Criteria), Australia, and whatever evaluations were reported from Canada, France, and Germany by the US, UK, and Australian sites.

Key Observations

Help Requested

I've culled this information from the Common Criteria sites in the US, UK, and Canada. I've also collected information from the Australian product evaluation site. My German and French aren't good enough to know if there are more evaluations than the ones I've listed. I have no idea how to collect information on Russian evaluations, though I once heard that they'd evaluated some products.

At one point I thought Canada had published their own criteria, but I haven't found a list of products evaluated under it; I've only found Canadian evaluations under the Common Criteria.

Contact me via e-mail if you can help me add missing information to the spreadsheet.

About the Spreadsheet

The spreadsheet contains over 200 entries representing every product evaluation going back to the start of the US National Computer Security Center in 1984. Each entry attempts to give the full product name, year of evaluation, country of evaluation (not the product's country), criteria, rating, a numeric mapping of the rating (1-7), and the name of the evaluation lab. Fields are left blank if unknown.

Information for years 1999 and 2000 must be evaluated with caution. Clearly the information available about 1999 evaluations is not complete, since the year isn't over yet. I've used the year 2000 to indicate evaluations that are reported to be "in progress." This was a compromise since I wanted to capture the information.

Observations and Charts

This started out as a brief internal research project, but the results seemed interesting enough to share with the rest of the world.

The following graph illustrates security evaluations by year in the US and in all other countries.

The following graph illustrates evaluations by year according to evaluation levels achieved. Evaluations under criteria other than the Common Criteria are compared to Common Criteria measurements in the usual way, that is, EAL 3 is roughly an NCSC C2 or ITSEC E2, EAL 4 is a B1 or E3, and so on.

The following graph shows the number of evaluations in the traditional areas of OS and DBMS products against newer products, notably for network security, including access control, data com, and networking security products.

The following graph looks at evaluation activities in OSes and DBMSes. Evaluations began in the OS arena and extended to other types of products as the field evolved.

The following graph looks at evaluations of network security products, including firewalls and other "networking" products, access control products, and communications security devices like encryptors.


Last update: 9/9/99


This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License.

For other rights, contact Richard E. Smith, rick@cryptosmith.com