Abstract:
This article traces the origins of US government-sponsored computer security research and the path that led from a focus on government-funded research and system development to a focus on the evaluation of commercial products. That path led to the creation of the Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book. The TCSEC placed great emphasis on requirements for mandatory security controls and high assurance, and the resulting TCSEC evaluation process was time-consuming and costly for commercial vendors and emphasized product features not valued by customers. As a result, vendor commitment to evaluations waned. The TCSEC was eventually supplanted by the international Common Criteria, which, after almost 15 years, have moved to a model based on more straightforward requirements and a more deterministic evaluation process.
Keywords:
government policies; security of data; trusted computing; Orange Book; TCSEC evaluation process; US government-sponsored computer security research; commercial product evaluation; government-funded research and system development; international common criteria; trusted computer system evaluation criteria; Computer security; Operating systems; Research and development; US Department of Defense; Common Criteria; Orange Book; TCSEC; access controls; computer security; history of computing; information flow controls; security kernels