Payne, C.N. ``Security Policy Model, a chapter of the Handbook for the Computer Security Certification of Trusted Systems'', NRL Technical Memorandum 5540:080A, 24 January 1995, Naval Research Laboratory, Washington, DC. PostScript, PDF
To avoid hidden safety problems in future large scale systems, we must be able to identify the crucial assumptions underlying the development of their components and to enunciate straightforward rules for safe component interconnection.
The history of attempts to secure computer systems against threats to confidentiality, integrity, and availability of data is briefly surveyed, and the danger of repeating a portion of that history is noted. Areas needing research attention are highlighted, and a new approach to developing certified systems is described.
Payne, C., J.N. Froscher, and C. E. Landwehr, "Toward a comprehensive INFOSEC certification methodology," Proc. Sixteenth National Computer Security Conference, Baltimore, MD, Sept., 1993. pp. 165-172. PostScript
Accreditors want to know what vulnerabilities will exist if they decide to turn on a system. TCSEC evaluations address products, not systems. Not only the hardware and software of a system are of concern; the accreditor needs to view the system components in relation to the environment in which they operate and in relation to the system's mission. This paper proposes an informal but comprehensive approach that can provide the accreditor with the necessary information. First, we discuss the identification of assumptions and assertions that reflect system INFOSEC requirements. Second, we propose the definition of an assurance strategy to integrate security engineering and system engineering. The assurance strategy initially documents the set of assumptions and assertions derived from the requirements. It is elaborated and refined throughout the development, yielding the assurance argument, delivered with the system, which provides the primary technical basis for the certification decision. With the assurance strategy in place, certification of the trusted system can become an audit of the development process.
The Navy has designated the Naval Research Laboratory (NRL) as its Center for Computer Security Research and Evaluation. NRL is actively developing a Navy capability to certify trusted systems. This paper describes the NRL effort to understand assurance, certification, and trusted system certification criteria through the production of the Handbook for the Computer Security Certification of Trusted Systems. Through this effort, NRL hopes to discover new and more efficient ways of satisfying the assurance requirement for a high assurance system.