ABSTRACT
The Common Criteria, referred to as "the standard for information security,"[1] represent the culmination of a 30-year saga involving multiple organizations from around the world. The major events are discussed below and summarized in Table 1. A common misperception is that computer and network security began with the Internet. In fact, the need for and interest in computer security, or COMPUSEC, have been around as long as computers. Likewise, the Orange Book is often cited as the progenitor of the Common Criteria (CC); actually, the foundation for the CC was laid a decade earlier. One of the first COMPUSEC standards, DoD 5200.28-M,[2] Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems, was issued in January 1973. An amended version was issued in June 1979.[3] DoD 5200.28-M defined the purpose of security testing and evaluation as:[2]

To develop and acquire methodologies, techniques, and standards for the analysis, testing, and evaluation of the security features of ADP systems

To assist in the analysis, testing, and evaluation of the security features of ADP systems by developing factors for the Designated Approval Authority concerning the effectiveness of measures used to secure the ADP system in accordance with Section VI of DoD Directive 5200.28 and the provisions of this Manual

To minimize duplication and overlapping effort, improve the effectiveness and economy of security operations, and provide for the approval and joint use of security testing and evaluation tools and equipment

As shown in the next section, these goals are quite similar to those of the Common Criteria.