A Short History of Computer Security Standards Leading to the Orange Book

Standards for Secure Systems:

1968 – NBS (National Bureau of Standards) initial study of the US government’s security needs.

1972 – NBS and ACM (Association for Computing Machinery) First conference on computer security

1973 – NBS begins a program to research standards for computer security.

  • NBS invites vendors to submit a data encryption standard.

1974 – TEMPEST establishes standards for shielding emanations. The term TEMPEST was coined in the late '60s and early '70s as a codename for the NSA operation to secure electronic communications equipment from potential eavesdroppers.

1977 – NBS sponsors workshops to audit and evaluate computer systems.

  • Topics of concern include:
    ◦ Confidentiality of data and services
    ◦ Preserving data accuracy (integrity)
    ◦ Reliability of access to data and services (availability)
    ◦ Policy
    ◦ Mechanisms to enforce policy
    ◦ Assurance – assurance that the policies and mechanisms actually work
  • ANSI (American National Standards Institute) adopts the DES (Data Encryption Standard). The DES standard is broken by the Electronic Frontier Foundation (et al.) in January 1999. The DES standard is finally abandoned in 2004.
  • GAO and other government agencies participate.

1981 – DoD establishes the Computer Security Center (CSC) within the NSA. Out of this comes the NCSC (National Computer Security Center). The NCSC has the following charter:

  • Provide tools to evaluate the capabilities of trusted computer systems.
  • Provide technical support for government agencies and industry groups engaged in computer security research.
  • Conduct and sponsor research in computer and network security technology.
  • Establish criteria for evaluating the security of computing systems.
  • Conduct training in areas of computer security.
    ◦ This includes disseminating computer security information to government agencies and industry.

1983 – Release of the “Orange Book” by NCSC.

  • The US government DoD Orange Book (August 1983) was developed as the TCSEC (Trusted Computer System Evaluation Criteria). It was later superseded by a FIPS (Federal Information Processing Standards) publication.
  • The Orange Book was followed by a series of documents known as the Rainbow Series:
    ◦ Green – Password management
    ◦ Tan – Auditing trusted systems
    ◦ Purple – Verification systems
    ◦ Burgundy – Understanding design documentation
    ◦ Red – Network security