Payne, C., J. N. Froscher, and C. E. Landwehr, "Toward a comprehensive INFOSEC certification methodology," Proc. Sixteenth National Computer Security Conference, Baltimore, MD, Sept. 1993, pp. 165-172.
Accreditors want to know what vulnerabilities will exist if they decide to turn on a system. TCSEC evaluations address products, not systems. Not only the hardware and software of a system are of concern; the accreditor needs to view the system components in relation to the environment in which they operate and in relation to the system's mission. This paper proposes an informal but comprehensive approach that can provide the accreditor with the necessary information. First, we discuss the identification of assumptions and assertions that reflect system INFOSEC requirements. Second, we propose the definition of an assurance strategy to integrate security engineering and system engineering. The assurance strategy initially documents the set of assumptions and assertions derived from the requirements. It is elaborated and refined throughout the development, yielding the assurance argument, delivered with the system, which provides the primary technical basis for the certification decision. With the assurance strategy in place, certification of the trusted system can become an audit of the development process.