NSTISSP #11 took effect in July 2002, and since then, all new IT product purchases for use in national security systems must be evaluated and validated under the Common Criteria.
Following in the footsteps of NSTISSP #11, DoD Directive 8500.1 and DoD Instruction 8500.2 included provisions and guidance for CC evaluations as part of their direction for information assurance within the DoD.
Its three main tenets state that all IA or IA-enabled products incorporated into DoD information systems must comply with NSTISSP #11; products must be satisfactorily evaluated and validated prior to purchase or as a condition of purchase; and purchase contracts must specify that validation will be maintained for subsequent releases of the product.
(242) Despite consistent resistance of the commercial satellite industry to voluntarily comply with NSTISSP
12 requirements for business reasons (namely associated cost and complexity of satellites and ground systems), DOD officials have drafted a policy that would require all satellite systems used by DOD to meet these requirements and would require a waiver prior to DOD use of a non-compliant system.