  • Pez
Trusted Computer System Evaluation Criteria (TCSEC)
« on: 27. April 2012., 10:10:31 »
Trusted Computer System Evaluation Criteria (TCSEC)

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was replaced by the Common Criteria international standard originally published in 2005.

Fundamental objectives and requirements
The Orange Book or DoDD 5200.28-STD was canceled by DoDD 8500.1 on October 24, 2002.
The security policy must be explicit, well-defined and enforced by the computer system. There are two basic security policies:
 Mandatory Security Policy - Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
 Marking - Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
 Discretionary Security Policy - Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent which can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. There are three requirements under the accountability objective:
 Identification - The process used to recognize an individual user.
 Authentication - The verification of an individual user's authorization to specific categories of information.
 Auditing - Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
 Assurance Mechanisms
 Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
 Life-cycle Assurance: Security Testing, Design Specification and Verification, Configuration Management and Trusted System Distribution
 Continuous Protection Assurance - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.
Within each class there is an additional documentation set which addresses the development, deployment and management of the system rather than its capabilities. This documentation includes:
 Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation
Divisions and classes
The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
D — Minimal protection
 Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division
C — Discretionary protection
C1 — Discretionary Security Protection
 Identification and authentication
 Separation of users and data
 Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
 Required System Documentation and user manuals
C2 — Controlled Access Protection
 More finely grained DAC
 Individual accountability through login procedures
 Audit trails
 Object reuse
 Resource isolation

B — Mandatory protection
B1 — Labeled Security Protection
 Informal statement of the security policy model
 Data sensitivity labels
 Mandatory Access Control (MAC) over selected subjects and objects
 Label exportation capabilities
 All discovered flaws must be removed or otherwise mitigated
 Design specifications and verification
B2 — Structured Protection
 Security policy model clearly defined and formally documented
 DAC and MAC enforcement extended to all subjects and objects
 Covert storage channels are analyzed for occurrence and bandwidth
 Carefully structured into protection-critical and non-protection-critical elements
 Design and implementation enable more comprehensive testing and review
 Authentication mechanisms are strengthened
 Trusted facility management is provided with administrator and operator segregation
 Strict configuration management controls are imposed
B3 — Security Domains
 Satisfies reference monitor requirements
 Structured to exclude code not essential to security policy enforcement
 Significant system engineering directed toward minimizing complexity
 Security administrator role defined
 Audit security-relevant events
 Automated imminent intrusion detection, notification, and response
 Trusted system recovery procedures
 Covert timing channels are analyzed for occurrence and bandwidth
 An example of such a system is the XTS-300, a precursor to the XTS-400

A — Verified protection
A1 — Verified Design
 Functionally identical to B3
 Formal design and verification techniques including a formal top-level specification
 Formal management and distribution procedures
 An example of such a system is Honeywell's Secure Communications Processor SCOMP, a precursor to the XTS-400
Beyond A1
 System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
 Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
 Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
 Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.

Trusted Computer System Evaluation Criteria (TCSEC) Rainbow Series

The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.

These standards describe a process of evaluation for trusted systems. In some cases, U.S. government entities (as well as private firms) would require formal validation of computer technology using this process as part of their procurement criteria. Many of these standards have influenced, and have been superseded by, the Common Criteria.
The books have nicknames based on the color of their covers. For example, the Trusted Computer System Evaluation Criteria was referred to as "The Orange Book." In the book entitled Applied Cryptography, security expert Bruce Schneier states of NCSC-TG-021 that he "can't even begin to describe the color of [the] cover" and that some of the books in this series have "hideously colored covers." He then goes on to describe how to receive a copy of them, saying "Don't tell them I sent you."

Most significant Rainbow Series books

Rainbow Series

Document | Title | Date | Color
5200.28-STD | DoD Trusted Computer System Evaluation Criteria | 1983 August 15 | Orange Book
CSC-STD-002-85 | DoD Password Management Guideline | 1985 April 12 | Green Book
CSC-STS-003-85 | Guidance for applying TCSEC in Specific Environments | 1985 June 25 | Light Yellow Book
CSC-STS-004-85 | Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements | 1985 June 25 | Yellow Book
NCSC-TG-001 | A Guide to Understanding Audit in Trusted Systems | 1988 June 1 | Tan Book
NCSC-TG-002 | Trusted Product Security Evaluation Program | 1990 June 22 | Bright Blue Book
NCSC-TG-003 | Discretionary Access Control in Trusted Systems | 1987 September 30 | Neon Orange Book
NCSC-TG-004 | Glossary of Computer Security Terms | 1988 October 21 | Teal Green
NCSC-TG-005 | Trusted Network Interpretation | 1987 July 31 | Red Book
NCSC-TG-006 | Configuration Management in Trusted Systems | 1988 March 28 | Amber Book
NCSC-TG-007 | A Guide to Understanding Design Documentation in Trusted Systems | 1988 October 6 | Burgundy Book
NCSC-TG-008 | A Guide to Understanding Trusted Distribution in Trusted Systems | 1988 December 15 | Dark Lavender Book
NCSC-TG-009 | Computer Security Subsystem Interpretation of the TCSEC | 1988 September 16 | Venice Blue Book
NCSC-TG-010 | A Guide to Understanding Security Modeling in Trusted Systems | 1992 October | Aqua Book
NCSC-TG-011 | Trusted Network Interpretation Environments Guideline (TNI) | 1990 August 1 | Red Book
NCSC-TG-013 | RAMP Program Document | 1989 | Pink Book
NCSC-TG-013 V2 | RAMP Program Document version 2 | 1995 March 1 | Pink Book
NCSC-TG-014 | Guidelines for Formal Verification Systems | 1989 April 1 | Purple Book
NCSC-TG-015 | Guide to Understanding Trusted Facility Management | 1989 October 18 | Brown Book
NCSC-TG-016 | Guidelines for Writing Trusted Facility Manuals | 1992 October | Yellow-Green Book
NCSC-TG-017 | Identification and Authentication in Trusted Systems | 1991 September | Light Blue Book
NCSC-TG-018 | Object Reuse in Trusted Systems | 1992 July | Light Blue Book
NCSC-TG-019 | Trusted Product Evaluation Questionnaire | 1992 May 2 | Blue Book
NCSC-TG-020 | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System | 1989 July 7 | Silver Book
NCSC-TG-021 | Trusted Database Management System Interpretation of the TCSEC (TDI) | 1991 April | Purple Book
NCSC-TG-022 | Trusted Recovery in Trusted Systems | 1991 December 30 | Yellow Book
NCSC-TG-023 | Security Testing and Test Documentation in Trusted Systems | 1993 July | Bright Orange Book
NCSC-TG-024 Vol. 1/4 | Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements | 1992 December | Purple Book
NCSC-TG-024 Vol. 2/4 | Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work | 1993 June 30 | Purple Book
NCSC-TG-024 Vol. 3/4 | Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description | 1994 February 28 | Purple Book
NCSC-TG-024 Vol. 4/4 | Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document | Publication TBA | Purple Book
NCSC-TG-025 | Guide to Understanding Data remanence in Automated Information Systems. | 1991 September | Forest Green Book
NCSC-TG-026 | Writing the Security Features User's Guide for Trusted Systems | 1991 September | Hot Peach Book
NCSC-TG-027 | Information System Security Officer Responsibilities for Automated Information Systems | 1992 May | Turquoise Book
NCSC-TG-028 | Assessing Controlled Access Protection | 1992 May 25 | Violet Book
NCSC-TG-029 | Certification and Accreditation Concepts | 1994 January | Blue Book
NCSC-TG-030 | Covert channel Analysis of Trusted Systems | 1993 November | Light Pink Book


In popular culture
The 1995 movie Hackers contained a reference to the Rainbow Books that showed Dade naming off a series of six books, the second of them being the Orange Book ("Computer security criteria, DoD standards") and the sixth being the Red Book ("NSA Trusted Networks. Otherwise known as the Ugly Red Book that won’t fit on a shelf") from this series. Phreak called them "those Crayola books" and Cereal replied, "Oh yeah, Technicolor rainbow." However the other books, such as the Peter Norton "pink shirt book", are not part of the Rainbow Series.

There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing !
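
An added illustration (not part of the original post or of the TCSEC text) of how the mandatory policy, marking, discretionary policy and auditing requirements listed in the post combine in a single access decision. The level names, the `ReferenceMonitor` class and the sample users and object are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Assumed ordering of confidentiality levels; the page names no specific levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass
class Obj:
    name: str
    label: str                               # marking: label stored with the object
    acl: set = field(default_factory=set)    # discretionary need-to-know list
    data: str = ""

class ReferenceMonitor:
    """Hypothetical mediator: every access goes through read() and is audited."""
    def __init__(self, authenticated, clearances):
        self.authenticated = authenticated   # users whose identity was verified
        self.clearances = clearances         # user -> level name
        self.audit = []                      # protected, append-only storage assumed

    def _decide(self, user, action, obj, reason=None):
        granted = reason is None
        self.audit.append((user, action, obj.name, "GRANT" if granted else "DENY", reason))
        return granted

    def read(self, user, obj, action="read"):
        if user not in self.authenticated:                       # accountability
            return self._decide(user, action, obj, "not authenticated")
        level = LEVELS[self.clearances.get(user, "UNCLASSIFIED")]
        if level < LEVELS[obj.label]:                            # mandatory policy
            return self._decide(user, action, obj, "clearance below label")
        if user not in obj.acl:                                  # discretionary policy
            return self._decide(user, action, obj, "no need-to-know")
        return self._decide(user, action, obj)

    def export(self, user, obj):
        # Marking requirement: the label leaves the system together with the data.
        if not self.read(user, obj, action="export"):
            return None
        return {"label": obj.label, "data": obj.data}

def demo():
    # Constructed sample users and object.
    mon = ReferenceMonitor({"alice", "bob", "carol"},
                           {"alice": "SECRET", "bob": "CONFIDENTIAL", "carol": "TOP SECRET"})
    doc = Obj("ops-plan", "SECRET", {"alice", "bob"}, "constructed sample text")
    reads = {u: mon.read(u, doc) for u in ("alice", "bob", "carol", "mallory")}
    return reads, mon.export("alice", doc), mon.audit
```

In `demo()`, bob is on the need-to-know list but lacks the clearance, and carol has the clearance but no need-to-know: both are denied, and each decision is recorded against the requesting user.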

  • Pez
Re: Trusted Computer System Evaluation Criteria (TCSEC)
« Reply #1 on: 27. April 2012., 10:13:12 »
This is the base for all who work seriously with computer security.
Perhaps something to pin to the top of the page if it is not to match hardcore. ;)
There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing !

