Sunday, November 16, 2008

Solving Most of Your Questions about the Trusted Computer Systems Evaluation Criteria [TCSEC] or The Pervasive Application of the Orange Book

[Caution ◘ graduate Level reading & Material]

Author: John M. Kennedy T.

[Version 2.13 • Last Review on Nov. 10 2008]


This paper is the report of the first meeting held by this recently hired Information Security Manager with the CIO and the CEO of The Plow of the Sea Inc. [from now on “POS”]. The Information Security Manager, having as mission to secure the POS information system as the highest possible level, discussed during this meeting the role of the so called “Orange Book” and how it could be applied for obtaining the certification and accreditation for the POS information systems. The Information Security Manager explored, as well, with the CIO and CEO, the existence and purpose of other security books that are known as vital parts of the “Rainbow Series”, and then identified the differences between the B-3, and the C2 security divisions, levels or classes. Finally, the Information Security Manager described the term “assurance” as he interpreted from a perspective of the Orange Book with the intention of applying these concepts in the design, implementation and administration of the information system security for the POS computer system infrastructure and the whole organizational procedures in general.


As a recently Information Security Manager of the POS, I arranged a meeting with the CEO and CIO to report them about my decisions on how to successfully and securely convert the POS’s traditional, or legacy, on house database into a much versatile and highly available distributed database with the highest level of security controls possible under a prearranged budget. To convince the POS’s top management of the effectiveness of my security plans, I decided to familiarize the CEO with the role, application and terms of the “Orange Book” and the other “Rainbow Books” for providing assurance to the POS’s computer system and finally to discuss with the CIO and CEO the differences and appropriateness, or importance, of following the security divisions exhibited in the same “Orange Book” at the C2 an B3 classes or categories; therefore, following is the documentation of my research on the abovementioned topics that I have use on my discussion in the aforementioned meeting.

The Relevance of the Orange Book in the information Systems Security: Its origin, applicability & its leading Role in the Field

According to Stone, Hayden, & Feringa (2004), there are eight core principles in information security:

1. Accountability

2. Awareness

3. Multidisciplinary

4. Cost Effectiveness

5. Integration

6. Reassessment

7. Timeliness

8. Societal Factors

These principles appear to be developed from the 1950s and 1960s, at least this is reported by the security computing visionary, William H. Ware, who tell us about the legendary conferences for practitioners and users of computer technology of those times, denominated originally Eastern and Western Joint Computer Conferences, or JCCs and the later Spring and Fall JCCs, since these conferences were done twice a year, then and suddenly the conferences became the annual National Computer Conferences (Pfleeger & Pfleeger, 2003). Ware explained that somehow from and within the ‘scenes’ of these conferences the term Computer Security became know as Information System Security [ISS] and that currently actually refer to as, “protection of the national information infrastructure” and thus the topic gained attention from the “classified defense interests into [the] public view” (Pfleeger & Pfleeger, 2004, p. xix).

Ware characterized his time with other researches at RAND Corporation; he even mentioned some names, e.g., Robert L. Patrick, and John P. Haverty, as a turning point that demarked the ignition of a growing dependence on computer technology and thus as early as those days they were really concerned that this dependence was putting USA at risk of not being able to protect effectively neither its data, and information nor its [physical] systems infrastructure properly or even at all. (Pfleeger & Pfleeger, 2003) Voila! Information security, or ISS, field was born.

We are told by Ware, that under this impression and taking the opportunity of the development of the National Security Agency’s (NSA) remote-access time-sharing system a full set of security access controls were ported by the Univac 494 machine, which served terminals and users around the world. Ware embraced a project with other people from RAND and NSA and presented a group of papers to the Spring JCC so these could be considered as one of the sessions’ topics. In fact ware, finally, chaired the whole panel and it was presented at the Atlantic City, New Jersey, Convention Hall in 1967. This is the real point of origin, for ISS, because since soon after the Atlantic City conference, the Department of Defense [DoD], acting through the Advance Research Project Agency (ARPA), later known as Defense Science Board (DSB), request that Ware included defense classified and business applications in one of its mainframes that was running in a remote-access mode. Thus, Ware organized and chaired a committee to study Information Security controls already, that incidentally, from which study, a seminal paper was produced to serve as the basis for the DoD’s policies. This report was classified and was officially presented to the DSB in 1970. In October 1979, it was declassified and republished by RAND Corporation and then was disseminated, as it known until our days, as the “Ware report”. It is a matter of fact you can still download it from the RAND website. (Pfleeger & Pfleeger, 2003)

The United States Air Force, in case you have forgotten, the USAF, sponsored another similar committee but this was chaired by James P. Anderson, who recommended in 1972 a 6-year research and Development Security Program with a budget of $8 million dollars. The USAF funded some projects that were aimed to harden the Operating Systems (O/Ss) [this still known now as “hardening” also the nature of today’s practices differs from those used in that time] by the application of appropriate security controls.

Incidentally, from this Milieu, the “Criteria and Evaluation” concepts and programs were originated, and were sponsored by the NSA. This is how the “Orange book” and that security colorful book palette, called the “Rainbow Books Series” were altogether born.

The Orange book, which was entitled, “Trusted Computer Security Evaluation Criteria” (TCSEC) was presented on 1983 but was not published by the DoD until 1985 (Pfleeger & Pfleeger, 2003). As these concepts were internationalized, the ISO or International Organization for Standardization developed, between the late 1980s and early 1990s, a set of standards known as the “Common Criteria” or CC. (Pfleeger & Pfleeger)

A good proof, about the argument that posits William H. Ware as being one of the primary source, is found in the references section of the same Orange book itself; Ware’s work was cited in the bibliography as “Ware, W. H., ed., Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security, AD # A076617/0, Rand Corporation, Santa Monica, Calif., February 1970, reissued October 1979.” The origins of the “Orange book” are very relevant because they described the prominent role in the Information Systems Security for the organizations and those professionals responsible for the Computer Security at large. “Trusted Computer System Evaluation Criteria” (TSEC) is considered a seminal study whereby a “rainbow of books” has been written and evolved, upon which many organizations that are specialized in conducting certification and accreditation operatives and programs for information systems are primarily [but not only] based evenly today.

Specialized organizations that independently assess and determine what is the security level or adequacy, and operational state or condition in which commercial transactions are carried on rely on the precepts of the “Orange Book”. Thus effectively the DoD TCSEC provides not only a simply criteria but serves and its is used as a platform of well defined “requirements”, constraints and controls that allows Information Systems Security Authorities and practitioners to grant or deny organizations’ Computer and Information Systems authorization to operate (ATO) in accordance as their ability to prove beyond reasonable doubt that they have implemented ISS within at a certain seemed acceptable level of risk and thus be allowed to offer their services to their users and other stakeholders. Otherwise, in case these were estimated necessary by Designated Authorization Authorities [DAAs], recommend corrective actions or sanctions could be applied according to a well defined Evaluation Criteria (Pfleeger & Pfleeger, 2003, Trusted computer system, December 1985, Ross, Swanson, Stoneburner, Katzke, & Johnson, 2004).

In its totality or as a whole, the “Orange Book” could be thought as a set of principles for management the risk of information systems therein with the purpose to increase the confidence in reaching desired prearranged outcomes and to constrain those foreseeable threats to acceptable levels, as to make adequate decisions accordingly to the pressing issues or events presented at hand. (The Orange Book, 2006) To clarify this explanation furthermore about its role, I will quote the mere DoD TCSEC or “Orange Book” (1985):

"Department of Defense Trusted Computer System Evaluation Criteria" forms the basis upon which the Computer Security Center will carry out the commercial computer security evaluation process. This process is focused on commercially produced and supported general-purpose operating system products that meet the needs of government departments and agencies. The formal evaluation is aimed at "off-the-shelf" commercially supported products and is completely divorced from any consideration of overall system performance, potential applications, or particular processing environments. The evaluation provides a key input to a computer system security approval/accreditation. However, it does not constitute a complete computer system security evaluation (Trusted computer system, 1985, Appendix A, ¶ 1).

The Way of Orange book

The DoD TCSEC is considered an important cornerstone for designing and setting together a set of evaluations or as a tool for testing the implementation of a sound certification & accreditation process; also, the TCSEC can be used for supporting the documentation of its results through the recommendation of its requirements that can be utilized to develop: System Security Plans or Initial Risk Management, Security Assessment Reports and evenly and consequently, Plan of Actions and Milestones; all of these aforementioned terms are documents that actually put them together constitute an accreditation package. (Pfleeger & Pfleeger, 2003, Ross, Swanson, Stoneburner et al., 2004)

The purpose, function and role are specified very well on the Trusted Program Evaluation Program’s (TPEP) overview which defines the TCSEC as a standard who serves three purposes (TPEP Overview: Background, 1998):

1. Provide product manufacturers with a standard of security features to build into their products.

2. Provide DoD components with a metric to evaluate how much trust can be placed in an automated information system for secure processing of classified or other sensitive data.

3. Provide a basis for specifying security requirements in acquisition specifications.

A Security palette with a rainbow of purposes

A continuation I am presenting a matrix describing the designation, color and the purpose of each book in the series of what is now known as the “Rainbow Books”, i.e. a plethora of specific guidelines for achievement desirable level of computer or Information Security Systems technology. The publication of the “Rainbow Books” series followed the publication by the DoD of the TCSEC “colored” as Orange Book, which was reissued on 1985 and coded as “DoD Standard DOD 5200.28-STD” [Here you have even another name for the “Orange Book” ]. The table below has been compiled from the information found in the TPEP webpage of the National Computer Security Center (NCSC) Web (Rainbow Series Library, 2000):

Rainbow Color



Orange Book


DoD Trusted Computer System Evaluation Criteria, 26 December 1985 (Supersedes CSC-STD-001-83, dtd 15 Aug 83).

Green Book


DoD Password Management Guideline, 12 April 1985.

Light Yellow Book


Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985.

Yellow Book


Technical Rational Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985.

Tan Book


Ver. 2

A Guide To Understanding Audit In Trusted Systems 1 June 1988, Version 2.

Bright Blue Book


Trusted Product Evaluations - A Guide for Vendors, 22 June 1990.
see also TPEP Procedures which supersedes parts of this document.

Neon Orange Book


A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987.

Teal Green Book


Glossary of Computer Security Terms, 21 October 1988. (NCSC-WA-001-85 is obsolete)

Red Book


Trusted Network Interpretation of the TCSEC (TNI), 31 July 1987.

Amber Book


A Guide to Understanding Configuration Management in Trusted Systems, 28 March 1988.

Burgundy Book


A Guide to Understanding Design Documentation in Trusted Systems, 6 October 1988.
see also Process Guidelines for Design Documentation which may supercede parts of this document.

Dark Lavender Book


A Guide to Understanding Trusted Distribution in Trusted Systems 15 December 1988.

Venice Blue Book


Computer Security Subsystem Interpretation of the TCSEC 16 September 1988.

Aqua Book


A Guide to Understanding Security Modeling in Trusted Systems, October 1992.

Red Book


Trusted Network Interpretation Environments Guideline - Guidance for Applying the TNI, 1 August 1990.

Pink Book

NCSC-TG-013 Ver.2

RAMP Program Document, 1 March 1995, Version 2

Purple Book


Guidelines for Formal Verification Systems, 1 April 1989.

Brown Book


A Guide to Understanding Trusted Facility Management, 18 October 1989.

Yellow-Green Book


Guidelines for Writing Trusted Facility Manuals, October 1992.

Light Blue Book


A Guide to Understanding Identification and Authentication in Trusted Systems, September 1991.

Light Blue Book


A Guide to Understanding Object Reuse in Trusted Systems, July 1992.

Blue Book

NCSC-TG-019 Ver. 2

Trusted Product Evaluation Questionnaire, 2 May 1992, Version 2.

Silver Book


Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX® System, 7 July 1989.

Purple Book


Trusted Database Management System Interpretation of the TCSEC (TDI), April 1991.

Yellow Book


A Guide to Understanding Trusted Recovery in Trusted Systems, 30 December 1991.

Bright Orange Book


A Guide to Understanding Security Testing and Test Documentation in Trusted Systems
see also Process Guidelines for Test Documentation which may supersede parts of this document.

Purple Book

NCSC-TG-024 Vol. 1/4

A Guide to Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements, December 1992.

NCSC-TG-024 Vol. 2/4

A Guide to Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators, 30 June 1993.

NCSC-TG-024 Vol. 3/4

A Guide to Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description Tutorial, 28 February 1994.

NCSC-TG-024 Vol. 4/4

A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document - An Aid to Procurement Initiators and Contractors (publication TBA)

Forest Green Book

NCSC-TG-025 Ver. 2

A Guide to Understanding Data Remanence in Automated Information Systems, September 1991, Version 2, (Supersedes CSC-STD-005-85).

Hot Peach Book


A Guide to Writing the Security Features User's Guide for Trusted Systems, September 1991.

Turquoise Book


A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992.

Violet Book


Assessing Controlled Access Protection, 25 May 1992.

Blue Book


Introduction to Certification and Accreditation Concepts, January 1994.

Light Pink Book


A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993.

Table 1 – Matrix based on the Rainbow Books Library (Rainbow series library, 2000).

The Bell-LaPadula Model: The identification of the differences between C-2 and B-3

David Bell and Leonard LaPadula created a model based on the government concept of classified and unclassified information which denied access depending of the type of subject’s [person or user] level of clearance. Incidentally, in 1983 the DoD developed the standard 5200.28, labeled: The Trusted Computing System Evaluation Criteria - TCSEC AKA “the Orange Book”, which as I have mentioned before, was reissued on December 1985 (Kennedy, 2006) which defines security requirements and codifies levels of trust (Pfleeger & Pfleeger, 2003) in the following table: (Maiwald, 2004)


Minimal Protection or unrated


Discretionary Security Protection


Controlled Access Protection


Labeled Security Protection


Structured Protection


Security Protection


Verified Design

Table 2 - TCSEC AKA "The Orange Book" (Maiwald, 2004)

The above table presents what Pfleeger & Pfleeger (2003) called and identified as four clusters, i.e. (I) D; (II) C-1 + C-2 + B-1; (II) B-2 and (IV) B-3 + A-1. This states by itself a major difference between C-2 and B-3, because they were group differently, they do not belong to the same cluster but even if they would have been put in the same cluster, a cluster does not mean that these divisions are equivalent or had have the same set of criteria.

In reality, there are more demands in each division and subsequent class; for example, from B-1 to B-2 and between B-2 and B-3 are clear and substantial differences in the requirements; for instance, and specifically, in the area of the required assurance level. (Pfleeger & Pfleeger, 2003)

The most obvious difference between the B-3 and the C-1divisions or classes is that B-3 division/class requires the application of Mandatory Access Control (MAC); but taking a closer look, we continue finding other important differences between these two sets of criteria [C-2 and B-3]. The C-1 class exhibits a Trusted Computing Base (TCB) that consists of a system that provides security by separating users and data.

The C-1 allows the development of a cooperative environment whereby users are expected to exchange information at the same level of sensitive and at the same time able to protect their own data from other users. C-1 provides the necessary security controls to limit access on an individual basis, this separation of users and data is denominated by TCSEC, Discretionary Security Protection, and it is the major tenet of the Class C-1 (Trusted computer system, 1985).

Pfleeger & Pfleeger (2003) explains that to understand Division C - Class 1 or C-1, one must pay attention at the keyword “discretionary”, which means that the user is authorized to make decisions over when and what controls need to be applied and who are the other users or groups that are allowed to access data or information.

The C-2 builds on the criteria of C-1 and then enhances it a little more by demanding a couple of more requirements. The C-2 then implements the Discretionary Access Control but becomes more granular in controlling access. It supports an audit trail that is capable of tracking each individual’s access or attempted access to each object. The C-2 has been labeled as Controlled Access Protection (Pfleeger & Pfleeger, 285).

As we have seen, Division B: Mandatory Protection - Class 3 or B-3 is in another cluster than C-1, and has different and more demanding set of security requirements and thus is identified as Class 3: Security Domains (Trusted Computer System, 1985). The “Orange Book”, i.e. the TCSEC (2000) indicates clearly the set of criteria of Division B Class 3, B-3,

“The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security- relevant events, and system recovery procedures are required. The system is highly resistant to penetration.” (Division B - Class 3: System Domain, Trusted Computer System, 1985, ¶ 1).

In contrasting the C-1 and the B-3, we see that B-3 requires a higher level of security controls even from the early designing information systems stages, that includes the use of layering, i.e. Defense-in-Depth, Abstraction and Information Hiding; mainly to protect the information and data from tampering, i.e. the unauthorized suppression, modification, disruption, falsification, fabrication of sensitive data and information (Pfleeger & Pfleeger, 2003). Below I am presenting a table that exhibits what are the security controls included in C-1 and B-3:

Trusted Computer System Evaluation Criteria -TCSEC




  • Security Policy

1. Discretionary access control



2. Object Reuse



3. Labels



4. Label Integrity



5. Exportation of labeled information



6. Labeling Human-readable output



7. Mandatory Access Control



8. Subject sensitivity labels



9. Device Labels



  • Accountability

1. Identification & authentication



2. Audit



3. Trusted path



  • Assurance

1. System Architecture



2. System Integrity



3. System testing



4. Design specification and verification



5. Covert channel analysis



6. Trusted Facility Management



7. Configuration Management



8. Trusted Recovery



9. Trusted Distribution



  • Documentation

1. Security features user’s guide



2. Trusted facility manual



3. Test documentation



4. Design documentation



Table 3 – Adapted by J. M. Kennedy from Pfleeger & Pfleeger (2003, p. 284).

Legend: "=" means "no requirement" ♦ "<" means "requirement"

Assurance & the Orange Book

To understand what assurance means we need to start for understanding the distinctive characteristics embedded in the meaning of these two terms: “Security and Trust”, as when why experts have chosen to state: This is a “Trusted System”, rather than: This is a “Secure System”. There is a sense of ‘granular expertise’ in these former assertions. In this regard, the qualities of security and “trustedness” [no even thing in trustiness] are quite different; for instance, a system either is or not secure. It is an absolute, either/or situation, not details are given as to how, when, where of by whom, while when a system is trusted can be trusted in many different degrees of trust and its trustedness is based on analysis and evidence that support such state up to a certain specific level. It is a relative view about the security state of a system and by itself represents a characteristic or an attribute; while secure represents a goal hat could be reach and in certain cases it has no been fulfilled. (Pfleeger & Pfleeger, 2003)

From these essential semantic differences between “Trust” and “Security”, we can digest the meaning of TCB or Trusted Computing Base, which is the set of all security controls and methods utilized for ensuring that a particular Information Systems is following and Could guaranty the enforcement of determined organizational driven security policies for processing sensitive information within an acceptable levels of risk. It is in this context that we can understand and seek assurance for our Information Systems, i.e. to meet our expectations, and more important the ones of our customers and other stakeholders, in terms of performance and security within a tolerable level of risk within a well-budgeted security plan. In other words, assurance gives us the confidence that the Information Systems has been architected such as we and our stakeholders could have confidence in processing, storing and distributing sensitive and confidential information is safe up to a certain degree of prearranged and expected trust.

According to Pfleeger & Pfleeger (2006) there are three methods of assurances to mitigate or reduce the effects of a system’s vulnerabilities, i.e. Testing, Verification and Validation, these methods are used to detect and improve the overall trustedness of a system.

The “Orange Book” is geared for be used by security practitioners, developers, system security officers, et al. for assurance, because it provides well-stated security requirements that can be used for testing any Information Security Systems for understanding, verify and validate its trustedness level with the aim of providing services and store, transmit or process sensitive data or information. (Pfleeger & Pfleeger, 2003) As the TSEC has state in reference to the TCB, in its Section 6.4, which is labeled “Assurance”, "[the Information Security System] Must be of sufficiently simple organization and complexity to be subjected to analysis and tests, the completeness of which can be assured." (Trusted Computer System, 1985) The security clusters/divisions/classes provides for the Information Systems of the POS, and more importantly, a way to measure the trustedness whereby the trusted level of POS at which range level is acceptable for handling sensitive and confidential information.


At the end of our meeting the CEO, the CIO and I developed a mutual understanding in terms of Information System Security, we sensed and share the perception that we were going in the right direction, because we understood the pervasive historical role and importance of the “Orange Book” and the Rainbow Books Series. They become very interested in the subject and were convinced of the importance of designing and implementing and Information Security Plan for obtaining the certification and accreditation of the information systems of the POS. Also the CIO and I exchanged ideas over the application of, either the C-1 or the B-3, set of criteria for changing the POS from an on-house database to a highly available and accessible distributed database. Finally, as the CEO and the CIO were interested in ensuring that the level of assurance for the new distributed database could reach the level of trustedness as to meet the business and security requirements to process sensitive information. The CEO understood my description of what is “assurance” in the context of Information System Security and how in the “Orange Book” has been incorporated and how it should be applied to the POS current Information System Security needs.


Certified Information Systems Security Professional: Study Guide For CISSP Certification. (2003). Retrieved May 20, 2006, from International Information System Security Certification Consortium, Inc. (ISC)2 Website:

Kennedy, J. M. (February 18, 2006). Sensitive Areas of Computer Security Memo: ABC Manufacturing Corporation. Information Systems Security. Unpublished. New York

Maiwald, E. (2004) Fundamentals of Network Security. New York: McGraw-Hill Technology Education.

Pfleeger, S. L. & Pfleeger, C.P. (2003). Security in computing, 3rd Ed. New Jersey: Prentice Hall.

Ross, R., Swanson, M., Stoneburner, G., Katzke, S. & Johnson, A. (May 2004). Guide for security certification and accreditation of federal information systems. Computer Security Division. Information Technology Laboratory. National Institute of Standards and Technology Publication 800-37 CODEN: NSPUE2. Gaithersburg, MD: NIST

Stoneburner, G., Hayden, C. & Feringa, A. (2004). Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A. Recommendations of the National Institute of Standards and Technology National Institute Standards Technology: Computer Security - NIST Special Publication 800-27 Rev A. CODEN: NSPUE2. Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD: Department of Commerce, United States of America.

Rainbow series library. (Wednesday Jun 28 13:44:26 2000). Retrieve May 28, 2006, from

The Orange Book: Management of risk - principle and concept. (October, 2004). HM Treasury. Retrieved, May 22, 2006, from

TPEP Overview: Background (Last updated Thursday, August 13, 13:53:14, 1998). Trusted Product Evaluation Program. Retrieve May 27, 2006, from

Trusted computer system evaluation criteria, (December 1985). U.S. Department of Defense. DOD5200.28-STD. Retrieved May 25, 2006, from


List of Acronyms

ADPSSO ADP System Security Officers 

Automated Information Systems

COTS Commercial-off-the-shelf

CC Common Criteria

CCITSE Common Criteria for Information Technology Security Evaluation

EPL Evaluated Products List

EALs Evaluation Assurance Levels

NCSC National Computer Security Center

PP Protection Profile

ST Security Target

TOE Target of Evaluation

TTAP Trust Technology Assessment Program

TPEP Trusted Product Evaluation Program

NTISSAM This National Telecommunications and Information Systems Security Advisory Memorandum. 

Systems Office Automation Systems

Trusted Database Management System Interpretation

MAC Mandatory Access Control

TCB Trusted Computing Base

DTLS A descriptive top-level specification

NACSI National Communications Security Instruction

Plowed Results | Resultados Arados