TCSEC - Trusted Computer System Evaluation Criteria

The Orange Book or TCSEC defines several divisions, each with its own classes. They are as follows: ### D Division - Minimal Protection This division is for systems that have been evaluated but that fail to meet the requirements of the higher divisions. ### C Division - Discretionary Protection #### C1 Class (Discretionary Security Protection) This class requires that the system maintain a separation of users and data using access controls. - Isolation of TCB - User authentication - Access control (discretionary) #### C2 Class (Controlled Access Protection) This adds individual user accountability to C1 requirements. It also needs a more robust auditing system and resource isolation. - Add accountability/audit requirements. - Logs ### B Division - Mandatory Protection This division introduces the concept of mandatory access control. #### B1 Class (Labeled Security Protection) The system must associate all objects with labels (sensitivity levels), and it must keep track of the security levels of all subjects (users or processes acting on behalf of users). - Mandatory access control - Well-defined TCB - Penetration testing #### B2 Class (Structured Protection) This class introduces more stringent requirements, such as covert channel analysis, trusted path, and careful management of system integrity. - Confinement and covert channels - TCB structuring (e.g., modularity) #### B3 Class (Security Domains) At this level, the system should provide an accurate and understandable description of the security policy model it implements and the assurance that it enforces the model effectively. - Defined security model - Separation of security code from non-security functions - Least privilege ### A Division - Verified Protection #### A1 Class (Verified Design) This class requires formal methods to describe and analyze the system's security aspects. Verified design (formal model for TCB design). #### A2 Class Formal verification of TCB implementation ----- #standards *While the Orange Book has played a fundamental role in the development of security standards, it has largely been superseded by newer models, such as the Common Criteria (CC), which is more widely accepted internationally.*