Trusted Computer System Evaluation Criteria (TCSEC) is a
United States
The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...
Government
A government is the system or group of people governing an organized community, generally a state.
In the case of its broad associative definition, government normally consists of legislature, executive, and judiciary. Government is a ...
Department of Defense Department of Defence or Department of Defense may refer to:
Current departments of defence
* Department of Defence (Australia)
* Department of National Defence (Canada)
* Department of Defence (Ireland)
* Department of National Defense (Philipp ...
(DoD) standard that sets basic requirements for assessing the effectiveness of
computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
controls built into a
computer system
A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as programs. These progr ...
. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or
classified information
Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, ...
.
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD ''
Rainbow Series
The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defen ...
'' publications. Initially issued in 1983 by the
National Computer Security Center
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collectio ...
(NCSC), an arm of the
National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
, and then updated in 1985, TCSEC was eventually replaced by the
Common Criteria international standard, originally published in 2005.
Fundamental objectives and requirements
On 24 October 2002, The Orange Book (aka DoDD 5200.28-STD) was canceled by DoDD 8500.1, which was later reissued as DoDI 8500.02, on 14 March 2014.
Policy
The security policy must be explicit, well-defined, and enforced by the computer system. Three basic security policies are specified:
* Mandatory Security Policy – Enforces
access control
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
* Marking – Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
* Discretionary Security Policy – Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
Accountability
Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent that can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. The accountability objective includes three requirements:
* Identification – The process used to recognize an individual user.
* Authentication – The verification of an individual user's authorization to specific categories of information.
* Auditing –
Audit
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
Assurance
The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
* Assurance Mechanisms
* Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management, and Trusted Recovery
* Life-cycle Assurance : Security Testing, Design Specification and Verification, Configuration Management, and Trusted System Distribution
* Continuous Protection Assurance – The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering or unauthorized changes.
Documentation
Within each class, an additional set of documentation addresses the development, deployment, and management of the system rather than its capabilities. This documentation includes:
* Security Features User's Guide, Trusted Facility Manual, Test Documentation, and Design Documentation
Divisions and classes
The TCSEC defines four divisions: D, C, B, and A, where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3, and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
D – Minimal protection
* Reserved for those systems that have been evaluated but that fail to meet the requirement for a higher division.
C – Discretionary protection
* C1 – Discretionary Security Protection
** Identification and authentication
** Separation of users and data
**
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
** Required System Documentation and user manuals
* C2 – Controlled Access Protection
** More finely grained DAC
** Individual accountability through login procedures
** Audit trails
** Object reuse
** Resource isolation
** An example of such as system is
HP-UX
HP-UX (from "Hewlett Packard Unix") is Hewlett Packard Enterprise's proprietary implementation of the Unix operating system, based on Unix System V (initially System III) and first released in 1984. Current versions support HPE Integrity Ser ...
B – Mandatory protection
* B1 – Labeled Security Protection
** Informal statement of the security policy model
** Data sensitivity labels
**
Mandatory Access Control (MAC) over selected subjects and objects
** Label exportation capabilities
** Some discovered flaws must be removed or otherwise mitigated
** Design specifications and verification
* B2 – Structured Protection
**
Security policy model clearly defined and formally documented
** DAC and MAC enforcement extended to all subjects and objects
**
Covert storage channels are analyzed for occurrence and bandwidth
** Carefully structured into protection-critical and non-protection-critical elements
** Design and implementation enable more comprehensive testing and review
** Authentication mechanisms are strengthened
** Trusted facility management is provided with administrator and operator segregation
** Strict configuration management controls are imposed
** Operator and Administrator roles are separated.
** An example of such a system was
Multics
Multics ("Multiplexed Information and Computing Service") is an influential early time-sharing operating system based on the concept of a single-level memory.Dennis M. Ritchie, "The Evolution of the Unix Time-sharing System", Communications of t ...
* B3 – Security Domains
** Satisfies
reference monitor
In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations ...
requirements
** Structured to exclude code not essential to security policy enforcement
** Significant system engineering directed toward minimizing complexity
** Security administrator role defined
** Audit security-relevant events
** Automated imminent
intrusion detection
An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...
, notification, and response
**
Trusted path A trusted path or trusted channel is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can't intercept or modify whatever information is being communicated.
...
to the TCB for the user authentication function
** Trusted system recovery procedures
**
Covert timing channels are analyzed for occurrence and bandwidth
** An example of such a system is the XTS-300, a precursor to the
XTS-400
The XTS-400 is a multilevel secure computer operating system. It is multiuser and multitasking that uses multilevel scheduling in processing data and information. It works in networked environments and supports Gigabit Ethernet and both IPv4 ...
A – Verified protection
* A1 – Verified Design
** Functionally identical to B3
** Formal design and verification techniques including a formal top-level specification
** Formal management and distribution procedures
** Examples of A1-class systems are Honeywell's SCOMP, Aesec's GEMSOS, and Boeing's SNS Server. Two that were unevaluated were the production LOCK platform and the cancelled DEC
VAX Security Kernel.
* Beyond A1
** System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the
Trusted Computing Base (TCB).
** Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
** Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
** Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.
Matching classes to environmental requirements
The publication entitled "Army Regulation 380-19" is an example of a guide to determining which system class should be used in a given situation.
[Army Regulation 380-19. Retrieved from https://fas.org/irp/doddir/army/r380_19.pdf.]
See also
*
AR 380-19
AR, Ar, or A&R may refer to:
Arts, entertainment, and media
Music
* Artists and repertoire
Periodicals
* ''Absolute Return + Alpha'', a hedge fund publication
*''The Adelaide Review'', an Australian arts magazine
* ''American Renaissance'' ( ...
superseded by
AR 25-2
AR, Ar, or A&R may refer to:
Arts, entertainment, and media
Music
* Artists and repertoire
Periodicals
* ''Absolute Return + Alpha'', a hedge fund publication
*''The Adelaide Review'', an Australian arts magazine
* ''American Renaissance'' ( ...
*
Canadian Trusted Computer Product Evaluation Criteria The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) is a computer security standard published in 1993 by the Communications Security Establishment to provide an evaluation criterion on IT products. It is a combination of the TCSEC (a ...
*
Common Criteria
*
ITSEC
*
Rainbow Series
The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defen ...
*
Trusted Platform Module
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a ch ...
References
{{reflist, 1
External links
National Security Institute - 5200.28-STD ''Trusted Computer System Evaluation Criteria''
National Security Agency
Computer security standards
Trusted computing