Updated June 2002







Orange Book FAQ

What is the "Orange Book"?

The Orange Book is a set of criteria used by the US Department of Defense (DoD) for evaluating the security features of computer systems. It is widely used in the IT industry as a benchmark for security standards. It is one of a whole set of NCSC Rainbow Series books, ranging from Orange to Hot Peach.

There are other "Orange Books" and I often get asked questions about these as well :) Hey guys, read the site before you send me an email!

Is there a certification procedure?

Yes, the DoD has a certification procedure. However, some manufacturers will state that their product is up to a certain Orange Book standard such as B2 without having completed the certification process. The evaluation procedures are available on the NCSC's Trusted Product Evaluation Program page. The original evaluation procedure is called the Bright Blue Book.

Some of the Operating Systems are ancient, aren't they?

Sure are. Not all the certified OSes are still in production: some have vanished completely, and some (such as Multics) have ascended to the OS hall of fame. Where vendors can still be found, they have been listed on the Orange Book Links page.

The Orange Book is old, isn't it?

Yes, the original Orange Book was CSC-STD-001-83 from 1983; the current one is DOD-5200.28-STD from 1985. However, the fundamentals of operating system design have remained constant, so the Orange Book is still widely used.

An attempt was made to update the Criteria in 1991. Although these changes were not incorporated into the Orange Book, the proposals are of some interest and will probably be added to this site at a later date.

Where can I get hardcopy Rainbow Books?

The Federation of American Scientists say this:

    As of 14 February 1997 the NSA is no longer passing out free hardcopy of the Rainbow books to mere citizens. If you aren't satisfied with what's online, don't bother contacting the Government Printing Office, cause the whole series is outta print as far as they are concerned.

The RUMINT is that the National Technical Information Service will sell you hardcopy if you contact them [sorry, I don't have a price list...] 

OTOH, if you cash a US Government paycheck [direct hire, contractor, etc] you can request complimentary copies of these publications from the NSA Information System Security Organization Service Center, call 

          (800) 688-6115 or
          (410) 684-7661 

     or write 

          Department of Defense
          National Security Agency
          ATTN: V (NISC) 
          9800 Savage Road
          Ft. George G. Meade, MD 20755-6755

Failing that you can try searching through specialists in rare and out-of-print books. Ground Zero Books (or see their Amazon zShop) is a good place to contact as they often carry Rainbow series books. If you study or work at a University, you should be able to obtain microfiche copies through your National Library service.

Why does this site exist anyway?

The Orange Book Summary was originally created simply to help understand the DoD's classifications when purchasing equipment. It was put on the web due to overwhelming demand from the Usenet community in 1996 (i.e. I innocently posted "hey I have a summary of the Orange Book, does anyone want it" and came back to a mailbox stuffed full of requests).

Who uses it?

The summary is mostly used by IT professionals, students, academics, military and governmental organisations. The summary has had about 50,000 hits since it went online. 

Who can I contact about this site?

Contact dynamoo@spamcop.net

Dynamoo 1997-2002