Orange Book FAQ
What is the "Orange Book"?
The Orange Book is a set of criteria
used by the US Department of Defense (DoD) for evaluating the security
features of computer systems. It is widely used in the IT industry as a
benchmark for security standards. There is a whole set of NCSC Rainbow
Series books, from Orange to Hot Peach.
There are other "Orange Books" and
I often get asked questions about these as well :) Hey guys, read the site
before you send me an email!
Is there a certification procedure?
Yes, the DoD has a certification procedure.
However, some manufacturers will state that their product is up to a certain
Orange Book standard such as B2 without having completed the certification
process. The evaluation procedures are available on the NCSC's Trusted
Product Evaluation Program page. The original evaluation procedure
is called the Bright Blue Book.
Some of the Operating Systems are ancient, aren't they?
Sure are. Not all the certified OSes are still in production: some have
vanished completely, and some (such as Multics) have ascended to the OS
hall of fame. Where vendors can still be found, these have been listed on
the Orange Book Links page.
The Orange Book is old, isn't it?
Yes, the original Orange Book was CSC-STD-001-83 from 1983; the current
one is DOD-5200.28-STD from 1985. However, the fundamentals
of operating system design have remained constant so the Orange Book is
still widely used.
An attempt was made to update
the Criteria in 1991. Although these changes were not incorporated into
the Orange Book, the proposals are of some interest and will probably be
added to this site at a later date.
Where can I get hardcopy Rainbow Books?
The Federation of American Scientists say this:
As of 14 February 1997 the NSA is no longer passing out free hardcopy of the
Rainbow books to mere citizens. If you aren't satisfied with what's online,
don't bother contacting the Government Printing Office, cause the whole
series is outta print as far as they are concerned.
The RUMINT is that the National Technical Information Service will sell you
hardcopy if you contact them [sorry, I don't have a price list...]
OTOH, if you cash a US Government paycheck [direct hire, contractor, etc]
you can request complimentary copies of these publications from the NSA
Information System Security Organization Service Center, call
(800) 688-6115 or (410) 684-7661 or write
Department of Defense
National Security Agency
ATTN: V (NISC)
9800 Savage Road
Ft. George G. Meade, MD 20755-6755
Failing that, you can try searching through specialists in rare and
out-of-print books. Ground Zero Books (or see their Amazon zShop) is a good
place to contact as they often carry Rainbow series books. If you study or
work at a university, you should be able to obtain microfiche copies
through your National Library service.
Why does this site exist anyway?
The Orange Book Summary was originally
created simply to help understand the DoD's classifications when purchasing
equipment. It was put on the web due to overwhelming demand from the Usenet
community in 1996 (i.e. I innocently posted "hey I have a summary of the
Orange Book, does anyone want it" and came back to a mailbox stuffed full
of requests).
Who uses it?
The summary is mostly used by IT professionals,
students, academics, military and governmental organisations. The summary
has had about 50,000 hits since it went online.
Who can I contact about this site?
Contact dynamoo@spamcop.net