This document is a summary of the US
Department of Defense Trusted Computer System Evaluation Criteria,
known as the Orange Book. Although originally written for military systems,
the security classifications are now broadly used within the computer industry,
You can get further information on
the Orange Book and Rainbow Series by looking at the Orange
Book Links page. Example Operating System descriptions link to
the NCSC Evaluated
The DoD security categories range
from D (Minimal Protection) to A (Verified Protection).
D - Minimal Protection
Any system that does not comply to any
other category, or has failed to receive a higher classification. D-level
certification is very rare.
C - Discretionary Protection
Discretionary protection applies to
Trusted Computer Bases (TCBs) with optional object (i.e. file, directory,
devices etc.) protection.
C1 - Discretionary Security Protection
Discretionary Access Control, for example
Access Control Lists (ACLs), User/Group/World protection.
Usually for users who are all on the
same security level.
Username and Password protection and
secure authorisations database (ADB).
Protected operating system and system
Periodic integrity checking of TCB.
Tested security mechanisms with no obvious
Documentation for User Security.
Documentation for Systems Administration
Documentation for Security Testing.
TCB design documentation.
Typically for users on the same security
C1 certification is rare. Example systems
are earlier versions of Unix, IBM RACF.
C2 - Controlled Access Protection
As C1, plus
Object protection can be on a single-user
basis, e.g. through an ACL or Trustee database.
Authorisation for access may only be
assigned by authorised users.
Object reuse protection (i.e. to avoid
reallocation of secure deleted objects).
Mandatory identification and authorisation
procedures for users, e.g. Username/Password.
Full auditing of security events (i.e.
date/time, event, user, success/failure, terminal ID)
Protected system mode of operation.
Added protection for authorisation and
Documentation as C1 plus information
on examining audit information.
This is one of the most common certifications.
Example Operating Systems are: VMS,
NT, Novell NetWare
7, DG AOS/VS
B - Mandatory Protection
Division B specifies that the TCB protection
systems should be mandatory, not discretionary.
B1 - Labelled Security Protection
As C2 plus:
Mandatory security and access labelling
of all objects, e.g. files, processes, devices etc.
Label integrity checking (e.g. maintenance
of sensitivity labels when data is exported).
Auditing of labelled objects.
Mandatory access control for all operations.
Ability to specify security level printed
on human-readable output (e.g. printers).
Ability to specify security level on
any machine-readable output.
Enhanced protection of Operating System.
Example OSes are: HP-UX
BLS, Cray Research Trusted
Unicos 8.0, Digital SEVMS,
B2 - Structured Protection
As B1 plus:
Notification of security level changes
affecting interactive users.
Hierarchical device labels.
Mandatory access over all objects and
Trusted path communications between
user and system.
Tracking down of covert storage channels.
Tighter system operations mode into
multilevel independent units.
Covert channel analysis.
Improved security testing.
Formal models of TCB.
Version, update and patch analysis and
Example systems are: Honeywell Multics,
B3 - Security Domains
As B2 plus:
ACLs additionally based on groups and
Trusted path access and authentication.
Automatic security analysis.
TCB models more formal.
Auditing of security auditing events.
Trusted recovery after system down and
Zero design flaws in TCB, and minimum
The only B3-certified OS is Getronics/Wang
A - Verified Protection
Division A is the highest security division.
A1 - Verified Protection
As B3 plus:
A2 and above
Provision is made for security levels
higher than A2, although these have not yet been formally defined. No OSes
are rated above A1.