The TCSEC (frequently referred to as “The Orange Book”) is the centerpiece of the “.
Policy
1. Security Policy - There must be an explicit and well-defined security policy enforced by the system.
2. Marking - Access control labels must be associated with objects.

Accountability
3. Identification - Individual subjects must be identified.
4. Accountability - Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party.

Assurance
5. Assurance - The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces requirements 1 through 4 above.
6. Continuous Protection - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.
The TCSEC defines four divisions (D, C, B, A) in ascending hierarchical order, with each division representing a significant difference in the trust one can place in a system so evaluated. Additionally, divisions B and C are broken into a series of hierarchical subdivisions called classes. Within each class the three aforementioned fundamental requirement sets are addressed, with the addition of a fourth set, Documentation. This documentation set addresses the development, deployment, and management of the system rather than its capabilities.
(Each class expands or modifies, as indicated, the requirements of the immediately prior class.)
Division D (Minimal Protection)
- Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.

Division C (Discretionary Protection)
- C1 — Discretionary Security Protection
  - separation of users and data
  - DAC capable of enforcing access limitations on an individual basis
- C2 — Controlled Access Protection
  - more finely grained DAC
  - individual accountability through login procedures
  - audit trails
  - resource isolation

Division B (Mandatory Protection)
- B1 — Labeled Security Protection
  - informal statement of the security policy model
  - data sensitivity labels
  - MAC over selected subjects and objects
  - label exportation capabilities
  - all discovered flaws must be removed or otherwise mitigated
- B2 — Structured Protection
  - clearly defined and documented formal security policy model
  - discretionary and mandatory access control enforcement extended to all subjects and objects
  - covert storage channels are analyzed for occurrence and bandwidth
  - carefully structured into protection-critical and non-protection-critical elements
  - design and implementation enable more comprehensive testing and review
  - authentication mechanisms are strengthened
  - trusted facility management is provided, with administrator and operator segregation
  - strict configuration management controls are imposed
- B3 — Security Domains
  - satisfies Reference Monitor requirements
  - structured to exclude code not essential to security policy enforcement
  - significant system engineering directed toward minimizing complexity
  - a security administrator is supported
  - security-relevant events are audited
  - automated imminent intrusion detection, notification, and response
  - trusted system recovery procedures
  - covert timing channels are analyzed for occurrence and bandwidth

Division A (Verified Protection)
- A1 — Verified Design
  - functionally identical to B3
  - formal design and verification techniques, including a formal top-level specification
  - formal management and distribution procedures
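As an added illustration (not code from the original page or from the TCSEC itself), the following small Python reference monitor ties together the Marking, Identification and Accountability requirements above with the DAC-then-MAC distinction between the C and B classes: every object carries a sensitivity label, every access by an identified user is checked first against a discretionary ACL and then against label dominance, and each decision is appended to an audit trail. The numeric level scale, the user and object names, and the read/write dominance rule (the usual "no read up, no write down" rule, which this page does not spell out) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:                   # sensitivity label (Marking): level + categories
    level: int                 # constructed scale: 0=UNCLASS 1=CONF 2=SECRET 3=TOP SECRET
    categories: frozenset      # compartments such as {"NATO"}
    def dominates(self, other: "Label") -> bool:
        # level at least as high and categories a superset of the other's
        return self.level >= other.level and self.categories >= other.categories

@dataclass
class Subject:
    user: str                  # individually identified user (Identification)
    clearance: Label

@dataclass
class Obj:
    name: str
    label: Label               # every object carries a label
    acl: dict                  # DAC: user -> set of permitted modes

class ReferenceMonitor:
    """Mediates every access: DAC check, then MAC check, then audit record (Accountability)."""
    def __init__(self):
        self.audit = []        # (user, object, mode, decision, failing check or "-")

    def check(self, s: Subject, o: Obj, mode: str) -> bool:
        dac_ok = mode in o.acl.get(s.user, set())
        if mode == "read":     # assumed rule: no read up
            mac_ok = s.clearance.dominates(o.label)
        elif mode == "write":  # assumed rule: no write down
            mac_ok = o.label.dominates(s.clearance)
        else:
            mac_ok = False
        allowed = dac_ok and mac_ok
        reason = "-" if allowed else ("DAC" if not dac_ok else "MAC")
        self.audit.append((s.user, o.name, mode, "ALLOW" if allowed else "DENY", reason))
        return allowed

def run_scenario():
    # Constructed sample: a SECRET/NATO-cleared analyst and an uncleared user, three objects.
    secret_nato = Label(2, frozenset({"NATO"}))
    alice, bob = Subject("alice", secret_nato), Subject("bob", Label(0, frozenset()))
    plan = Obj("plan.txt", secret_nato, {"alice": {"read", "write"}})
    memo = Obj("memo.txt", Label(3, frozenset({"NATO"})), {"alice": {"read"}})
    notice = Obj("notice.txt", Label(0, frozenset()), {"alice": {"read", "write"}, "bob": {"read"}})
    rm = ReferenceMonitor()
    results = {"read_plan": rm.check(alice, plan, "read"),        # ALLOW
               "read_memo": rm.check(alice, memo, "read"),        # DENY (MAC: read up)
               "write_notice": rm.check(alice, notice, "write"),  # DENY (MAC: write down)
               "bob_write": rm.check(bob, notice, "write")}       # DENY (DAC: not in ACL)
    return results, rm.audit
```

The audit tuples record which check failed, so a denied access can be traced both to the responsible user and to the policy element (discretionary or mandatory) that blocked it.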
Army Regulation 380-19 is an example of a guide to determining which system class should be used in a given situation.