Frequently Asked Questions (V4)

TCSEC Criteria Concepts

Contents

  1. What is the TCSEC?
  2. What does it mean for a product to be "compliant" with the TCSEC?
  3. What is the Orange Book?
  4. What is the Rainbow Series?
  5. What is the TNI?
  6. What is the TDI?
  7. What are Process Action Team (PAT) Guidance Working Group (PGWG) documents?
  8. What are security features?
  9. What is assurance?
  10. What is a division?
  11. What is a class?
  12. What is a network component?
  13. What is RAMP?
  14. What is a Network Security Architecture Design (NSAD) document?
  15. The TCSEC is over 10 years old, doesn't that mean it's outdated?
  16. How do the TCSEC and its interpretations apply to routers and firewalls?
  17. Does a trusted system require custom hardware?
  18. What are the requirements for a D/C1/C2/B1/B2/B3/A1 System?
  19. How do I interpret a TCSEC rating?

1. What is the TCSEC?

The Trusted Computer System Evaluation Criteria (TCSEC) is a collection of criteria that was previously used to grade or rate the security offered by a computer system product. No new evaluations are being started against the TCSEC, although some evaluations already in progress are still ongoing at this time. The TCSEC is sometimes referred to as "the Orange Book" because of its orange cover. The current version is dated 1985 (DOD 5200.28-STD, Library No. S225,711). The TCSEC, its interpretations, and guidelines all have different color covers and are collectively known as the "Rainbow Series" (see TCSEC Criteria Concepts FAQ, Question 4). It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html>

2. What does it mean for a product to be "compliant" with the TCSEC?

If a product has been evaluated by the Trusted Product Evaluation Program (TPEP) or Trust Technology Assessment Program (TTAP) to comply with the requirements of a rated class, then it means that an independent assessment showed the product to have the features and assurances of that class. It does not mean that the product is impenetrable. It is even possible that the independent assessment overlooked some failure to meet the criteria, although we work hard to prevent that. A vendor claim to be "compliant" without an evaluation often doesn't mean very much since the vendor's interpretation of the requirement may not be the same as an independent assessor's would be or consistent with the interpretation used by competing products.

3. What is the Orange Book?

See TCSEC Criteria Concepts FAQ, Question 1.

4. What is the Rainbow Series?

The "Rainbow Series" is the name given to the collection of interpretation documents (e.g., TNI and TDI) and guidance documents (e.g., Guide to Understanding MAC, Password Guidelines) published by the National Computer Security Center (NCSC). Each document has a different color cover; thus, the name "Rainbow Series." The guidelines of the rainbow series, are designed to expand on, and clarify, the requirements in the Trusted Computer System Evaluation Criteria (TCSEC). They are, however, only guidance. The words of the requirements and interpretations are used as the metric for evaluation, not the guidelines. The Trusted Computer System Evaluation Criteria (TCSEC) and the other rainbow series documents are available at <http://www.radium.ncsc.mil/tpep/library/rainbow/>.

5. What is the TNI?

The Trusted Network Interpretation (TNI) of the TCSEC, also referred to as "The Red Book," is a restating of the requirements of the TCSEC in a network context. Systems of the type described by Part I of the TNI (sometimes called distributed or homogeneous systems) are often evaluated directly against the TCSEC without reference to the TNI. TNI component evaluations are evaluations performed against Appendix A of the TNI. It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/index.html>.

6. What is the TDI?

The Trusted Database Interpretation (TDI) of the TCSEC is similar to the Trusted Network Interpretation (TNI) in that it decomposes a system into independently evaluatable components. It differs from the TNI in that the paradigm for this decomposition is the evaluation of an application (e.g., database) running on an already evaluated system. The Trusted Product Evaluation Program (TPEP) has to date only evaluated databases using this interpretation. In principle arbitrary trusted applications could be evaluated. It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/index.html>.

7. What are Process Action Team (PAT) Guidance Working Group (PGWG) documents?

The PGWG (sometimes pronounced pig-wig) documents are also known as the Form and Content documents. These documents were published by the Trusted Product Evaluation Program (TPEP) and are designed to provide guidance to vendors submitting products for evaluation. This guidance is not security or requirements guidance in the Rainbow Series style. Rather, these documents provide rules used by the TPEP in accepting products into evaluation to ensure that the information provided to the evaluation team is in a state that is most conducive to an expeditious and trouble-free evaluation. The document discussing design documentation is available in postscript at <http://www.radium.ncsc.mil/tpep/library/process_documents/PATdesign.ps>. The document discussing test documentation is available in postscript from <http://www.radium.ncsc.mil/tpep/library/process_documents/PATtest.ps>. These documents are not used by the Trust Technology Assessment Program (TTAP).

8. What are security features?

A security feature is a specific implementable function in a system which supports some part of the system's security policy. Examples of security features would be access control, trusted path, and audit. The Trusted Computer System Evaluation Criteria (TCSEC) (see TCSEC Criteria Concepts FAQ, Question 1) ratings are not designed to express the rating of individual features, as the Common Criteria for Information Technology Security Evaluation (CCITSE) does. Rather, each class specifies a set of security features that a system must implement in order to be rated at that class. However, many evaluations are given "extra credit" in the evaluation results for successful implementations of features that are required only at a higher class in the criteria.

9. What is assurance?

In the context of the Trusted Computer System Evaluation Criteria (TCSEC), assurance coincides with correctness assurance. It is a measure of confidence that the security features and architecture of a computer system accurately mediate and enforce the system security policy. The TCSEC's assurance-related requirements constrain development methods (e.g., configuration management) and software engineering practices (e.g., modular code). Higher evaluation classes contain more assurance-promoting requirements and give more confidence in correctness.

10. What is a division?

A division is a set of classes (see Question 11) from the Trusted Computer System Evaluation Criteria (TCSEC) (see TCSEC Criteria Concepts FAQ, Question 1). There are four divisions: A, B, C, and D, in decreasing order of assurance and features. Thus, a system evaluated at a class in division B has more security features and/or a higher confidence that the features work as intended than a system evaluated at a class in division C. Although the Computer Security Subsystem Interpretation (CSSI) of the TCSEC specifies criteria for various D ratings, these are not reflected in the TCSEC itself, which has no requirements for D division systems. An unrated system is, by default, division D.

11. What is a class?

A class is the specific collection of requirements in the Trusted Computer System Evaluation Criteria (TCSEC) to which an evaluated system conforms. There are seven classes in the TCSEC: A1, B3, B2, B1, C2, C1, and D, in decreasing order of features and assurances. Thus, a system evaluated at class B3 has more security features and/or a higher confidence that the security features work as intended than a system evaluated at class B1. The requirements for a higher class are always a superset of those for the lower class. Thus a B2 system meets every C2 functional requirement and has a higher level of assurance.

12. What is a network component?

A "network component" is the target of evaluation for a Trusted Network Interpretation (TNI) evaluation (see TCSEC Criteria Concepts FAQ, Question 5) done against Appendix A of the TNI. These "network component" evaluations allocate the basic requirements (Mandatory Access Control (MAC); Discretionary Access Control (DAC); Audit; and Identification and Authentication) to components of a "network system". Each component may be evaluated in isolation. The TPEP does evaluate TNI components that independently meet all basic requirements (but nevertheless have an interface to other, perhaps identical, components), but has not evaluated any TNI component that met none of the basic requirements (relying totally on other components for the security features). The TPEP attempted to develop a more integrated approach to the evaluation of TNI components. The preliminary report of the changes envisioned is available in postscript at <http://www.radium.ncsc.mil/tpep/library/process_documents/cwg-draft.ps>. This work has been subsumed into work on the Common Criteria's Common Evaluation Methodology (see Criteria FAQ, Question 5).

13. What is RAMP?

The Rating Maintenance Phase (RAMP) Program was established to provide a mechanism to extend the previous TCSEC rating to a new version of a previously evaluated computer system product. RAMP seeks to reduce evaluation time and effort required to maintain a rating by using the personnel involved in the maintenance of the product to manage the change process and perform Security Analysis. Thus, the burden of proof for RAMP efforts lies with those responsible for system maintenance (i.e., the vendor or TEF) instead of with an evaluation team.

Requirements exist in the Common Criteria for Information Technology Security Evaluation (CCITSE) for maintenance of existing EAL levels. A RAMP-like program is currently being developed to address these requirements.

14. What is a Network Security Architecture Design (NSAD) document?

The documentation for a network component (see TCSEC Criteria Concepts FAQ, Question 12) must include a Network Security Architecture Design (NSAD) document which describes what this component expects, for its own security, of the other components. Each component evaluation proceeds under the assumption that the expectations of the NSAD are met by the other components. A collection of components designed around the same architecture should therefore interoperate securely.

15. The TCSEC is over 10 years old, doesn't that mean it's outdated?

The Trusted Computer System Evaluation Criteria (TCSEC) was published in 1985. While some of the details need interpretation for current systems, in general the requirements of the TCSEC are at a level of abstraction that has not experienced great change. The Common Criteria (see Criteria FAQ, Question 2) provides more flexible criteria for evaluating modern systems.

16. How do the TCSEC and its interpretations apply to routers and firewalls?

The Trusted Network Interpretation (TNI) of the TCSEC has been used to evaluate these types of products. While there is some value to those evaluations it is true that many of the specific mechanisms of these products on which one might wish to have an evaluator comment are not recognized by the TNI. Using the Common Criteria for Information Technology Security Evaluation (CCITSE), (see Criteria FAQ, Question 2) firewall protection profiles for sensitive but unclassified environments have been written and are available at <http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html>

17. Does a trusted system require custom hardware?

A system does not require custom hardware to be successfully evaluated against the Trusted Computer System Evaluation Criteria (TCSEC) or Common Criteria for Information Technology Security Evaluation (CCITSE). However, all TCSEC evaluations and many, perhaps most, CCITSE evaluations consider the security of the system hardware as well as software. For every evaluated product, there is an evaluated configuration. The evaluated configuration lists the specific hardware and software evaluated. A given evaluation may require hardware with certain security features used by the software, and the software may require certain optional features be enabled or disabled. The Final Evaluation Report (FER) (see Evaluated Products FAQ, Question 6) lists the evaluated hardware and software. The Trusted Facility Manual (TFM) for the product will give detailed guidance on configuring the hardware and software securely.

18. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?

The Interpreted Trusted Computer System Evaluation Criteria (ITCSEC), available in postscript at <http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>, contains the definitive set of requirements for each TCSEC class. In summary:

Class D: Minimal Protection

Class D is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.

Class C1: Discretionary Security Protection

The Trusted Computing Base (TCB) of a class C1 system nominally satisfies the discretionary security requirements by providing separation of users and data. It incorporates some form of credible controls capable of enforcing access limitations on an individual basis, i.e., ostensibly suitable for allowing users to be able to protect project or private information and to keep other users from accidentally reading or destroying their data. The class C1 environment is expected to be one of cooperating users processing data at the same level of sensitivity.

Class C2: Controlled Access Protection

Systems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

Class B1: Labeled Security Protection

Class B1 systems require all the features required for class C2. In addition, an informal statement of the security policy model, data labeling (e.g., secret or proprietary), and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information.

Class B2: Structured Protection

In class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class B1 systems be extended to all subjects and objects in the automated data processing system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non-protection-critical elements. The TCB interface is well-defined and the TCB design and implementation enable it to be subjected to more thorough testing and more complete review. Authentication mechanisms are strengthened, trusted facility management is provided in the form of support for system administrator and operator functions, and stringent configuration management controls are imposed. The system is relatively resistant to penetration.

Class B3: Security Domains

The class B3 TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.

Class A1: Verified Design

Systems in class A1 are functionally equivalent to those in class B3 in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. An FTLS is a top level specification of the system written in a formal mathematical language to allow theorems (showing the correspondence of the system specification to its formal requirements) to be hypothesized and formally proven. In keeping with the extensive design and development analysis of the TCB required of systems in class A1, more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.
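
The step from the C division (discretionary access control plus individual accountability) to the B division (labeled, mandatory access control layered on top of DAC) is easier to see in code than in the summaries above. The following is an added illustration, not code from the TCSEC, TPEP, or any evaluated product. The label names, users, objects, and ACLs are constructed for the example; the lattice ordering and the Bell-LaPadula rules (no read up, no write down) are the standard ones the B1 labeling requirement is built around, but the tiny "reference monitor" below makes no claim to meet any TCSEC class.

```python
"""Toy reference monitor showing DAC-only (C2-style) versus DAC plus labeled MAC (B1-style).

Added example; not part of the original FAQ or of any evaluated product.
All users, labels, objects and ACL entries below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A B1-style sensitivity label: hierarchical level plus non-hierarchical compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of modes ("read", "write")


class ReferenceMonitor:
    """Mediates every subject-to-object access and records an audit event for each decision.

    mac_enabled=False models a C2-style system (DAC plus audit).
    mac_enabled=True adds B1-style label checks; DAC is still enforced underneath.
    """
    def __init__(self, mac_enabled: bool):
        self.mac_enabled = mac_enabled
        self.audit_log: list[dict] = []

    def _dac_permits(self, s: Subject, o: Obj, mode: str) -> bool:
        return s.name == o.owner or mode in o.acl.get(s.name, set())

    def _mac_permits(self, s: Subject, o: Obj, mode: str) -> bool:
        # Bell-LaPadula: simple security property (no read up) and *-property (no write down).
        if mode == "read":
            return s.clearance.dominates(o.label)
        if mode == "write":
            return o.label.dominates(s.clearance)
        return False

    def access(self, s: Subject, o: Obj, mode: str) -> bool:
        dac_ok = self._dac_permits(s, o, mode)
        mac_ok = self._mac_permits(s, o, mode) if self.mac_enabled else True
        granted = dac_ok and mac_ok
        # Individual accountability (a C2 requirement): record who, what, which mode, and the outcome.
        self.audit_log.append({"subject": s.name, "object": o.name, "mode": mode,
                               "dac": dac_ok, "mac": mac_ok, "granted": granted})
        return granted


def demo():
    """Run the same requests through a DAC-only monitor and a DAC+MAC monitor."""
    secret_proj = Label("SECRET", frozenset({"PROJ"}))
    alice = Subject("alice", Label("TOP SECRET", frozenset({"PROJ"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    # alice owns a SECRET/PROJ file and, via DAC, grants bob read access to it.
    plan = Obj("plan.txt", owner="alice", label=secret_proj, acl={"bob": {"read"}})
    # bob owns a CONFIDENTIAL file and grants alice write (but not read) access.
    scratch = Obj("scratch.txt", owner="bob", label=Label("CONFIDENTIAL"), acl={"alice": {"write"}})

    c2 = ReferenceMonitor(mac_enabled=False)
    b1 = ReferenceMonitor(mac_enabled=True)
    results = {
        # DAC alone honours alice's grant, so bob can read the SECRET file.
        "c2_bob_reads_plan": c2.access(bob, plan, "read"),
        # With MAC the grant is overridden: bob's clearance does not dominate SECRET/PROJ.
        "b1_bob_reads_plan": b1.access(bob, plan, "read"),
        # MAC would allow alice to read down, but DAC denies it (ACL gives write only).
        "b1_alice_reads_scratch": b1.access(alice, scratch, "read"),
        # DAC allows the write, but the *-property forbids writing to a lower-labelled object.
        "b1_alice_writes_scratch": b1.access(alice, scratch, "write"),
        # Owner reading her own SECRET/PROJ file: both DAC and MAC pass.
        "b1_alice_reads_plan": b1.access(alice, plan, "read"),
    }
    return results, b1.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for name, ok in decisions.items():
        print(f"{name}: {'granted' if ok else 'denied'}")
    print(f"{len(log)} audit records written by the B1-style monitor")
```

The point to take from the run is that every access passes through one mediation routine (the reference-monitor property that B3 makes explicit), that the MAC check can only deny what DAC would have allowed and never grant what DAC denies, and that the audit record exists whether or not the access succeeded.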

19. How do I interpret a TCSEC rating?

A product evaluated against a TCSEC-based set of criteria will have one of several styles of rating. A product evaluated directly against the Trusted Computer System Evaluation Criteria (TCSEC) will have one of the seven class ratings: A1, B3, B2, B1, C2, C1, or D (see TCSEC Criteria Concepts FAQ, Question 11). In addition, a TCSEC evaluated product may be found to meet requirements above its class. These are stated in addition to the class, for example "meets the B1 requirements and the B2 Trusted Path requirement." It is very important to note that, for example, a B1 evaluated system with B2 trusted path provides significantly less confidence that trusted path is implemented correctly than a B2 evaluated system does. In other words, the assurance is always that of the system's rated class.

Another form of rating is a Trusted Network Interpretation (TNI) component (see TCSEC Criteria Concepts FAQ, Question 5) rating. TNI component ratings specify the evaluated class as well as which of the four basic security services the evaluated component provides. Thus, a B2-MD component is one that provides both Mandatory Access Control (MAC) and Discretionary Access Control (DAC). A B1-MDIA component is one that provides MAC, DAC, Identification and Authentication, and Audit. Since a B1-MDIA component meets all the Trusted Computer System Evaluation Criteria (TCSEC) requirements for B1, it is likely that this component is also evaluated as a B1 system if it can be used in a non-network configuration.

A third form of rating is a Trusted Database Interpretation (TDI) rating. This rating is the same as a TCSEC rating except that the rating applies to the composite of the evaluated application and each of the listed underlying systems.

Products evaluated against the Computer Security Subsystem Interpretation (CSSI) of the TCSEC have been given variations of D division ratings. These appear for example as I&A/D2, Audit/D1, DAC/D3, and OR/D. These products all have very low assurance regardless of the features. Some systems have been evaluated against the Compartmented Mode Workstation (CMW) criteria. The CMW criteria levies minimum features and assurances from the TCSEC as well as additional usability criteria (e.g., specifying that the window system must manipulate windows at multiple levels in certain ways.) The TPEP has treated these systems as standard TCSEC evaluations with additional requirements. From a security perspective the CMW requirements do not preclude a B2 or higher CMW, however, all CMW evaluated systems are B1 evaluated with additional TCSEC features above the evaluated class.
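
The three rating notations quoted in this answer (a TNI component rating such as "B1-MDIA", a CSSI subsystem rating such as "I&A/D2", and a plain TCSEC class with optional extra-credit features) are compact enough to be easy to misread. Below is an added decoder for them, written for this page and not taken from TPEP or the original FAQ. The "B1 + B2 Trusted Path" spelling used for a class with extra credit is an assumption of the example (the FAQ states such ratings in prose); the TNI service letters and the CSSI forms are the ones quoted above. The comparison function encodes the rule stated in this answer: confidence comes from the evaluated class, never from extra features.

```python
"""Decode TCSEC, TNI-component and CSSI-subsystem rating strings.

Added example; not code from TPEP or the original FAQ. Input strings are
constructed to match the forms quoted in the FAQ text. The "<class> + <feature>"
spelling for extra-credit ratings is an assumption of this example.
"""
import re

CLASSES = ["D", "C1", "C2", "B1", "B2", "B3", "A1"]          # lowest to highest assurance
TNI_SERVICES = {"M": "MAC", "D": "DAC", "I": "I&A", "A": "Audit"}
CLASS_RE = r"(A1|B[123]|C[12])"


def assurance_rank(cls: str) -> int:
    """Position of a class in the TCSEC ordering; higher means more assurance."""
    return CLASSES.index(cls)


def parse_rating(text: str) -> dict:
    """Return a structured view of one rating string, or raise ValueError."""
    text = text.strip()

    # TNI component rating: class, hyphen, one letter per basic service provided, e.g. "B2-MD".
    m = re.fullmatch(CLASS_RE + r"-([MDIA]+)", text)
    if m:
        letters = m.group(2)
        if len(set(letters)) != len(letters):
            raise ValueError(f"duplicate service letter in {text!r}")
        return {"kind": "TNI component", "class": m.group(1),
                "services": [TNI_SERVICES[c] for c in letters]}

    # CSSI subsystem rating: feature name, slash, a D-division sub-rating, e.g. "I&A/D2" or "OR/D".
    m = re.fullmatch(r"([A-Za-z&]+)/(D[123]?)", text)
    if m:
        # Whatever the sub-rating, the assurance is that of division D.
        return {"kind": "CSSI subsystem", "class": "D",
                "feature": m.group(1), "subrating": m.group(2)}

    # Plain TCSEC class, optionally followed by "+ <extra-credit feature>[, ...]" (assumed spelling).
    m = re.fullmatch(r"(" + CLASS_RE + r"|D)(?:\s*\+\s*(.+))?", text)
    if m:
        extras = [e.strip() for e in m.group(3).split(",")] if m.group(3) else []
        return {"kind": "TCSEC", "class": m.group(1), "extra_credit": extras}

    raise ValueError(f"unrecognised rating: {text!r}")


def more_assurance(a: str, b: str) -> str:
    """Return whichever rating gives more confidence, judged by class alone (ties go to a)."""
    ra, rb = parse_rating(a), parse_rating(b)
    return a if assurance_rank(ra["class"]) >= assurance_rank(rb["class"]) else b


if __name__ == "__main__":
    for s in ["B1-MDIA", "B2-MD", "I&A/D2", "OR/D", "B1 + B2 Trusted Path"]:
        print(s, "->", parse_rating(s))
    print(more_assurance("B1 + B2 Trusted Path", "B2"))   # B2: extra credit does not raise assurance
```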



Last updated Wed Aug 25 06:43:31 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect4.html