Frequently Asked Questions (V4)
TCSEC Criteria Concepts
Contents
- What is the TCSEC?
- What does it mean for a product to be "compliant" with the TCSEC?
- What is the Orange Book?
- What is the Rainbow Series?
- What is the TNI?
- What is the TDI?
- What are Process Action Team (PAT) Guidance Working Group (PGWG) documents?
- What are security features?
- What is assurance?
- What is a division?
- What is a class?
- What is a network component?
- What is RAMP?
- What is a Network Security Architecture Design (NSAD) document?
- The TCSEC is over 10 years old, doesn't that mean it's outdated?
- How do the TCSEC and its interpretations apply to routers and
firewalls?
- Does a trusted system require custom hardware?
- What are the requirements for a D/C1/C2/B1/B2/B3/A1 System?
- How do I interpret a TCSEC rating?
1. What is the TCSEC?
The Trusted Computer System Evaluation Criteria (TCSEC) is a
collection of criteria that was previously used to grade or rate the security
offered by a computer system product. No new evaluations are being started
against the TCSEC, although some begun earlier are still ongoing at this time. The TCSEC is sometimes
referred to as "the Orange Book" because of its orange cover.
The current version is dated 1985 (DOD 5200.28-STD, Library No.
S225,711). The TCSEC, its interpretations, and guidelines all
have different color covers and are sometimes known as the
"Rainbow Series" (see TCSEC Criteria Concepts FAQ, Question 4.)
It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html>
2. What does it mean for a product to be "compliant" with the TCSEC?
If a product has been evaluated by the Trusted Product
Evaluation Program (TPEP) or Trust Technology Assessment
Program (TTAP) to comply with the requirements of a
rated class, then it means that an independent assessment
showed the product to have the features and assurances of that
class. It does not mean that the product is impenetrable. It
is even possible that the independent assessment overlooked
some failure to meet the criteria, although we work hard to prevent that. A vendor claim to be
"compliant" without an evaluation often doesn't mean very much
since the vendor's interpretation of the requirement may not be
the same as an independent assessor's would be or consistent with
the interpretation used by competing products.
3. What is the Orange Book?
See TCSEC Criteria Concepts FAQ, Question 1.
4. What is the Rainbow Series?
The "Rainbow Series" is the name given to the collection of
interpretation documents (e.g., TNI and TDI) and guidance
documents (e.g., Guide to Understanding MAC, Password
Guidelines) published by the National Computer Security Center
(NCSC). Each document has a different color cover; thus, the
name "Rainbow Series." The guidelines of the rainbow series,
are designed to expand on, and clarify, the requirements in the
Trusted Computer System Evaluation Criteria (TCSEC). They are,
however, only guidance. The words of the requirements and
interpretations are used as the metric for evaluation, not the
guidelines. The Trusted
Computer System Evaluation Criteria (TCSEC) and the
other rainbow series documents are available at
<http://www.radium.ncsc.mil/tpep/library/rainbow/>.
5. What is the TNI?
The Trusted Network Interpretation (TNI) of the TCSEC, also
referred to as "The Red Book," is a restating of the
requirements of the TCSEC in a network context. Systems of the
type described by Part I of the TNI (sometimes called distributed
or homogeneous systems) are often evaluated directly against the
TCSEC without reference to the TNI. TNI component evaluations
are evaluations performed against Appendix A of the TNI.
It is available at <http://www.radium.ncsc.mil/tpep/library/rainbow/index.html>.
6. What is the TDI?
The Trusted Database Interpretation (TDI) of the TCSEC is
similar to the Trusted Network Interpretation (TNI) in that it
decomposes a system into independently evaluatable components.
It differs from the TNI in that the paradigm for this
decomposition is the evaluation of an application (e.g.,
database) running on an already evaluated system. The Trusted
Product Evaluation Program (TPEP) has to date only evaluated
databases using this interpretation. In principle arbitrary
trusted applications could be evaluated. It is available at
<http://www.radium.ncsc.mil/tpep/library/rainbow/index.html>.
7. What are Process Action Team (PAT) Guidance Working Group (PGWG)
documents?
The PGWG (sometimes pronounced pig-wig) documents are also known
as the Form and Content documents. These documents were
published by the Trusted Product Evaluation Program
(TPEP) and are designed to provide guidance to vendors
submitting products for evaluation. This guidance is not
security or requirements guidance in the Rainbow Series style.
Rather, these documents provide rules used by the TPEP in
accepting products into evaluation to ensure that the
information provided to the evaluation team is in a state that
is most conducive to an expeditious and trouble-free
evaluation. The document discussing design documentation is
available in postscript at
<http://www.radium.ncsc.mil/tpep/library/process_documents/PATdesign.ps>. The
document discussing test documentation is available in postscript
from <http://www.radium.ncsc.mil/tpep/library/process_documents/PATtest.ps>. These
documents are not used by the Trust Technology Assessment Program (TTAP).
8. What are security features?
A security feature is a specific implementable function in a
system which supports some part of the system's security
policy. Examples of security features would be access control,
trusted path, and audit. The Trusted Computer System
Evaluation Criteria (TCSEC) (see TCSEC Criteria Concepts FAQ,
Question 1)
ratings are not designed to express the rating of individual
features, as the Common Criteria for Information Technology
Security Evaluation (CCITSE) does. Rather, each class
specifies a set of security features that a system must
implement in order to be rated at that class. However, many
evaluations are given "extra credit" in the evaluation results
for successful implementations of features that are required
only in a higher overall rating in the criteria.
9. What is assurance?
In the context of the Trusted Computer System Evaluation
Criteria (TCSEC), assurance coincides with correctness
assurance. It is a measure of confidence that the security
features and architecture of a computer system accurately
mediate and enforce the system security policy. The TCSEC's
assurance-related requirements constrain development methods
(e.g., configuration management) and software engineering
practices (e.g., modular code). Higher evaluation classes
contain more assurance-promoting requirements and give more
confidence in correctness.
10. What is a division?
A division is a set of classes (see Question 11)
from the Trusted Computer System Evaluation Criteria (TCSEC) (see
TCSEC Criteria Concepts FAQ, Question 1). There are four
divisions, A, B, C, and D, in decreasing order of assurance and features. Thus, a system
evaluated at a class in division B has more security features
and/or a higher confidence that the features work as intended
than a system evaluated at a class in division C. Although the
Computer Security Subsystem Interpretation (CSSI) of the TCSEC
specifies criteria for various D ratings, these are not
reflected in the TCSEC itself, which has no requirements for D
division systems. An unrated system is, by default, division
D.
11. What is a class?
A class is the specific collection of requirements in the
Trusted Computer System Evaluation Criteria (TCSEC) to which an
evaluated system conforms. There are seven classes in the
TCSEC: A1, B3, B2, B1, C2, C1, and D, in decreasing order of
features and assurances. Thus, a system evaluated at class B3
has more security features and/or a higher confidence that the
security features work as intended than a system evaluated at
class B1. The requirements for a higher class are always a
superset of the lower class. Thus a B2 system meets every C2
functional requirement and has a higher level of assurance.
12. What is a network component?
A "network component" is the target of evaluation for a Trusted
Network Interpretation (TNI) evaluation (see
TCSEC Criteria Concepts FAQ,
Question 5) done against appendix A of the TNI. These
"network component" evaluations allocate basic requirements
(Mandatory Access Control (MAC); Discretionary Access Control
(DAC); Audit; and Identification and Authentication) to
components of a "network system". Each component may be
evaluated in isolation. The TPEP does evaluate TNI
components that independently meet all basic requirements (but
nevertheless have an interface to other, perhaps identical
components), but has not evaluated any TNI component
that met none of the basic requirements (relying totally on
other components for the security features). The TPEP attempted to develop
a more integrated approach to the evaluation
of TNI components. The preliminary report of the changes
envisioned is available in postscript at
<http://www.radium.ncsc.mil/tpep/library/process_documents/cwg-draft.ps>.
This work has been subsumed into work on the Common Criteria's Common
Evaluation Methodology (see
Criteria FAQ, Question 5).
13. What is RAMP?
The Rating Maintenance Phase (RAMP) Program was established to
provide a mechanism to extend the previous TCSEC rating to a new
version of a previously evaluated computer system product.
RAMP seeks to reduce evaluation time and effort required to
maintain a rating by using the personnel involved in the
maintenance of the product to manage the change process and
perform Security Analysis. Thus, the burden of proof for RAMP
efforts lies with those responsible for system maintenance
(i.e., the vendor or TEF) instead of with an evaluation team.
Requirements exist in the Common Criteria for Information
Technology Security Evaluation (CCITSE) for maintenance of existing
EAL levels. A RAMP-like program is currently being developed to
address these requirements.
14. What is a Network Security Architecture Design (NSAD) document?
The documentation for a network component (see
TCSEC Criteria Concepts FAQ,
Question 12) must include a Network Security Architecture Design
(NSAD) document which describes the security expectations by this
component about other components. Each component evaluation
proceeds under the assumption that the expectations of the NSAD
are met by the other components. A collection of components
designed around the same architecture should interoperate
securely.
15. The TCSEC is over 10 years old, doesn't that mean it's outdated?
The Trusted Computer System Evaluation Criteria (TCSEC) was
published in 1985. While some of the details need
interpretation for current systems, in general the requirements
of the TCSEC are at a level of abstraction that has not
experienced great change. The Common Criteria (see
Criteria FAQ, Question 2) provides more flexible criteria for
evaluating modern systems.
16. How do the TCSEC and its interpretations apply to routers and
firewalls?
The Trusted Network Interpretation (TNI) of the TCSEC has been
used to evaluate these types of products. While there is some
value to those evaluations it is true that many of the specific
mechanisms of these products on which one might wish to have an
evaluator comment are not recognized by the TNI. Using
the Common Criteria for Information Technology Security Evaluation
(CCITSE), (see Criteria FAQ,
Question 2) firewall protection profiles for sensitive but
unclassified environments have been written and are available
at
<http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html>.
17. Does a trusted system require custom hardware?
A system does not require custom hardware to be successfully
evaluated against the Trusted Computer System Evaluation
Criteria (TCSEC) or Common Criteria for Information Technology
Security Evaluation (CCITSE). However, all TCSEC evaluations
and many, perhaps most, CCITSE evaluations consider the
security of the system hardware as well as software. For every
evaluated product, there is an evaluated configuration. The
evaluated configuration lists the specific hardware and
software evaluated. A given evaluation may require hardware
with certain security features used by the software, and the
software may require certain optional features be enabled or
disabled. The Final Evaluation Report (FER)
(see Evaluated Products FAQ,
Question 6) lists the evaluated hardware and software. The
Trusted Facility Manual (TFM) for the product will give
detailed guidance on configuring the hardware and software
securely.
18. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?
The Interpreted Trusted Computer System Evaluation Criteria
(ITCSEC) available in postscript at
<http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>
contains the definitive set of requirements for each TCSEC
class. In Summary:
Class D is reserved for those systems that have been evaluated
but that fail to meet the requirements for a higher evaluation
class.
The Trusted Computing Base (TCB) of a class C1 system
nominally satisfies the discretionary security requirements by
providing separation of users and data. It incorporates some
form of credible controls capable of enforcing access
limitations on an individual basis, i.e., ostensibly suitable
for allowing users to be able to protect project or private
information and to keep other users from accidentally reading
or destroying their data. The class C1 environment is
expected to be one of cooperating users processing data at the
same level of sensitivity.
Class C2 systems enforce a more finely grained
discretionary access control than C1 systems, making users
individually accountable for their actions through login
procedures, auditing of security-relevant events, and resource
isolation.
Class B1 systems require all the features required for class
C2. In addition, an informal statement of the security policy
model, data labeling (e.g., secret or proprietary), and
mandatory access control over named subjects and objects must
be present. The capability must exist for accurately labeling
exported information.
In class B2 systems, the TCB is based on a clearly defined and
documented formal security policy model that requires the
discretionary and mandatory access control enforcement found
in class B1 systems be extended to all subjects and objects in
the automated data processing system. In addition, covert
channels are addressed. The TCB must be carefully structured
into protection-critical and non-protection-critical
elements. The TCB interface is well-defined and the TCB
design and implementation enable it to be subjected to more
thorough testing and more complete review. Authentication
mechanisms are strengthened, trusted facility management is
provided in the form of support for system administrator and
operator functions, and stringent configuration management
controls are imposed. The system is relatively resistant to
penetration.
The class B3 TCB must satisfy the reference monitor
requirements that it mediate all accesses of subjects to
objects, be tamperproof, and be small enough to be subjected
to analysis and tests. To this end, the TCB is structured to
exclude code not essential to security policy enforcement,
with significant system engineering during TCB design and
implementation directed toward minimizing its complexity. A
security administrator is supported, audit mechanisms are
expanded to signal security-relevant events, and system
recovery procedures are required. The system is highly
resistant to penetration.
Systems in class A1 are functionally equivalent to those in
class B3 in that no additional architectural features or
policy requirements are added. The distinguishing feature of
systems in this class is the analysis derived from formal
design specification and verification techniques and the
resulting high degree of assurance that the TCB is correctly
implemented. This assurance is developmental in nature,
starting with a formal model of the security policy and a
formal top-level specification (FTLS) of the design. An FTLS
is a top level specification of the system written in a
formal mathematical language to allow theorems (showing the
correspondence of the system specification to its formal
requirements) to be hypothesized and formally proven. In
keeping with the extensive design and development analysis of
the TCB required of systems in class A1, more stringent
configuration management is required and procedures are
established for securely distributing the system to sites. A
system security administrator is supported.
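The B1 paragraph above names the two access-control mechanisms a labeled system must combine (mandatory control over labeled subjects and objects, plus the discretionary control carried up from C2), and the B3 paragraph names the reference monitor property that every access be mediated and audited. The following is an added illustration written for this FAQ, not TCSEC text and not code from any evaluated product: a minimal reference monitor in which a read is permitted only when the subject's label dominates the object's (hierarchical level at least as high and categories a superset), a write only when the object's label dominates the subject's, and the DAC permission list must also grant the mode. The level names, users, objects and class names are constructed sample data.

```python
"""Added illustration of a labeled reference monitor: MAC by label dominance,
DAC by per-object permission lists, and an audit record for every decision.
Not TCSEC text; level names, users and objects are constructed sample data."""
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (constructed sample set).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # non-hierarchical categories

    def dominates(self, other: "Label") -> bool:
        """Dominance: level at least as high and categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Subject:
    user: str
    label: Label


@dataclass
class Obj:
    name: str
    label: Label
    acl: dict  # DAC: user -> set of permitted modes, e.g. {"read", "write"}


class ReferenceMonitor:
    """Every access goes through check(); nothing else touches objects."""

    def __init__(self):
        self.audit: list = []

    def check(self, subj: Subject, obj: Obj, mode: str) -> bool:
        if mode == "read":
            # MAC: read only if the subject's label dominates the object's (no read up).
            mac_ok = subj.label.dominates(obj.label)
        elif mode == "write":
            # MAC: write only if the object's label dominates the subject's (no write down).
            mac_ok = obj.label.dominates(subj.label)
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        # DAC: the object's permission list must also grant the mode; both checks must pass.
        dac_ok = mode in obj.acl.get(subj.user, set())
        decision = mac_ok and dac_ok
        # Audit every mediated access, granted or denied, with the reason components.
        self.audit.append({"user": subj.user, "object": obj.name, "mode": mode,
                           "mac": mac_ok, "dac": dac_ok, "granted": decision})
        return decision


def demo() -> tuple:
    """Constructed scenario; returns (decisions, audit trail) for inspection."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    report = Obj("report", Label("SECRET", frozenset({"CRYPTO"})),
                 acl={"alice": {"read", "write"}, "bob": {"read", "write"}})
    bulletin = Obj("bulletin", Label("UNCLASSIFIED"),
                   acl={"alice": {"read", "write"}, "bob": {"read", "write"}})
    results = {
        "alice reads report": rm.check(alice, report, "read"),        # MAC ok, DAC ok
        "bob reads report": rm.check(bob, report, "read"),            # DAC grants, MAC denies read up
        "alice writes bulletin": rm.check(alice, bulletin, "write"),  # MAC denies write down
        "bob writes report": rm.check(bob, report, "write"),          # write up allowed, DAC ok
        "alice reads bulletin": rm.check(alice, bulletin, "read"),    # MAC ok, DAC ok
    }
    return results, rm.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, granted in decisions.items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The point the audit trail makes is the one the B1 text makes: DAC alone would have let bob read the SECRET report, and the mandatory check is what stops it. The code is a model for reading the requirement, not a trusted implementation; a real TCB must also be tamperproof and must mediate every path to the object, which a Python class cannot guarantee.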
19. How do I interpret a TCSEC rating?
A product evaluated against TCSEC-based criteria will have one
of several styles of ratings. A product
evaluated directly against the Trusted Computer System Evaluation
Criteria (TCSEC) will have one of the seven class ratings: A1,
B3, B2, B1, C2, C1, or D (see
TCSEC Criteria Concepts FAQ, Question 11.) In
addition a TCSEC evaluated product may be evaluated to have met
requirements above its class. These would be specified
additionally such as "meets the B1 requirements and the B2
Trusted Path requirement." It is very important to note that,
for example, a B1 evaluated system with B2 trusted path,
provides significantly less confidence that trusted path is
implemented correctly than a B2 evaluated system. In other words,
the assurance is always that of the system's rated
class.
Another form of rating is a Trusted Network Interpretation
(TNI) component (see TCSEC Criteria Concepts FAQ,
Question 5) rating. TNI
component ratings specify the evaluated class as well as which
of the four basic security services the evaluated component
provides. Thus, a B2-MD component is one that provides both
Mandatory Access Control (MAC) and Discretionary Access Control
(DAC). A B1-MDIA component is one that provides MAC, DAC,
Identification and Authentication, and Audit. Since a B1-MDIA
component meets all the Trusted Computer System Evaluation
Criteria (TCSEC) requirements for B1, it is likely that this
component is also evaluated as a B1 system if it can be used in
a non-network configuration.
A third form of rating is a Trusted Database Interpretation
(TDI) rating. This rating is the same as a TCSEC rating except
that the rating applies to the composite of the evaluated
application and each of the listed underlying systems.
Products evaluated against the Computer Security
Subsystem Interpretation (CSSI) of the TCSEC have been given
variations of D division ratings. These
appear for example as I&A/D2, Audit/D1, DAC/D3, and OR/D.
These products all have very low assurance regardless of the
features.
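The three rating forms above (a plain TCSEC class, a TNI component class with its service letters, and a CSSI feature with a D-division variant) are small enough to parse mechanically, which is useful when an inventory of legacy evaluated products has to be compared against a required class. The following is an added example, not from this FAQ or the TPEP: it parses the rating strings in the formats the text gives (A1 to D, B2-MD, B1-MDIA, I&A/D2, OR/D), applies the superset rule from Question 11, recognises the all-four-services component the text says is equivalent to a full TCSEC system, and keeps the assurance of a "B1 with B2 trusted path" product at B1. The function names and the extras tuple format are hypothetical.

```python
"""Added example: parse TCSEC, TNI component and CSSI rating strings and
compare them.  Rating formats are those described in this FAQ; the function
names and the (class, feature) extras format are this example's own."""
import re

# TCSEC classes from lowest to highest; a higher class is a superset of a lower one.
CLASSES = ["D", "C1", "C2", "B1", "B2", "B3", "A1"]
# TNI Appendix A basic services, keyed by the letter used in component ratings.
SERVICES = {"M": "MAC", "D": "DAC", "I": "Identification and Authentication", "A": "Audit"}

TCSEC_RE = re.compile(r"^(?P<cls>A1|B[123]|C[12]|D)$")
TNI_RE = re.compile(r"^(?P<cls>A1|B[123]|C[12])-(?P<svc>[MDIA]{1,4})$")
CSSI_RE = re.compile(r"^(?P<feat>I&A|Audit|DAC|OR)/(?P<cls>D[123]?)$")


def parse_rating(text: str) -> dict:
    """Return {'kind', 'class', 'services', ...} for one rating string."""
    text = text.strip()
    if m := TCSEC_RE.match(text):
        # A whole system at a class provides all four basic services.
        return {"kind": "tcsec", "class": m["cls"], "services": list(SERVICES.values())}
    if m := TNI_RE.match(text):
        letters = m["svc"]
        if len(set(letters)) != len(letters):
            raise ValueError(f"repeated service letter in {text!r}")
        return {"kind": "tni-component", "class": m["cls"],
                "services": [SERVICES[c] for c in letters]}
    if m := CSSI_RE.match(text):
        # CSSI ratings are D-division variants: the D1..D3 suffix grades the one
        # feature, not system assurance, so the TCSEC class stays D.
        return {"kind": "cssi", "class": "D", "subsystem_level": m["cls"],
                "services": [m["feat"]]}
    raise ValueError(f"unrecognised rating {text!r}")


def class_rank(cls: str) -> int:
    return CLASSES.index(cls)


def meets_class(rating: dict, required: str) -> bool:
    """Superset rule: the rated class meets every requirement of a lower class."""
    return class_rank(rating["class"]) >= class_rank(required)


def is_full_tcsec_system(rating: dict) -> bool:
    """A TNI component providing all four basic services meets the whole class."""
    return set(rating["services"]) == set(SERVICES.values())


def meets_feature(rating: dict, feature: str, at_class: str, extras=()) -> bool:
    """Does the product meet `feature` as required at `at_class`?  True if its
    rated class already covers that class, or if the evaluators listed that
    specific higher-class feature as extra credit, e.g. ("B2", "Trusted Path")."""
    return meets_class(rating, at_class) or (at_class, feature) in set(extras)


def assurance_class(rating: dict, extras=()) -> str:
    """Extra features above the class never raise the assurance level."""
    return rating["class"]


if __name__ == "__main__":
    b1 = parse_rating("B1")
    extras = (("B2", "Trusted Path"),)
    print(parse_rating("B2-MD"), parse_rating("B1-MDIA"), parse_rating("I&A/D2"))
    print("B1 + B2 trusted path meets B2 trusted path:",
          meets_feature(b1, "Trusted Path", "B2", extras),
          "assurance:", assurance_class(b1, extras))
```

The regular expressions are deliberately strict: an unknown class such as B4, a CSSI feature outside the four the text lists, or a repeated service letter is rejected rather than guessed at, since a rating string that does not match an evaluation actually performed should not be accepted into an inventory.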
Some systems have been evaluated against the Compartmented Mode
Workstation (CMW) criteria. The CMW criteria levy minimum
features and assurances from the TCSEC as well as additional
usability criteria (e.g., specifying that the window system must
manipulate windows at multiple levels in certain ways.) The
TPEP has treated these systems as standard TCSEC evaluations
with additional requirements. From a security perspective the
CMW requirements do not preclude a B2 or higher CMW, however,
all CMW evaluated systems are B1 evaluated with
additional TCSEC features above the evaluated class.
Last updated Wed Aug 25 06:43:31 1999
URL: http://www.radium.ncsc.mil/tpep/process/faq-sect4.html