Trusted Computer System Evaluation Criteria Totally Explained

Everything about Tcsec totally explained

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued by the National Computer Security Center (NCSC) an arm of the National Security Agency in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005.

TCSEC Fundamental Objectives/Requirements

Policy

The security policy must be explicit, well-defined and enforced by the computer system. There are two basic security policies:

Mandatory Security Policy - Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
- Marking - Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
Discretionary Security Policy - Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.

Accountability

Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent which can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. There are three requirements under the accountability objective:

Identification - The process used to recognize an individual user.

Authentication - The verification of an individual user's authorization to specific categories of information.

Auditing - Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.

Assurance

The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:

Assurance Mechanisms

Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
Life-cycle Assurance : Security Testing, Design Specification and Verification, Configuration Management and Trusted Distribution

Continuous Protection Assurance - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.

Documentation

Within each class there's additional documentation set which addresses the development, deployment and management of the system rather than its capabilities. This documentation includes:

Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation

Divisions and Classes

The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.

D — Minimal Protection

Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division.

C — Discretionary Protection

C1 — Discretionary Security Protection

Separation of users and data
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis

C2 — Controlled Access Protection

More finely grained DAC
Individual accountability through login procedures
Audit trails
Resource isolation
Required System Documentation and user manuals.

B — Mandatory Protection

B1 — Labeled Security Protection

Informal statement of the security policy model
Data sensitivity labels
Mandatory Access Control (MAC) over select subjects and objects
Label exportation capabilities
All discovered flaws must be removed or otherwise mitigated

B2 — Structured Protection

Security policy model clearly defined and formally documented
DAC and MAC enforcement extended to all subjects and objects
Covert storage channels are analyzed for occurrence and bandwidth
Carefully structured into protection-critical and non-protection-critical elements
Design and implementation enable more comprehensive testing and review
Authentication mechanisms are strengthened
Trusted facility management is provided with administrator and operator segregation
Strict configuration management controls are imposed

B3 — Security Domains

Satisfies reference monitor requirements
Structured to exclude code not essential to security policy enforcement
Significant system engineering directed toward minimizing complexity
A security administrator is supported
Audit security-relevant events
Automated imminent intrusion detection, notification, and response
Trusted system recovery procedures
Covert timing channels are analyzed for occurrence and bandwidth
An example of such a system is the XTS-300, a precursor to the XTS-400

A — Verified Protection

A1 — Verified Design

Functionally identical to B3
Formal design and verification techniques including a formal top-level specification
Formal management and distribution procedures
An example of such a system is SCOMP, a precursor to the XTS-400

Beyond A1

System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.

Matching classes to environmental requirements

Army Regulation 380-19

is an example of a guide to determining which system class should be used in a given situation.

Further Information

Get more info on 'Tcsec'.

External Link Exchanges

Do you know how hard it is to get a link from a large encyclopaedia? Well we're different and will prove it. To get a link from us just add the following HTML to your site on a relevant page:

<a href="http://trusted_computer_system_evaluation_criteria.totallyexplained.com">Trusted Computer System Evaluation Criteria Totally Explained</a>

Then simply click through this link from your web page. Our crawlers will verify your link, extract the title of your web page and instantly add a link back to it. If you like you can remove the words Totally Explained and embed the link in article text.
As long as your link remains in place, we'll keep our link to you right here. Please play fair - our crawlers are watching. Your site must be closely related to this one's topic. Any kind of spamming, dubious practises or removing the link will result in your link from us being dropped and, potentially, your whole site being banned.