Trusted Computer System Evaluation Criteria – “The Orange Book”
I’m currently studying for CISSP (Certified Information Systems Security Professional), and while it does dive deep into risk analysis and business cyber security objectives, it also has a couple of history lessons baked into it.
The "Orange Book" is the common name for the Trusted Computer System Evaluation Criteria (TCSEC), an evaluation model developed by the U.S. Department of Defense. It earned its nickname because it was originally published with a bright orange cover.
It was a pioneering effort to define security levels for information systems, focusing primarily on data confidentiality. While it set the stage for later models, it is now considered legacy and has been largely replaced by the Common Criteria. A key limitation is that the Orange Book only addressed standalone systems; network security was later addressed in the "Red Book".
According to the Orange Book, there are 4 main levels of protection, ranging from minimal (Division D) to verified (Division A).
Trusted Computing Base
The Trusted Computing Base, or TCB, is a design principle that combines software, hardware and controls to form the basis of a security implementation. It includes a concept called the Reference Monitor, an abstract machine that mediates all access between subjects (users/processes) and objects (files/devices).
Division D – Minimal Protection
Whilst other divisions are split into classes, Division D is not. It is simply defined as being:
“…reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.”
Put another way, Division D is for systems that have no adequate protection.
Division C – Discretionary Protection
Division C is split into two classes, C1 and C2.
Classes in this division provide for discretionary (need-to-know) protection and, through the inclusion of audit capabilities, for accountability of subjects and the actions they initiate.
In Division C, access is discretionary, meaning the system will implement whatever the data owner puts in place. If they want to open it up to everyone, that is what will happen.
Class C1
C1 is the first class that provides any actual security. It requires users to authenticate, and it also requires data owners to be able to set permissions, hence the ‘discretionary’ part.
Class C2
The biggest difference between C1 and C2 is the added requirement for logging. The logging must record security-related events (logins, file access, permission changes) and the identity of the user who performed them. In C2 shared accounts are no longer acceptable; there must be individual accountability.
Division B – Mandatory Protection
Class B1
The jump from C2 to B1 is the biggest transition in TCSEC. Access is based on security labels, and the system (the 'reference monitor') makes the decision based on a central policy. Even the data owner cannot share data with someone who doesn't have the required clearance level.
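As an added illustration (not from the original post or from the Orange Book itself), the following toy reference monitor in Python models the Division C discretionary ACL, the C2 per-user audit trail, and the B1 mandatory label check in one place; the level names, users and file are constructed sample data.

```python
# Toy reference monitor: discretionary ACLs (Division C), mandatory labels (B1)
# and a C2-style audit trail. Constructed teaching model, not a real TCSEC system.
from dataclasses import dataclass, field
# Hierarchical levels only (constructed sample; real labels also carry categories).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass
class Subject:
    name: str        # one account per person: C2 individual accountability
    clearance: str

@dataclass
class Object:
    name: str
    owner: str
    label: str
    acl: set = field(default_factory=set)   # owner-managed read permissions

class ReferenceMonitor:
    def __init__(self, mandatory: bool):
        self.mandatory = mandatory   # False models Division C, True models B1
        self.audit = []              # (user, object, action, decision) records

    def grant(self, actor: Subject, obj: Object, grantee: str) -> bool:
        # Discretionary control: only the data owner may extend permissions.
        ok = actor.name == obj.owner
        if ok:
            obj.acl.add(grantee)
        self._log(actor.name, obj.name, "grant", ok)
        return ok

    def read(self, subj: Subject, obj: Object) -> bool:
        ok = subj.name == obj.owner or subj.name in obj.acl
        # Mandatory control (B1), "no read up": clearance must dominate the label,
        # whatever the owner granted; the central policy overrides the owner.
        if self.mandatory and LEVELS[subj.clearance] < LEVELS[obj.label]:
            ok = False
        self._log(subj.name, obj.name, "read", ok)
        return ok

    def _log(self, user, obj, action, ok):
        self.audit.append((user, obj, action, "ALLOW" if ok else "DENY"))

def demo(mandatory: bool):
    alice = Subject("alice", "SECRET")
    bob = Subject("bob", "CONFIDENTIAL")
    doc = Object("plan.txt", owner="alice", label="SECRET")
    rm = ReferenceMonitor(mandatory)
    rm.grant(alice, doc, "bob")   # the owner opens the file to bob
    return rm.read(bob, doc), rm.audit
```

Run `demo(False)` and `demo(True)` side by side: the same owner grant lets bob read under discretionary protection but is overridden by the label check under mandatory protection, and the audit trail names the individual who attempted each action either way.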
Class B2
Stepping up from B1 to B2 (Structured Protection) is often described as moving from "functional security" to "architectural security." In B1, the system simply adds labels to an existing design. In B2, the entire system must be re-architected from the ground up to be inherently secure.
B2 requires the TCB to be structured and divided into protection-critical and non-protection-critical parts. It explicitly deals with covert channels, and requires a trusted path for user authentication. Whereas in B1 only data is labelled, in B2 labelling is extended to everything, including devices such as printers.
Class B3
To achieve B3, a system must satisfy the Reference Monitor concept perfectly: it must be tamper-proof, always invoked, and small enough to be subjected to rigorous analysis. Any code that does not absolutely need to be part of the TCB must be removed.
While C2 onwards all require logging, B3 requires real-time security monitoring: the system must alert administrators to security violations as they occur.
B3 requires trusted recovery, introducing the concept of fail-secure and secure boot.
Finally, B3 requires timing channel attacks to be mitigated.
Division A – Verified Protection
Class A1
While B3 requires "analysis" of timing and storage channels, A1 requires formal methods to identify them. Designers must use automated tools and mathematical modeling to find any potential path where data could leak, ensuring that even the most obscure "side-channel" attacks are accounted for.
A1 is the only level that strictly mandates security for the shipping and handling of the system, and in A1, the Trusted Computing Base verification isn't limited to just the software. The firmware and the hardware design itself must be scrutinized to ensure they don't contain any undocumented features that could bypass the security kernel.
Beyond A1
“Most of the security enhancements envisioned for systems that will provide features and assurance in addition to that already provided by class (A1) systems are beyond current technology.”
The "Beyond A1" section is a theoretical discussion of where technology might allow security classifications and requirements to develop. It discusses concepts that would later be introduced in the Red Book.
Conclusion
The Orange Book might be legacy, but it provides the basis for modern cyber security frameworks that are in use today. It maps the path from unprotected to advanced, verified protection, and addresses the gap between design and implementation.
TCSEC focuses on confidentiality, and largely ignores integrity and availability. These concepts are introduced in future frameworks, but the principles laid out in TCSEC remain the foundation for security policies in 2026.
