All You Need to Know About TCSEC for the Exam

Repeat this 10 times: TCSEC is the Orange Book, and contains a security assurance classification system from D to A.


Did you repeat it 10 times? Don’t think of it as me telling you what to do, because I promise once you repeat it ten times, you’ll have a better technique to answer any exam questions pertaining to TCSEC, the Trusted Computer System Evaluation Criteria. Some points about TCSEC:

  • Created by the NSA in the 1980s

  • The first attempt to implement access control on systems with different security levels

  • It is no longer used today, but will be on the exam

  • Enforces confidentiality NOT integrity

  • Security clearance and classification labels (Mandatory Access Control) do not apply until Division B

  • Division A is the most secure system

  • Division D is the least secure system

Let’s break down each of the classes within each division for further analysis, and also because it is on the exam.

Division D: Minimal Protection

A “D” rating fails to meet any of the below classification assurance levels.

Division C: Discretionary Protection

Deals with subjects and objects using Discretionary Access Control (DAC). A “C” rating has two different classes of individual assurance.

Class 1 (C1 Rating): Discretionary Security Protection

  • Users have the same security levels (there is no secret, top secret…)

  • Subjects and objects are separated requiring identification and authentication for access

  • Lower-level executions should not affect higher-level executions

  • Provides low security, but still trusted

  • Required documentation:

    • System Design

    • Protection Mechanisms

    • Test documents

    • Facility manual (description of the proper environment in which to configure the system)

Class 2 (C2 Rating): Controlled Access Protection

  • Provides an audit feature

  • Does not allow data to be remnant after use (No Object Reuse!)

  • Temporary files and objects in use must be erased after use to prevent compromise

  • Assurance is suitable enough for commercial applications and programs

  • Provides more strict access control between subjects and objects

  • Most reasonable for commercial products

  • For systems that require accountability
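The two C2 requirements that trip people up on the exam, auditing and object reuse, are easiest to see in code. The following is an added example, not code from the original notes: a tiny pool of reusable buffers in which every acquire and release is written to an audit log and a released buffer is zeroed before it can be handed to the next subject, so no remnant data survives reuse. The class and subject names (BufferPool, AuditLog, "alice", "bob") are constructed for illustration.

```python
"""Added example (not from the original notes): a fixed-size buffer pool that
meets two C2-style requirements -- every allocation and release is audited,
and a released buffer is overwritten before reuse so no remnant data remains.
Names (BufferPool, AuditLog, the subject ids) are constructed for illustration."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuditRecord:
    subject: str      # who performed the action
    action: str       # "acquire" or "release"
    slot: int         # which buffer in the pool


@dataclass
class AuditLog:
    records: List[AuditRecord] = field(default_factory=list)

    def record(self, subject: str, action: str, slot: int) -> None:
        self.records.append(AuditRecord(subject, action, slot))


class BufferPool:
    """Pool of reusable fixed-size bytearrays with object-reuse protection."""

    def __init__(self, count: int, size: int, audit: AuditLog) -> None:
        self._buffers = [bytearray(size) for _ in range(count)]
        self._free = list(range(count))                 # unallocated slot indices
        self._owner: List[Optional[str]] = [None] * count
        self._audit = audit

    def acquire(self, subject: str) -> int:
        """Hand a zeroed buffer slot to `subject`; raise if the pool is exhausted."""
        if not self._free:
            raise MemoryError("pool exhausted")
        slot = self._free.pop()
        self._owner[slot] = subject
        self._audit.record(subject, "acquire", slot)
        return slot

    def buffer(self, subject: str, slot: int) -> bytearray:
        """Return the buffer only to the subject that currently owns the slot."""
        if self._owner[slot] != subject:
            raise PermissionError(f"{subject} does not own slot {slot}")
        return self._buffers[slot]

    def release(self, subject: str, slot: int) -> None:
        """Release the slot, overwriting its contents so the next owner sees only zeros."""
        if self._owner[slot] != subject:
            raise PermissionError(f"{subject} does not own slot {slot}")
        buf = self._buffers[slot]
        buf[:] = bytes(len(buf))                        # object reuse: clear remnant data
        self._owner[slot] = None
        self._free.append(slot)
        self._audit.record(subject, "release", slot)


def demo_no_remnant() -> bool:
    """Alice writes a secret and releases the buffer; Bob then acquires the same
    slot.  Returns True when Bob's buffer holds no trace of Alice's data and
    all three actions were audited."""
    audit = AuditLog()
    pool = BufferPool(count=1, size=16, audit=audit)
    slot = pool.acquire("alice")
    pool.buffer("alice", slot)[:6] = b"SECRET"
    pool.release("alice", slot)
    same_slot = pool.acquire("bob")
    leaked = b"SECRET" in bytes(pool.buffer("bob", same_slot))
    return same_slot == slot and not leaked and len(audit.records) == 3


if __name__ == "__main__":
    print("remnant-free reuse:", demo_no_remnant())
```

The ownership check in `buffer()` and `release()` is the DAC piece already required at C1; the zeroing in `release()` and the audit trail are what C2 adds on top of it.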

Division B: Mandatory Protection

Deals with security labels. Remember the Bell-LaPadula model? How it deals only with confidentiality through the use of security labels? Think of Mandatory Access Control (MAC) when thinking of the Division B assurance level.

Class 1 (B1): Labeled Security

  • Subjects must have clearance, objects must have classification label

  • Subject’s access to objects must correlate between clearance and label

  • Based on informal security policy

  • For systems that handle classified data

Class 2 (B2): Structured Protection

  • Trusted communication between subject and object; cannot be bypassed

  • Checks for covert storage channels

  • More granular review and testing process than B1

  • Based on formal security policy that is CLEARLY DEFINED and DOCUMENTED

  • For systems that contain sensitive data

  • Operators and administrators must have separate environments and roles (user level vs kernel level)

  • Must be somewhat resistant to penetration and compromise

  • Requires a higher level of security and contains sensitive data

Class 3 (B3): Security Domains

  • Design must not be too complex, as that increases vulnerabilities

  • Checks for covert timing channels

  • Role of security administrator defined

  • Unnecessary programming code is taken out of protection mechanisms

  • System must recover from failures and reboot securely

  • Must be highly resistant to penetration and compromise

  • For highly secure environments with sensitive information

  • Trusted Recovery of the system

Division A: Verified Protection

The difference between B and A is not so much in its requirements, but in HOW it is evaluated. Division A is evaluated very strictly with formal methods.

Class 1 (A1): Verified Design

  • Similar to the B3 rating

  • Highly detailed and granular evaluation of this system

  • Even the transportation of the system is subject to evaluation

  • System CANNOT be compromised as it contains top-secret data

  • Trusted Recovery of the system

Not really as exciting as many of the other domains, but it is important to learn. Building a system securely provides an exceptional level of protection mechanisms to reduce risk (risk = threat x vulnerability).

  • Sumesh M S

    Role of security administrator defined in B3

    • studynotesandtheory

      Sumesh! Thanks so much for the input! I have edited the page to reflect your findings! Thanks again!

  • Deepak J Bhatia

    Very good explanation
    The lowest TCSEC class wherein the systems must support separate operator and system administrator roles is B2

  • IdentityThief

    Awesome explanation. What about Common Criteria and Assurance Levels. What will be the best way to memorize them?

  • MikeD_VABeach

    Thanks! I have an exam next week and this helped sum up all of the other stuff I’ve been studying very nicely. Cheers!

    • studynotesandtheory

      You’re welcome, good luck on the exam!