All You Need to Know About TCSEC for the Exam

Repeat this 10 times:
TCSEC is the Orange Book, and contains a security assurance classification system from D to A.

The Orange Book

Did you repeat it 10 times?  Don’t think of it as me telling you what to do, because I promise once you repeat it ten times, you’ll have a better technique to answer any exam questions pertaining to TCSEC, the Trusted Computer System Evaluation Criteria.

Some points about TCSEC:

  • Created by the NSA in the 1980s
  • The first attempt to implement access control on systems with different security levels
  • It is no longer used today, but will be on the exam
  • Enforces confidentiality NOT integrity
  • Security clearance and classification labels (Mandatory Access Control) do not apply until Division B
  • Division A is the most secure system
  • Division D is the least secure system

Let’s break down each of the classes within each division for further analysis, and also because it is on the exam.

Division D: Minimal Protection

A “D” rating is given to any evaluated system that fails to meet the requirements of the classification assurance levels below.

Division C: Discretionary Protection

Deals with subjects and objects using Discretionary Access Control (DAC).

A “C” rating has two different classes of individual assurance.

Class 1 (C1 Rating): Discretionary Security Protection

  • Users have the same security levels (there is no secret, top secret…)
  • Subjects and objects are separated, requiring identification and authentication for access
  • Lower-level executions should not affect higher-level executions
  • Provides low security, but still trusted
  • Required documentation:
      • System Design
      • Protection Mechanisms
      • Test documents
      • Facility manual (description of the proper environment in which to configure the system)

Class 2 (C2 Rating): Controlled Access Protection

  • Provides an audit feature
  • Does not allow data to remain in storage after use (No Object Reuse!)
  • Temporary files and objects in use must be erased after use to prevent compromise
  • Assurance is suitable enough for commercial applications and programs
  • Provides stricter access control between subjects and objects
  • Most reasonable for commercial products
  • For systems that require accountability
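To make the C2 object-reuse requirement concrete, here is an added example (not code from the original post or from TCSEC itself) of a tiny buffer pool that recycles storage between subjects. The pool, its API and the sample content are assumptions constructed for illustration; the same idea applies to memory pages, disk blocks and temporary files. Without scrubbing on release, the next subject to receive the buffer sees whatever the previous owner left behind; with scrubbing, it receives zeroed storage.

```python
"""Object reuse (TCSEC C2) in miniature: a buffer pool that hands out recycled
storage. Added example; the pool and its API are assumptions, not TCSEC's own."""


class BufferPool:
    """A fixed-size pool of reusable byte buffers, standing in for any storage
    object a trusted system recycles (memory pages, disk blocks, temp files)."""

    def __init__(self, count: int, size: int, clear_on_release: bool):
        self.size = size
        # True models the C2 object-reuse requirement; False models a system
        # that simply hands the old storage to the next subject.
        self.clear_on_release = clear_on_release
        self._free = [bytearray(size) for _ in range(count)]

    def alloc(self) -> bytearray:
        # Hand out a buffer without touching its content: whatever the previous
        # owner left behind is visible to the new owner unless release() scrubbed it.
        return self._free.pop()

    def release(self, buf: bytearray) -> None:
        if self.clear_on_release:
            buf[:] = bytes(self.size)  # overwrite before the object returns to the pool
        self._free.append(buf)


def residual_data_after_reuse(clear_on_release: bool) -> bytes:
    """Simulate one subject writing sensitive data, releasing the buffer, and a
    second subject being allocated the same storage. Returns what the second
    subject sees."""
    pool = BufferPool(count=1, size=16, clear_on_release=clear_on_release)
    first = pool.alloc()
    first[:] = b"TOP-SECRET:ALPHA"  # constructed sample content, exactly 16 bytes
    pool.release(first)
    second = pool.alloc()  # the same underlying object comes back
    return bytes(second)


if __name__ == "__main__":
    print("without object reuse control:", residual_data_after_reuse(False))
    print("with object reuse control:   ", residual_data_after_reuse(True))
```

The point of the example is the audit question an evaluator asks at C2: is there any path by which a freed object reaches a new subject without being cleared? Here the answer depends entirely on the `clear_on_release` policy.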

Division B: Mandatory Protection

Deals with security labels.  Remember the Bell-LaPadula model, and how it deals only with confidentiality through the use of security labels?

Think of Mandatory Access Control (MAC) when thinking of the Division B assurance level.

Class 1 (B1): Labeled Security

  • Subjects must have clearance, objects must have classification label
  • Subject’s access to objects must correlate between clearance and label
  • Based on informal security policy
  • For systems that handle classified data
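The shift from Division C to Division B is easiest to see side by side, so here is an added example (not code from the original post, and not TCSEC's own specification) of both rules in miniature. The level ordering, the compartment scheme, the `Label`/`Obj` classes and the alice/bob scenario are all constructed assumptions. Under DAC the owner alone decides who reads an object; under MAC the subject's clearance must dominate the object's label, as in the Bell-LaPadula simple security property, and the owner cannot waive that check.

```python
"""DAC (Division C) versus MAC with labels (Division B) in miniature.
Added example; the level ordering, compartments and policy functions are
assumptions chosen to illustrate the text, not TCSEC's own specification."""

from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments.
    The same type serves as a subject's clearance and an object's classification."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates a classification when its level is at least as
        # high and it includes every compartment of the object.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Obj:
    name: str
    owner: str
    classification: Label
    acl: set = field(default_factory=set)  # subjects the owner has granted read access


def dac_read_allowed(subject: str, obj: Obj) -> bool:
    """Division C rule: the owner decides. Clearance plays no part."""
    return subject == obj.owner or subject in obj.acl


def mac_read_allowed(subject: str, clearance: Label, obj: Obj) -> bool:
    """Division B rule (Bell-LaPadula simple security property): a subject may
    read an object only if its clearance dominates the object's label. The DAC
    check still applies on top, but the label check cannot be waived by the owner."""
    return clearance.dominates(obj.classification) and dac_read_allowed(subject, obj)


def demo() -> dict:
    """Constructed scenario: alice owns a SECRET//CRYPTO file and grants bob
    access, but bob only holds a CONFIDENTIAL clearance with no compartments."""
    clearances = {
        "alice": Label("SECRET", frozenset({"CRYPTO"})),
        "bob": Label("CONFIDENTIAL"),
    }
    plan = Obj("plan.txt", owner="alice",
               classification=Label("SECRET", frozenset({"CRYPTO"})))
    plan.acl.add("bob")  # owner's discretionary grant
    return {
        "dac_bob": dac_read_allowed("bob", plan),                       # True
        "mac_bob": mac_read_allowed("bob", clearances["bob"], plan),    # False
        "mac_alice": mac_read_allowed("alice", clearances["alice"], plan),  # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

Notice that bob's access is granted at Division C and denied at Division B by the same data: the difference is not what alice wanted but whether the system lets her decision override the labels.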

Class 2 (B2): Structured Protection

  • Trusted communication between subject and object; cannot be bypassed
  • NO COVERT CHANNELS
  • More granular review and testing process than B1
  • Based on formal security policy that is CLEARLY DEFINED and DOCUMENTED
  • For systems that contain sensitive data
  • Operators and administrators must have separate environments and roles (user level vs kernel level)
  • Must be somewhat defensible to penetration and compromise
  • Requires higher level of security and contains sensitive data

Class 3 (B3): Security Domains

  • Design must not be too complex, as that increases vulnerabilities
  • Unnecessary programming code is taken out of protection mechanisms
  • System must recover from failures and reboot securely
  • Must be highly defensible to penetration and compromise
  • For highly secure environments with sensitive information

Division A: Verified Protection

The difference between B and A is not so much in its requirements, but in HOW it is evaluated.  Division A is evaluated very strictly with formal methods.

Class 1 (A1): Verified Design

  • Similar to the B3 rating
  • Highly detailed and granular evaluation of this system
  • Even the transportation of the system is subject to evaluation
  • System CANNOT be compromised as it contains top-secret data

Not really as exciting as many of the other domains, but it is important to learn.  Building a system securely provides an exceptional level of protection mechanisms to reduce risk (risk = threat x vulnerability).
