Orange Book

Last Edited



What is the Orange Book?

Orange Book is another name for the publication Trusted Computer Systems Evaluation Criteria (TCSEC), published by the National Computer Security Center (NCSC) of the U.S. Department of Defense.

Orange Book standards are used to evaluate the security of both stand-alone and network operating systems (NOS’s). The current version of this publication dates from 1985. The Orange Book, which was named for its orange cover, is actually a part of a series of computer system security guidelines and standards that are collectively known as the Rainbow Series.

Orange Book

The Orange Book provides methods of assessing the security of a specific computer system, and it offers hardware and software manufacturers guidance on how to create products that can be certified as secure by the U.S. government and military.

For example, Microsoft Windows Server in certain configurations complies with the C2 (Controlled Access Protection) security standards outlined in the Orange Book. C2 is applied not to operating systems but to specifically tested physical computers running those operating systems.

C2 is one of a family of security designations that the Orange Book applies to computer systems, which include the following:

  • D (Minimal Protection):For systems that were evaluated but failed. 
  • C1 (Discretionary Security Protection):Provides separation between users and data by using access controls. 
  • C2 (Controlled Access Protection):Adds user accountability to C1 in the form of logons, auditing, and other features. 
  • B1 (Labeled Security Protection):Builds on C2 by including informal written security policies, data labeling, and mandatory access control. 
  • B2 (Structured Protection):Builds on B1 by including formal written security policies, separation of critical and noncritical elements, and protection against covert entry. 
  • B3 (Security Domains):Builds on B2 by including reference monitoring of all object access to ensure security, a designated security administrator, and system recovery procedures. 
  • A1 (Verified Design):The same as B3, except security is verified by both testing and analysis of formal design. An A1 system is considered impenetrable to hostile attack.

External References: