Appendix A The Orange Book

The Department of Defense's Trusted Computer System Evaluation Criteria, or Orange Book, contains criteria for building systems that provide specific sets of security features and assurances (U.S. DOD, 1985d; see Box A.1). However, the Orange Book does not provide a complete basis for security:

  • Its origin in the defense arena is associated with an emphasis on disclosure control that seems excessive to many commercial users of computers. There is also a perception in the marketplace that it articulates defense requirements only.

  • It specifies a coherent, targeted set of security functions that may not be general enough to cover a broad range of requirements in the commercial world. For example, it does not provide sufficient attention to information integrity and auditing. It says little about networked systems (despite the attempts made by the current and anticipated versions of the Trusted Network Interpretation, or Red Book (U.S. DOD, 1987)). Also, it provides only weak support for management control practices, notably individual accountability and separation of duty.

  • The Orange Book process combines published system criteria with system evaluation and rating (relative to the criteria) by the staff of the National Computer Security Center. This process provides no incentive or reward for security capabilities that go beyond, or do not literally answer, the Orange Book's specific requirements.

  • Familiarity with the Orange Book is uneven within the broader community of computer manufacturers, managers, auditors, insurers, and system users. Its definitions and concepts have not been expressed in the vocabulary typically used in general information



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.