On 24 October 2002, The Orange Book was canceled by DoDD 8500.1, which was later reissued as DoDI 8500.02, on 14 March 2014.
Policy
The security policy must be explicit, well-defined, and enforced by the computer system. Three basic security policies are specified:
Mandatory Security Policy – Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
Marking – Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
Discretionary Security Policy – Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
Accountability
Individual accountability must be enforced regardless of policy. A secure means must exist to ensure that an authorized and competent agent can access the accountability information and evaluate it within a reasonable amount of time and without undue difficulty. The accountability objective includes three requirements:
Identification – The process used to recognize an individual user.
Authentication – The verification of an individual user's authorization to specific categories of information.
Auditing – Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
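The following toy reference monitor is an added illustration of the Policy and Accountability requirements above; it is constructed for this page and is not code from the Orange Book or from any evaluated system. It assumes a small set of hierarchical levels, non-hierarchical categories for need-to-know compartments, a password hash as the authentication secret, and an in-memory audit list; the user names, passwords and object contents are made-up sample data. A read is permitted only after identification and authentication, only when the subject's clearance dominates the object's mandatory label (level and categories), and only when the discretionary need-to-know list names the user; every decision is written to the audit trail under the authenticated identity, and an exported object carries its marking with it.

```python
"""Toy reference monitor for TCSEC-style policy and accountability (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Hierarchical sensitivity levels: a higher number dominates a lower one (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Mandatory access control label: one level plus a set of non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates an object label when its level is at least as high
        # and it holds every category the object is marked with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    name: str
    data: str
    label: Label                           # marking is stored with the object itself
    acl: set = field(default_factory=set)  # discretionary need-to-know list (user ids)


@dataclass
class User:
    uid: str
    clearance: Label
    pw_hash: bytes


class ReferenceMonitor:
    def __init__(self):
        self.users, self.objects = {}, {}
        self.audit = []           # (uid, action, object, ALLOW/DENY, reason) records
        self._sessions = set()    # uids that have been authenticated

    # Accountability: identification (uid) and authentication (password hash check).
    def login(self, uid: str, password: str) -> bool:
        user = self.users.get(uid)
        ok = user is not None and hmac.compare_digest(
            user.pw_hash, hashlib.sha256(password.encode()).digest())
        self._log(uid, "LOGIN", "-", ok, "authenticated" if ok else "bad credentials")
        if ok:
            self._sessions.add(uid)
        return ok

    # Policy: mandatory check (clearance vs. label) first, then discretionary need-to-know.
    def read(self, uid: str, obj_name: str):
        obj = self.objects[obj_name]
        if uid not in self._sessions:
            decision, reason = False, "unauthenticated"
        elif not self.users[uid].clearance.dominates(obj.label):
            decision, reason = False, "mandatory"
        elif uid not in obj.acl:
            decision, reason = False, "discretionary"
        else:
            decision, reason = True, "granted"
        self._log(uid, "READ", obj_name, decision, reason)
        return obj.data if decision else None

    # Marking: an exported object keeps its label attached to the data.
    def export(self, uid: str, obj_name: str):
        data = self.read(uid, obj_name)
        if data is None:
            return None
        lab = self.objects[obj_name].label
        return {"label": f"{lab.level}//{','.join(sorted(lab.categories))}", "data": data}

    def _log(self, uid, action, obj, ok, reason):
        # The audit record names the individual, so actions can be traced back to them.
        self.audit.append((uid, action, obj, "ALLOW" if ok else "DENY", reason))


def build_demo_monitor() -> ReferenceMonitor:
    """Populate the monitor with constructed sample users and objects."""
    rm = ReferenceMonitor()
    pw = lambda s: hashlib.sha256(s.encode()).digest()
    rm.users["alice"] = User("alice", Label("TOP SECRET", frozenset({"OPS"})), pw("alice-pw"))
    rm.users["bob"] = User("bob", Label("SECRET", frozenset({"OPS"})), pw("bob-pw"))
    rm.users["dave"] = User("dave", Label("TOP SECRET"), pw("dave-pw"))  # no OPS category
    rm.objects["ops-plan"] = Obj("ops-plan", "sample plan text",
                                 Label("TOP SECRET", frozenset({"OPS"})), {"alice", "bob", "dave"})
    rm.objects["budget"] = Obj("budget", "sample budget text", Label("CONFIDENTIAL"), {"bob"})
    return rm


if __name__ == "__main__":
    rm = build_demo_monitor()
    rm.login("alice", "alice-pw")
    print(rm.export("alice", "ops-plan"))
    for record in rm.audit:
        print(record)
```

Running the script shows one granted read exported with its `TOP SECRET//OPS` marking and the audit trail that records it; the test cases below also exercise the three denial paths (unauthenticated, clearance level or category too low, not on the need-to-know list), each of which leaves its own attributable audit record.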
Assurance
The computer system must contain hardware/software mechanisms which can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
Continuous Protection Assurance – The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering or unauthorized changes.
Documentation
Within each class, an additional set of documentation addresses the development, deployment, and management of the system rather than its capabilities. This documentation includes:
Security Features User's Guide, Trusted Facility Manual, Test Documentation, and Design Documentation
Divisions and classes
The TCSEC defines four divisions: D, C, B, and A, where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place in the evaluated system. Additionally, divisions C, B, and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3, and A1. Each division and class expands or modifies, as indicated, the requirements of the immediately prior division or class.
D – Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division.
* Formal design and verification techniques including a formal top-level specification
* Formal management and distribution procedures
* Examples of A1-class systems are Honeywell's SCOMP, Aesec's GEMSOS, and Boeing's SNS Server. Two that were unevaluated were the production LOCK platform and the cancelled DEC VAX Security Kernel.
Beyond A1
* System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base.
* Security Testing automatically generates test cases from the formal top-level specification or formal lower-level specifications.
* Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
* Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted personnel.
Matching classes to environmental requirements
The publication entitled "Army Regulation 380-19" is an example of a guide to determining which system class should be used in a given situation.