Question 170. What are the Orange and Red Books?

The Department of Defense (DOD) publication Trusted Computer System Evaluation Criteria (TCSEC) is also called the Orange Book. It specifies the criteria the DOD uses to evaluate the security of a product. The assessed features include the system's security policy, marking, identification, accountability, assurance, and continuous protection. Based on the assessment, the system's security is classified into one of four hierarchies, with A providing the most security and D providing minimal or non-existent security. Each hierarchy is in turn divided into a number of levels.

The Red Book was published to provide subsidiary information that enables the Orange Book principles to be applied in a network environment. It was initially published as the Trusted Network Interpretation (TNI) of the Trusted Computer System Evaluation Criteria. Acceptance of these criteria has grown to the extent that some commercial companies require their purchases to satisfy a specific level of security as described in the Orange and Red Books.