Computer Security Evaluation FAQ, Version 2.1
Trusted Product Evaluation Program
Posting-Frequency: monthly
Archive-name: computer-security/evaluations
The Computer Security Evaluation Frequently Answered Questions (V2.1)
This FAQ is designed to answer common questions about the evaluation of
trusted products. It is being posted to comp.security.misc
comp.security.unix, comp.answers and news.answers. We have attempted to be as
clear, precise, accurate, and correct as possible. Some answers are
undoubtedly closer to this ideal than others. Comments on the FAQ may be sent
to TP...@dockmaster.ncsc.mil. The current official version of this FAQ may be
found at <http://www.radium.ncsc.mil/tpep/process/faq.html>.
----------
Subject: Contents
Section I: The Trusted Product Evaluation Program (TPEP)
1. What is the National Computer Security Center (NCSC)?
2. What is TPEP?
3. How is TPEP related to the National Security Agency (NSA)?
4. How is TPEP related to the National Institute of Standards
and Technology (NIST)?
5. How do I contact the TPEP?
6. What is the TTAP?
7. What is Dockmaster?
8. Why doesn't TPEP have a WWW server on Dockmaster?
Section II: Criteria
1. What is the criteria used for evaluation?
2. What is the TCSEC?
3. What is the Orange Book?
4. What are interpretations?
5. What is the Interpreted TCSEC (ITCSEC)?
6. What is the ITSEC (as opposed to the ITCSEC)?
7. What is the CTCPEC?
8. What is the Common Criteria?
9. What is the TNI?
10. What is the TDI?
11. What is the Rainbow Series?
12. What are Process Action Team (PAT) Guidance Working Group (PGWG)
documents?
13. Is there a criteria for commercial (as opposed to military) systems?
14. What is the Federal Criteria?
15. What are the CMWREQs and the CMWEC?
Section III: Criteria Concepts
1. What are security features?
2. What is assurance?
3. What is a division?
4. What is a class?
5. What is a network component?
6. What is a Network Security Architecture Design (NSAD) document?
7. How do I interpret a rating?
8. The TCSEC is 10 years old, doesn't that mean it's outdated?
9. How do the TCSEC and its interpretations apply to routers and
firewalls?
10. Does a trusted system require custom hardware?
11. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?
Section IV: Evaluations
1. How do I get my product evaluated?
2. What is the evaluation process?
3. How long does an evaluation take?
4. How much does an evaluation cost?
5. How do I find out about the evaluation process?
6. Who actually performs the evaluations?
7. What information is released about an evaluated product?
8. What is RAMP?
Section V: Evaluated Products
1. Should I buy an evaluated product?
2. Does NSA buy/use evaluated products?
3. How do I know if a product is evaluated?
4. What does it mean for a product to be "in evaluation"?
5. What does it mean for a product to be "compliant" with the TCSEC?
6. What and where is the Evaluated Products List (EPL)?
7. How do I get a copy of an evaluation report?
8. Is an evaluated product "hacker proof?"
9. What is the rating of DOS?
10. What is the rating of UNIX?
11. What should I do if evaluated Product X appears to fail a requirement?
12. Why should I buy a B2/B3/A1 product over a C2/B1 product?
13. Is there an approved program to declassify my hard drive?
----------
Subject: Section I: The Trusted Product Evaluation Program (TPEP)
1. What is the National Computer Security Center (NCSC)?
The Department of Defense Computer Security Center was
established in 1981 to encourage the widespread availability of
trusted computer systems for use by facilities processing
classified or other sensitive information. In August 1985 the
name of the organization was changed to the National Computer
Security Center (NCSC). The NCSC may be reached at:
National Computer Security Center
9800 SAVAGE ROAD
FT MEADE MD 20755-6000
or by phone at (410) 859-4376.
2. What is TPEP?
The Trusted Product Evaluation Program (TPEP) is the program by
which the NCSC evaluates computer systems against security
criteria. The Trusted Product Evaluation Program (TPEP) is
operated by an organization separate from the National Computer
Security Center (NCSC). The TPEP performs computer security
evaluations for, and on behalf of, the NCSC.
3. How is TPEP related to the National Security Agency (NSA)?
Both the Trusted Product Evaluation Program (TPEP) and the
National Computer Security Center (NCSC) are organizational
units within the National Security Agency (NSA). The TPEP and
NCSC are two of a number of organizational units within the NSA
responsible for the information system security mission with
respect to classified and sensitive data (see
<http://www.nsa.gov:8080/>).
4. How is TPEP related to the National Institute of Standards
and Technology (NIST)?
In Public Law 100-235 congress directed the National Security
Agency (NSA), of which the Trusted Product Evaluation Program
(TPEP) is a part, to lead the efforts of the United States
Government in information systems security for classified
information. The National Institute of Standards and Technology
(NIST) as part of the Department of Commerce is directed to
lead the efforts for sensitive but unclassified information
with technical support from the NSA. The NSA and NIST have
established a Memorandum of Understanding detailing the
responsibilities of each organization with respect to the other
in this area. While NSA and NIST each have individual efforts,
the agencies attempt to develop methods and standards that are
compatible. (see <http://csrc.ncsl.nist.gov/>)
5. How do I contact the TPEP?
The Trusted Product Evaluation Program can be reached by mail at
V24, TRUSTED PRODUCT EVALUATION PROGRAM
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD STE 6753
FT MEAD MD 20755-6753
or by phone at (410) 859-4458.
6. What is the TTAP?
The Trust Technology Assessment Program (TTAP) is a joint
National Security Agency (NSA) and National Institute of
Standards and Technology (NIST) effort to commercialize the
evaluation of commercial-off-the-shelf (COTS) products at the
lower levels of trust. Under the auspice of the National
Voluntary Laboratory Accreditation Program (NVLAP), TTAP will
establish, accredit and oversee commercial evaluation
laboratories focusing initially on products with features and
assurances characterized by the Trusted Computer System
Evaluation Criteria (TCSEC) B1 and lower levels of trust
(see Section II, Question 2 and Section III, Question 4).
Vendors desiring a level of trust evaluation will contract with
an accredited laboratory and pay a fee for their product's
evaluation. (see <http://csrc.ncsl.nist.gov/ttap/>)
TTAP approval and oversight mechanisms will assure continued
quality and fairness. Using the NVLAP model of standardized
testing and analysis procedures, TTAP will strive to achieve
mutual recognition of evaluations with other nations. The
European Community evaluations are performed under the purview
of national test standardization bodies associated with NVLAP.
The TTAP is being established with a planned transition from
TCSEC based evaluations to Common Criteria based evaluations
(see Section II, Question 8). The implementation of the Common
Criteria will occur upon acceptance of the Common Criteria and
the Common Evaluation Methodology, which is in the process of
being developed.
7. What is Dockmaster?
Dockmaster, or more precisely dockmaster.ncsc.mil, is an
unclassified computer system used by the Trusted Product
Evaluation Program (TPEP) to exchange information between
product evaluators, vendors, and others within the computer
system security community. Dockmaster is based on the
B2-evaluated Honeywell MULTICS product. This is a very old
platform, and efforts are underway to replace Dockmaster with a
more current product. In addition to use by the TPEP and the
NCSC, dockmaster provides service to the information security
community through electronic mail, bulletin boards, and forums
for the exchange of ideas. Online access to the INFOSEC Product
and Services Catalogue is available. Information is provided
about training courses and scheduled INFOSEC conferences.
To register for an account, write to:
Attn: Dockmaster Accounts Administrator
National Computer Security Center
9800 SAVAGE ROAD
FT MEADE MD 20755-6000
8. Why doesn't TPEP have a WWW server on Dockmaster?
Many desirable network access features are not available in the
MULTICS operating system used by Dockmaster. As the system is
upgraded, it is anticipated that it will support some of these
features. The TPEP WWW server is available at
<http://www.radium.ncsc.mil/tpep/>.
----------
Subject: Section II: Criteria
1. What is the criteria used for evaluation?
The criteria currently used by the Trusted Product Evaluation
Program (TPEP) to grade the security offered by a product is
the Trusted Computer System Evaluation Criteria (TCSEC), dated
1985 (see Section II, Question 2)
2. What is the TCSEC?
The Trusted Computer System Evaluation Criteria (TCSEC) is a
collection of criteria used to grade or rate the security
offered by a computer system product. The TCSEC is sometimes
referred to as "the Orange Book" because of its orange cover.
The current version is dated 1985 (DOD 5200.28-STD, Library No.
S225,711) The TCSEC, its interpretations and guidelines all
have different color covers, and are sometimes known as the
"Rainbow Series" (see Section II, Question 11.) It is available at
<http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html>
3. What is the Orange Book?
See Section II, Question 2.
4. What are interpretations?
It is often the case that there are several ways to read a
given statement in the Trusted Computer System Evaluation
Criteria (TCSEC). Interpretations are official statements
articulating which of a number of possible ways to read the
requirement are the acceptable ways for purposes of evaluation
by the TPEP. Interpretations are developed by an group of
highly experienced product evaluators. These interpretations
in proposed form are available for comment by all users of
Dockmaster (see Section 1, Question 6) including vendors with
products in evaluation. After considering the comments and
revising the interpretation as appropriate (sometime through
several rounds of comments and revision) the interpretation is
accepted by the TPEP and officially announced.
5. What is the Interpreted TCSEC (ITCSEC)?
The Interpreted Trusted Computer System Evaluation Criteria
(ITCSEC) is a version of the TCSEC maintained by the Trusted
Product Evaluation Program (TPEP) that annotates the TCSEC
requirements with all current interpretations. It is available
in postscript from
<http://www.radium.ncsc.mil/tpep/library/tpep/ITCSEC.ps>.
6. What is the ITSEC (as opposed to the ITCSEC)?
The Information Technology Security Evaluation Criteria (ITSEC)
is a European-developed criteria filling a role roughly
equivalent to the TCSEC. While the ITSEC and TCSEC have many
similar requirements, there are some important distinctions.
The ITSEC places increased emphasis on integrity and
availability, and attempts to provide a uniform approach to the
evaluation of both products and systems. The ITSEC also
introduces a distinction between doing the right job
(effectiveness) and doing the job right (correctness). In so
doing, the ITSEC allows less restricted collections of
requirements for a system at the expense of more complex and
less comparable ratings and the need for effectiveness analysis
of the features claimed for the evaluation. The question of
whether the ITSEC or TCSEC is the better approach is the
subject of sometimes intense debate. The ITSEC is available in
postscript at
<http://www.radium.ncsc.mil/tpep/library/non-US/ITSEC-1.2.html>.
On 21 August 1995, The National Institute of Standards and
Technology (NIST) released a draft National Computer Systems
Laboratoty (NCSL) Bulletin. This draft bulletin adresses the
relationship of low assurance products evaluated under the
TCSEC, ITSEC, and CTCPEC. In the case of the ITSEC, it is
recommended that if an appropriate C2 rated product is not
available, that ITSEC rated FC2/E2 products be used.
7. What is the CTCPEC?
The Canadian Trusted Computer Product Evaluation Criteria is
the Canadian equivalent of the TCSEC. It is somewhat more
flexible than the TCSEC (along the lines of the ITSEC) while
maintaining fairly close compatibility with individual TCSEC
requirements. The CTCPEC is available at
<http://www.cse.dnd.ca/Services/Criteria/English/Criteria.html>.
On 21 August 1995, The National Institute of Standards and
Technology (NIST) released a draft National Computer Systems
Laboratoty (NCSL) Bulletin. This draft bulletin adresses the
relationship of low assurance products evaluated under the
TCSEC, ITSEC, and CTCPEC. In the case of the CTCPEC, it is
recommended that if an appropriate C2 rated product is not
available, that CTCPEC products rated with a C2 functionality
profile and T1 assurance be used.
8. What is the Common Criteria?
The Common Criteria (CC) occasionally (and somewhat
incorrectly) referred to as the Harmonized Criteria, is a
multinational effort to write a successor to the TCSEC and
ITSEC that combines the best aspects of both. An initial
version (V 1.0) was released in January of 1996. The CC has
a structure closer to the ITSEC than the TCSEC and includes
the concept of a "profile" to collect requirements into easily
specified and compared sets. The TPEP is actively working to
develop profiles and an evaluation process for the CC. We
anticipate beginning several trial CC evaluations late in
calendar year 1996. It is available in postscript from
<http://www.radium.ncsc.mil/tpep/library/ccitse/>
9. What is the TNI?
The Trusted Network Interpretation (TNI) of the TCSEC, also
referred to as "The Red Book," is a restating of the
requirements of the TCSEC in a network context. Evaluations of
the type of systems (sometimes called distributed or
homogeneous) described by Part I are often evaluated directly
against the TCSEC without reference to the TNI. TNI component
evaluations are evaluations performed against Appendix A of the
TNI. (see Section III, Question 5) It is available in at
<http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-005.html>.
10. What is the TDI?
The Trusted Database Interpretation (TDI) of the TCSEC is
similar to the Trusted Network Interpretation (TNI) in that it
decomposes a system into independently evaluatable components.
It differs from the TNI in that the paradigm for this
decomposition is the evaluation of an application (e.g.,
database) running on an already evaluated system. The Trusted
Product Evaluation Program (TPEP) has to date only evaluated
databases using this interpretation. In principle arbitrary
trusted applications could be evaluated. It is available at
<http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-021.html>.
11. What is the Rainbow Series?
The "Rainbow Series" is the name given to the collection of
interpretation documents (e.g., TNI and TDI) and guidance
documents (e.g., Guide to understanding MAC, Password
Guidelines) published by the National Computer Security Center
(NCSC). Each document has a different color cover, thus the
name "Rainbow Series." The guidelines of the rainbow series,
are designed to expand on, and clarify, the requirements in the
Trusted Computer System Evaluation Criteria (TCSEC). They are,
however, only guidance. The words of the requirements and
interpretations are used as the metric for evaluation, not the
guidelines. A single copy of every rainbow series
document is available without charge to U.S. addresses
by writing to:
INFOSEC AWARENESS, ATTN: Y13/IAOC
DEPARTMENT OF DEFENSE
9800 SAVAGE ROAD
FT MEADE MD 20755-6000
or by calling (410) 766-8729. Additional copies may be
obtained from the Government Printing Office. The Trusted
Computer System Evaluation Criteria (TCSEC) and most of the
other rainbow series documents are available at
<http://www.radium.ncsc.mil/tpep/library/rainbow/>.
12. What are Process Action Team (PAT) Guidance Working Group (PGWG)
documents?
The PGWG (often pronounced pig-wig) documents are also known
as the Form and Content documents. These documents are
published directly by the Trusted Product Evaluation Program
(TPEP) and are designed to provide guidance to vendors
submitting products for evaluation. This guidance is not
security or requirements guidance in the Rainbow Series style.
Rather, these documents provide rules used by the TPEP in
accepting products into evaluation to ensure that the
information provided to the evaluation team is in a state that
is most conducive to a expeditious and trouble-free
evaluation. The document discussing design documentation is
available in postscript at
<http://www.radium.ncsc.mil/tpep/library/process_documents/PATdesign.ps>.
The document discussing test documentation is available in
postscript from
<http://www.radium.ncsc.mil/tpep/library/process_documents/PATtest.ps>.
13. Is there a criteria for commercial (as opposed to military) systems?
The Trusted Product Evaluation Program (TPEP) is prohibited by
the Computer Security Act of 1987 from attempting to directly
address the needs of commercial systems. The TPEP does not
subscribe, however, to the often loudly espoused belief that
the requirements of military systems are entirely divorced from
the requirements of commercial systems. It seems reasonable to
believe that commercial computer system users require many of
the same basic features of military systems: identification and
authentication of the users requesting information or service
from the system; ability to audit the actions of users; and
control of access to information, both at the discretion of the
information owner and by corporate policy. Because the TCSEC
couched its requirements in terms of DoD classifications, many
people have not thought about applying them to similar needs
for mandatory controls on protected information pertaining to
product development, marketing, and personnel decisions. It is
one of the aims of the Common Criteria to provide criteria that
use more general terminology.
14. What is the Federal Criteria?
The Federal Criteria was an attempt to develop a criteria to
replace the Trusted Computer System Evaluation Criteria
(TCSEC). A draft version was released for public comment in
December 1992. However, this effort was supplanted by the
Common Criteria effort (see Section II, Question 8), and the
Federal Criteria never moved beyond the draft stage (although
many of its ideas are retained in the Common Criteria). There
is no FINAL Federal Criteria; the draft should not be treated
as a final criteria document. The draft of the Federal
Criteria is available at <http://hightop.nrl.navy.mil/rainbow.html>.
15. What are the CMWREQs and the CMWEC?
The criteria used by the Defense Intelligence Agency (DIA) to
rate a product as a Compartmented Mode Workstation (CMW) is the
Compartmented Mode Workstation Evaluation Criteria (CMWEC),
which superseded the CMW Requirements (CMWREQs) in 1991. This
criteria defines a minimum level of assurance equivalent to the
B1 level of the TCSEC (see Section III, Questions 2-4). It
also defines a minimum set of functionality and usability
features outside the scope of the TCSEC (e.g. a graphical user
interface via a window system is required along with the
capability to cut and paste between windows). Neither set of
requirements are currently used by the Trusted Product Evaluation
Program (TPEP) although products that are designed to have these
features may be evaluated as B1 or higher products.
----------
Subject: Section III: Criteria Concepts
1. What are security features?
A security feature is a specific implementable function in a
system which supports some part of the system's security
policy. Examples of security features would be access control,
trusted path, and audit. The Trusted Computer System
Evaluation Criteria (TCSEC) (see Section II, Question 1)
ratings are not designed to express the rating of individual
features, as are some other criteria. Rather, each class
specifies a set of security features that a system must
implement in order to be rated at that class. However, many
evaluations are given "extra credit" in the evaluation results
for successful implementations of features that are required
only in a higher overall rating in the criteria.
2. What is assurance?
In the context of the Trusted Computer System Evaluation
Criteria (TCSEC), assurance coincides with correctness
assurance. It is a measure of confidence that the security
features and architecture of a computer system accurately
mediate and enforce the system security policy. The TCSEC's
assurance-related requirements constrain development methods
(e.g., configuration management) and software engineering
practices (e.g., modular code). Higher evaluation classes
contain more assurance-promoting requirements and give more
confidence in correctness.
3. What is a division?
A division is a set of classes (see Question 5) from the
Trusted Computer System Evaluation Criteria (TCSEC) (see
Section II, Question 1). There are 4 divisions A, B, C, and D
in decreasing order of assurance and features. Thus, a system
evaluated at a class in division B has more security features
and/or a higher confidence that the features work as intended
than a system evaluated at a class in division C. Although the
Computer Security Subsystem Interpretation (CSSI) of the TCSEC
specifies criteria for various D ratings, these are not
reflected in the TCSEC itself, which has no requirements for D
division systems. An unrated system is, by default, division
D.
4. What is a class?
A class is the specific collection of requirements in the
Trusted Computer System Evaluation Criteria (TCSEC) to which an
evaluated system conforms. There are seven classes in the
TCSEC A1, B3, B2, B1, C2, C1, and D, in decreasing order of
features and assurances. Thus, a system evaluated at class B3
has more security features and/or greater confidence that the
security features work as intended than a system evaluated at
class B1. The requirements for a higher class are always a
superset of the lower class. Thus a B2 system meets every C2
functional requirement and has a higher level of assurance.
5. What is a network component?
A "network component" is the target of evaluation for a Trusted
Network Interpretation (TNI) evaluation (see Section II,
Question 9) done against appendix A of the TNI. These
"network component" evaluations allocate basic requirements
(Mandatory Access Control (MAC); Discretionary Access Control
(DAC); Audit; and Identification and Authentication) to
components of a "network system". Each component may be
evaluated in isolation. The TPEP does evaluate degenerate TNI
components that independently meet all basic requirements (but
nevertheless have an interface to other, perhaps identical
components), but has not evaluated any degenerate TNI component
that met none of the basic requirements (relying totally on
other components for the security features). The TPEP is
currently developing a more integrated approach to the evaluation
of TNI components. The preliminary report of the changes
envisioned are available in postscript at
<http://www.radium.ncsc.mil/tpep/library/process_documents/cwg-draft.ps>.
6. What is a Network Security Architecture Design (NSAD) document?
The documentation for a network component (see Section III,
Question 5) must include a Network Security Architecture Design
(NSAD) document which describes the security expectations by this
component about other components. Each component evaluation
proceeds under the assumption that the expectations of the NSAD
are met by the other components. A collection of components
designed around the same architecture should interoperate
securely.
7. How do I interpret a rating?
A product evaluated by the Trusted Product Evaluation Program
(TPEP) will have one of several styles of ratings. A product
evaluated against the Trusted Computer System Evaluation
Criteria (TCSEC) will have one of the seven class ratings: A1,
B3, B2, B1, C2, C1, or D (see Section III, Question 4.) In
addition a TCSEC evaluated product may be evaluated to have met
requirements above it's class. These would be specified
additionally such as "meets the B1 requirements and the B2
Trusted Path requirement." It is very important to note that,
for example, a B1 evaluated system with B2 trusted path,
provides significantly less confidence that trusted path is
implemented correctly than a B2 evaluated system. That is to
say that the assurance is always that of the system's rated
class.
Some systems have been evaluated against the Compartmented Mode
Workstation (CMW) criteria. The CMW criteria levies minimum
features and assurances from the TCSEC as well as additional
usability criteria (e.g., specifying that the window system must
manipulate windows at multiple levels in certain ways.) The
TPEP has treated these systems as standard TCSEC evaluations
with additional requirements. From a security perspective the
CMW requirements do not preclude a B2 or higher CMW, however,
to this point all CMW evaluated systems are B1 evaluated with
additional TCSEC features above the evaluated class.
Another form of rating is a Trusted Network Interpretation
(TNI) component (see Section III, Question 5) rating. TNI
component ratings specify the evaluated class as well as which
of the four basic security services the evaluated component
provides. Thus, a B2-MD component is one that provides both
Mandatory Access Control (MAC) and Discretionary Access Control
(DAC). A B1-MDIA component is one that provides MAC, DAC,
Identification and Authentication, and Audit. Since a B1-MDIA
component meets all the Trusted Computer System Evaluation
Criteria (TCSEC) requirements for B1, it is likely that this
component is also evaluated as a B1 system if it can be used in
a non-network configuration.
A third form of rating is a Trusted Database Interpretation
(TDI) rating. This rating is the same as a TCSEC rating except
that the rating applies to the composite of the evaluated
application and each of the listed underlying systems.
Finally, products evaluated against the Computer Security
Subsystem Interpretation (CSSI) of the TCSEC have been given
variations of D division (see Question 4) ratings. These
appear for example as I&A/D2, Audit/D1, DAC/D3, and OR/D.
These products all have very low assurance regardless of the
features.
8. The TCSEC is 10 years old, doesn't that mean it's outdated?
The Trusted Computer System Evaluation Criteria (TCSEC) was
published in 1985. While some of the details need
interpretation for current systems, in general the requirements
of the TCSEC are at a level of abstraction that has not
experienced great change. For the areas where it is becoming
difficult to use the TCSEC, the Common Criteria (see Section
II, Question 8) should provide more relevant criteria.
9. How do the TCSEC and its interpretations apply to routers and
firewalls?
The Trusted Network Interpretation (TNI) of the TCSEC has been
used to evaluate these types of products. While there is some
value to those evaluations it is true that many of the specific
mechanisms of these products on which one might wish to have an
evaluator comment are not recognized by the TNI. It is hoped
that the Common Criteria (see Section II, Question 8) will be
able to address these products more directly with, for example,
an appropriate profile.
10. Does a trusted system require custom hardware?
A system does not require custom hardware to be successfully
evaluated against the Trusted Computer System Evaluation
Criteria (TCSEC). However, an evaluation does consider the
security of the system hardware as well as software. For every
evaluated product, there is an evaluated configuration. The
evaluated configuration lists the specific hardware and
software evaluated. A given evaluation may require hardware
with certain security features used by the software, and the
software may require certain optional features be enabled or
disabled. The Final Evaluation Report (FER) (see Section V,
Question 7) lists the evaluated hardware and software. The
Trusted Facility Manual (TFM) for the product will give
detailed guidance on configuring the hardware and software
securely.
11. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?
The Interpreted Trusted Computer System Evaluation Criteria
(ITCSEC) available in postscript at
<http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>
contains the definitive set of requirements for each TCSEC
class. In Summary:
Class D: Minimal Protection
Class D is reserved for those systems that have been evaluated
but that fail to meet the requirements for a higher evaluation
class.
Class C1: Discretionary Security Protection
The Trusted Computing Base (TCB) of a class C1 system
nominally satisfies the discretionary security requirements by
providing separation of users and data. It incorporates some
form of credible controls capable of enforcing access
limitations on an individual basis, i.e., ostensibly suitable
for allowing users to be able to protect project or private
information and to keep other users from accidentally reading
or destroying their data. The class C1 environment is
expected to be one of cooperating users processing data at the
same level of sensitivity.
Class C2: Controlled Access Protection
Systems in this class enforce a more finely grained
discretionary access control than C1 systems, making users
individually accountable for their actions through login
procedures, auditing of security-relevant events, and resource
isolation.
Class B1: Labeled Security Protection
Class B1 systems require all the features required for class
C2. In addition, an informal statement of the security policy
model, data labeling (e.g., secret or proprietary), and
mandatory access control over named subjects and objects must
be present. The capability must exist for accurately labeling
exported information.
Class B2: Structured Protection
In class B2 systems, the TCB is based on a clearly defined and
documented formal security policy model that requires the
discretionary and mandatory access control enforcement found
in class B1 systems be extended to all subjects and objects in
the automated data processing system. In addition, covert
channels are addressed. The TCB must be carefully structured
into protection-critical and non- protection-critical
elements. The TCB interface is well-defined and the TCB
design and implementation enable it to be subjected to more
thorough testing and more complete review. Authentication
mechanisms are strengthened, trusted facility management is
provided in the form of support for system administrator and
operator functions, and stringent configuration management
controls are imposed. The system is relatively resistant to
penetration.
Class B3: Security Domains
The class B3 TCB must satisfy the reference monitor
requirements that it mediate all accesses of subjects to
objects, be tamperproof, and be small enough to be subjected
to analysis and tests. To this end, the TCB is structured to
exclude code not essential to security policy enforcement,
with significant system engineering during TCB design and
implementation directed toward minimizing its complexity. A
security administrator is supported, audit mechanisms are
expanded to signal security-relevant events, and system
recovery procedures are required. The system is highly
resistant to penetration.
Class A1: Verified Design
Systems in class A1 are functionally equivalent to those in
class B3 in that no additional architectural features or
policy requirements are added. The distinguishing feature of
systems in this class is the analysis derived from formal
design specification and verification techniques and the
resulting high degree of assurance that the TCB is correctly
implemented. This assurance is developmental in nature,
starting with a formal model of the security policy and a
formal top-level specification (FTLS) of the design. An FTLS
is a top level specification of the system written in a
formal mathematical language to allow theorems (showing the
coorespondence of the system specification to its formal
requirements) to be hypothesized and formally proven. In
keeping with the extensive design and development analysis of
the TCB required of systems in class A1, more stringent
configuration management is required and procedures are
established for securely distributing the system to sites. A
system security administrator is supported.
----------
Subject: Section IV: Evaluations
1. How do I get my product evaluated?
Product developers who have a product that they wish to have
evaluated need to request a proposal package from:
V24, TRUSTED PRODUCT EVALUATION PROGRAM
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD STE 6740
FT MEADE MD 20755-6740
The ultimate proposal for product evaluation will include
technical and marketing details for the product. Because the
Trusted Product Evaluation Program (TPEP) is legislatively
prohibited from directly evaluating products that are not
intended to protect classified information, the proposal
marketing information should include details about the market
potential within the United States Department of Defense and
intelligence communities. Additionally, the TPEP in general
does not accept products targeting the C1 and below evaluation
classes, as these are usually inappropriate for processing any
classified information. TPEP currently accepts for evaluation
at the C2 and higher levels, networked systems which meet the
market and technical criteria. The product technical details
will include descriptions of the product's documentation and how
that documentation's structure compares to that required by the
PGWG documents (see Section II, Question 11). Finally, the
proposed configuration of the product should be a configuration
likely to be used by the described potential market.
2. What is the evaluation process?
The evaluation process is described in detail at
<http://www.radium.ncsc.mil/tpep/process/procedures.html> In
general terms, a successful evaluation proceeds through the
following stages:
Proposal Review
A product proposal, submitted by a vendor for consideration of
evaluation by TPEP is reviewed for two purposes. The first is
to determine the potential market benefits of accepting the
product for evaluation (i.e., the DoD customer base). The
market analysis is performed based upon both the vendor's proposal
and upon TPEP customer input, which is actively solicited on a
regular basis. The second part of the proposal review is to
determine, at a very preliminary level, if the product appears
to provide feasible security mechanisms such that the requirements
of the TCSEC can be satisfied. Once the review of the product
proposal is completed, the vendor is notified in writing of the
acceptance or rejection of the product for evaluation.
Technical Assessment
Products whose proposals were recommended as "accept" are
considered candidates for evaluation and proceed to the next
step in pre-evaluation, the Technical Assessment (TA), where
a vendor must demonstrate that the product design and the
associated evaluation evidence are complete. A TA is often
the first examination of the product and the evidence by a
technical evaluation team. Vendors may have excellent and
complete documentation, indicating a readiness to undergo an
Intensive Preliminary Technical Review (IPTR) which is the
gateway to evaluation when successfully completed. Advice may
be recommended based on readiness.
Advice
The purpose of advice is to aid the vendor in producing a product
and supporting documentation that is capable of being evaluated
against the TCSEC and its interpretations. Advice can be provided
by contractors outside of TPEP or TPEP evaluators may be assigned
to advise the vendor. TPEP-provided advice begins after a vendor
has submitted a proposal and a technical assessment has been
performed that deemed the product suitable for evaluation, but
not yet ready for an IPTR.
Intensive Preliminary Technical Review (IPTR)
The IPTR is an independent assessment by the TPEP evaluators to
determine a product's readiness for evaluation. An IPTR lasts
for approximately 7-10 days and is performed by a team of
approximately 5 TPEP evaluators. During the IPTR, which is
usually held at the vendor's site, the team becomes familiar with
the product (through vendor presentations); reviews documentation,
test plans, and procedures; and documents its findings in a report.
The IPTR report is provided to the vendor and TPEP management and
documents the team's assessment of the product's readiness for
evaluation. Completion of a successful IPTR results in the
product moving into evaluation (pending availability of TPEP
evaluation resources).
Evaluation
Evaluation is the comprehensive technical analysis of a product's
security functionality. At the beginning of evaluation, the
vendor provides the evaluation team with system level, developer-
oriented training for the product. Training is followed by
analysis of the product design, focusing specifically on security
features. This analysis includes both hardware and software
components of the product and associated documentation. Testing
of the product involves running the vendor's test suite, as well
as tests formulated by the evaluation team. Upon successful
completion of testing and rigorous technical reviews by senior
members of the evaluation community, the product is awarded an
Evaluated Products List (EPL) entry.
Rating Maintenance Phase (RAMP)
RAMP provides a mechanism for a vendor to maintain the TCSEC
rating of a product throughout its life cycle. During RAMP,
the vendor works with the TPEP assigned Technical Point of
Contact (TPOC) to analyze the security impact of proposed changes
to the evaluated product. The Vendor Security Analyst (VSA)
actually performs the security analysis of the product changes
as they occur. The changes and associated analysis results are
presented to a TPEP Technical Review Board (TRB) which recommends
approval (or disapproval) of the rating for the "new" product.
3. How long does an evaluation take?
The length of time a developer needs to prepare for an
Intensive Preliminary Technical Review (IPTR) varies
considerably. The IPTR is a short (one to two week) assessment
of the state of the product documentation and testing. A
successfull IPTR ensures that the materials needed for
evaluation are complete and usable. Currently, we expect
successful evaluations at the C2/B1 class to take approximately
one year to complete from successful IPTR to final technical
review. IPTRs should ideally take place approximately eight
months before product release for a typical C2/B1 product, and
even earlier in the product cycle for products targeted at B2,
B3 or A1. We continue to explore ways to reduce the time
required. Higher class evaluations take longer, although this
is somewhat mitigated by the fact that the TPEP is usually
involved earlier in the design process for systems at
relatively higher classes. Problems during evaluation, changes
in the configuration the vendor is planning to market, and
system complexity can all add to the length of evaluation.
Vendors participating in the RAMP (Rating Maintenance) process
can perform analysis of changes to an already evaluated system
to maintain the evaluated rating on subsequent versions and
configurations. The length of time to obtain a RAMP rating is
largely dependent on the vendor and on the nature and
complexity of the change. However, it is reasonable to expect
this RAMP to take far less time than an evaluation.
4. How much does an evaluation cost?
The Trusted Product Evaluation Program (TPEP) does not charge
for evaluations. It may be a significant expense for a product
developer to prepare for and support evaluation. There are
often travel expenses for staff, training costs for the
evaluation team, and the cost of having development personnel
take time to respond to the evaluation team's questions. In
addition, if the product did not previously meet the
requirements for a given class, the cost of improving the
product (i.e., doing the testing, analysis and documentation)
can be high. Ultimately, this should result in an improved
product that will be recognized as superior to competitors.
5. How do I find out about the evaluation process?
For an abstract view of the evaluation process you can read
this list of Frequently Answered Questions (FAQ)! For a more
detailed view appropriate to those who wish to participate in
the process, the process is described in some detail at
<http://www.radium.ncsc.mil/tpep/process/procedures.html>.
6. Who actually performs the evaluations?
Trusted product evaluators come from the Trusted Product
Evaluation Program (TPEP) organization within the National
Security Agency (NSA) as well as from a small group of federal
contract research organizations. Some evaluations have also
benefitted from the participation of evaluators from the
security evaluation organizations of other cooperating
governments. In cooperation with the National Institute of
Standards and Technology (NIST), a program is being developed to
evaluate products in the lower Trusted Computer System
Evaluation Criteria (TCSEC) classes (i.e., C2/B1) using
approved commercial evaluation facilities. However, many
details remain to be finalized for that program.
7. What information is released about an evaluated product?
As we begin working with a product, the vendor and target
rating are made available. When that product is accepted into
evaluation, information such as the vendor, target rating, and
target completion date are announced in a product announcement
on the Evaluated Products List (EPL) (see Section V, Question
6). When the evaluation is completed the general evaluated
product configuration, general product information, and rating
are announced in an entry on the EPL. In addition at the
completion of evaluation a report is published (see Section V,
Question 7). This report contains the analysis of the
evaluation team, a complete description of the evaluated
product, and often comments about the usability of the product
in its evaluated configuration by the evaluation team. Recent
EPL entries and a few Final Evaluation Reports are available at
<http://www.radium.ncsc.mil/tpep/epl/>.
8. What is RAMP?
The Rating Maintenance Phase (RAMP) Program was established to
provide a mechanism to extend the previous rating to a new
version of a previously evaluated computer system product.
RAMP seeks to reduce evaluation time and effort required to
maintain a rating by using the personnel involved in the
maintenance of the product to manage the change process and
perform Security Analysis. Thus, the burden of proof for RAMP
efforts lies with those responsible for system maintenance
(i.e., the vendor) instead of with an evaluation team.
----------
Subject: Section V: Evaluated Products
1. Should I buy an evaluated product?
An evaluated product has the benefit of providing an
independent assessment that the product meets the criteria for
the rating it achieved. When considering a specific
installation the value of the data and the threat to that data
both need to be considered. These are often related, in that
more valuable data has a higher threat. If some of the threats
to the data can be countered by the features or assurance of a
trusted product, then it is certainly worthwhile to consider
that in your purchase decision. All other things being equal
(which is rarely the case) the independent assessment of an
evaluated product adds value.
2. Does NSA buy/use evaluated products?
NSA endevours to be an exemplary customer of the products it
recommends for use by its customers and expects NSA-evaluated
products to comprise the foundation of its own secure information
systems architecture and is developing policy towards that end.
3. How do I know if a product is evaluated?
The simplest way to find out if a product is not evaluated is
to ask the product vendor. If the vendor has an evaluated
product, it is a pretty good bet that the company marketing
people are aware of it. Many products that have NOT been
evaluated have names containing a rating or have declared
themselves as "designed to meet" a specific rating. These products
have not withstood the same scrutiny as products listed on the EPL.
If a vendor claims to have an evaluated product, you should
independently verify the details of the evaluation (e.g.,
product version, configuration, rating.) All evaluated products
are placed on the Evaluated Products List (EPL) (see Section V,
Question 6). That is the first place to look. The EPL entries
that have been awarded within the last three years are available
at <http://www.radium.ncsc.mil/tpep/epl/>. To verify a specific
detail (e.g., the rating) of an evaluation, you may call the Trusted
Product Evaluation Program (TPEP) directly at (410) 859-4458 This
will often result in less complete information since generally we
don't read entire EPL entries over the phone.
For the most complete information about a specific evaluated
product, you should request a copy of the evaluation report.
(see Section V, Question 7) Unfortunately, the publication of
the report sometimes postdates the evaluation significantly.
An increasing number of final evaluation reports are available
via links from the product's electronic EPL entry or from
<http://www.radium.ncsc.mil/tpep/library/fers/> by report number.
4. What does it mean for a product to be "in evaluation"?
In the past it has been the case that Trusted Product
Evaluation Program (TPEP) evaluations where conducted over
longer periods of time and included time for a developer to
work out problems with their documentation and testing that a
current Intensive Preliminary Architecture Review (IPTR) is
designed to limit. Currently a product is not announced to be
in evaluation until it has successfully passed an IPTR. Even
so, a product may go through several releases, incorporate
fixes during the course of evaluation, or even potentially drop
out of evaluation or fail evaluation. Because of this a
product in evaluation is not equivalent to an evaluated
product. While it does show some intent to have an evaluated
product, and a consideration of security criteria in the
product development, it does not necessarily imply any security
features or assurances. Buyers of products in evaluation
should consider what options will be available to them should
the evaluated configuration differ significantly from the
purchased configuration, or if the product does not ultimately
complete evaluation.
5. What does it mean for a product to be "compliant" with the TCSEC?
If a product has been evaluated by the Trusted Product
Evaluation Program (TPEP) to comply with the requirements of a
rated class, then it means that an independent assessment
showed the product to have the features and assurances of that
class. It does not mean that the product is impenetrable. It
is even possible that the independent assessment overlooked
some failure to meet the criteria, although we expend a lot of
energy attempting to prevent that. A vendor claim to be
"compliant" without an evaluation often doesn't mean very much
since the vendor's interpretation of the requirement may not be
the same as an independent assessor's would be.
6. What and where is the Evaluated Products List (EPL)?
The Evaluated Products List (EPL) officially is published
quarterly in the INFOSEC Products and Services Catalog (as a
chapter). The INFOSEC Products and Services Catalog is
available from the Government Printing Office. The EPL is also
maintained electronically on Dockmaster and updated as new
products are announced. (see Section I, Question 7) There is no
anonymous access to Dockmaster so this is available only to
Dockmaster users. EPL entries issued within the last three years
are available at <http://www.radium.ncsc.mil/tpep/epl/>.
7. How do I get a copy of an evaluation report?
Single copies of evaluation reports are available without charge
by writing:
INFOSEC AWARENESS, ATTN: Y13/IAOC
DEPARTMENT OF DEFENSE
9800 SAVAGE ROAD
FT MEADE MD 20755-6000
Multiple copies are available from the Government Printing
Office. In either case you will need the report number
(CSC-EPL-xx/xxx or CSC-FER-xx/xxx) which is given in the
Evaluated Products List (EPL) entry for the product. (see
Section V, Question 6)
8. Is an evaluated product "hacker proof?"
No product can be guaranteed to be "hacker proof" or
"impenetrable." An evaluated product has demonstrated certain
features and assurances, as specified by the rating criteria.
Those features and assurances counter certain threats. Thus an
evaluated product is usually vulnerable to fewer threats than
an unevaluated product. Products with higher ratings are
vulnerable to fewer threats than products with low ratings.
Vulnerabilities to threats that remain in products can often be
addressed through other means. No rating class used by the
Trusted Product Evaluation Program (TPEP), for example,
counters the threat of directly tampering with the hardware.
That threat would need to be addressed physically or
procedurally if it was realistic for the particular system
environment.
Finally, it seems many "hackers" today prefer to use "social
engineering" to accomplish their goals. As with other
insider-related threats, education is necessary in preventing
naive users from disclosing sensitive information. However,
technical measures can also help. They can enforce the the
principle of least privilege, check the reasonableness of
administrative inputs, and provide timely on-line cautions.
9. What is the rating of DOS?
MS-DOS, PC-DOS, and DR-DOS have not been evaluated. Without
modification, it is apparent from the most cursory examination
that they do not implement many of the features required by the
C1 class of the Trusted Computer System Evaluation Criteria
(TCSEC). Several vendors support a DOS application interface
in products designed to achieve higher class ratings.
10. What is the rating of UNIX?
There are a number of evaluated products conforming to one or
another of the UNIX interface standards (see Section V,
Question 3). These products range from class C2 to class B3.
In general, unevaluated UNIX products lack several features,
including sufficient auditing, to achieve anything other than a
D class rating without some modification.
11. What should I do if evaluated Product X appears to fail a requirement?
If an evaluated product does not seem to meet the requirements,
the first thing to do is carefully look at the Final Evaluation
Report (FER) and the product's Trusted Facility Manual (TFM).
The product was evaluated with specific configuration options and
on specific hardware. These should be stated in the TFM and FER
respectively. If the evaluated configuration still seems to not
meet some requirement for its rated class, then it is possible that
there was an oversight during the evaluation. You can send that
information to tp...@dockmaster.ncsc.mil and we may investigate the
issue.
12. Why should I buy a B2/B3/A1 product over a C2/B1 product?
While the features and assurances of each class increase, the
increase is not linear. B1 and below rated products provide a
basic set of security features and an independent assesment that
those features are implemented correctly. At B2 and above there
is significantly more effort and analysis both in development and
in evaluation that the features are correctly implemented. The
additional development effort often translates into increased cost
for the product. For applications involving sensitive data, the
added cost may be well worth the added protection.
13. Is there an approved program to declassify my hard drive?
In summary, no; in general, overwriting may be sufficient to have
media released for other use, but it must retain its original
classification.
You should contact your security officer or contracts manager for
official guidance. Often, your contract will determine how to
declassify disks. This is usually indirect, by referencing a
DOD-STD or other document. Be prepared to submit the disk drive
(or at least the little metal thingy with the iron oxide) for total
destruction.
If you need to retrieve unclassified data that reside on a
classified disk, there are often detailed procedures to accomplish
this.