History of Certification and Accreditation - PowerPoint PPT Presentation

Slides: 22
Provided by: Bri8340
Transcript and Presenter's Notes

1
History of Certification and Accreditation
  • CS662 System Security Certifications and
    Accreditations
  • The Rainbow Series
  • By
  • Brian Copeland
  • Modified by
  • Scott Puryear

2
  • What is ASSURANCE?

3
HMS Assurance
Sunk in 1738

4
Assurance
From Merriam-Webster Dictionary -- something
that inspires or tends to inspire confidence
http://www.webster.com/cgi-bin/dictionary?va=assurance
CONFIDENCE
5
What is the Rainbow Series?
  • It is the highly convoluted, incredibly dull,
    impossible to find (especially if you are color
    blind) what you are looking for series of books
    that tells you how to secure your system (but not
    really).
  • http://www.dynamoo.com/orange/summary.htm

6
What is the Rainbow Series? Seriously This Time
  • A set of U.S. Government (DoD) books pertaining
    to computer system security
  • These books are distinguished by the color of
    their covers, of which there are very many, hence
    the term Rainbow Series
  • More than 35 different titles

7
What is the Rainbow Series?
  • Subject matter includes many facets of Computer
    Security, ranging from basic definitions, to DoD
    Standards
  • General (multi-platform) documents, as well as
    platform specific documents

8
Criteria
  • a standard on which a judgment or decision may be
    based

9
Common Criteria
  • The Common Criteria (CC) is an international
    standard (ISO/IEC 15408) for computer security.
    Unlike standards such as FIPS 140, Common
    Criteria does not provide a list of product
    security requirements or features that products
    must contain. Instead, it describes a framework
    in which computer system users can specify their
    security requirements, vendors can then implement
    and/or make claims about the security attributes
    of their products, and testing laboratories can
    evaluate the products to determine if they
    actually meet the claims. In other words, Common
    Criteria provides assurance that the process of
    specification, implementation and evaluation of a
    computer security product has been conducted in a
    rigorous and standard manner.
  • From Wikipedia, the free encyclopedia

10
Orange Book
  • Orange Book (5200.28-STD) DoD Trusted Computer
    System Evaluation Criteria, 26 December 1985
  • The dynamoo page linked earlier is a summary of the US
    Department of Defense Trusted Computer System
    Evaluation Criteria, known as the Orange Book.
    Although originally written for military systems,
    the security classifications are now broadly used
    within the computer industry.
  • This is the main book in the series
  • Most of the other books provide elaboration on
    subject matter contained in the Orange Book

11
Orange Book
  • Defines the different levels of trust that a
    product can achieve under the Trusted Product
    Evaluation Program (TPEP)

12
Orange Book
  • Though originally intended for DoD Systems, many
    parts of the Orange Book are now commonly used in
    defining standards for non DoD Systems.

13
Orange Book Defined Levels of Trust
  • Ranges from D (Minimal Protection) to A
    (Verified Protection)

14
Orange Book Defined Levels of Trust
  • Level D Minimal Protection
  • Any system that does not comply with any other
    category, or has failed to receive a higher
    classification. D level certification is very
    rare.

15
Orange Book Defined Levels of Trust
  • Level C Discretionary Protection
  • Discretionary protection applies to Trusted
    Computing Bases (TCBs) with optional object (i.e.
    file, directory, device, etc.) protection.
  • Broken into two sublevels
  • C1 - Discretionary Security Protection
  • C2 - Controlled Access Protection

16
Orange Book Defined Levels of Trust
  • Level B Mandatory Protection
  • Division B specifies that the TCB protection
    systems should be mandatory, not discretionary.
  • Broken into three sublevels
  • B1 - Labeled Security Protection
  • B2 - Structured Protection
  • B3 - Security Domains
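
The difference between the division C and division B slides above is the difference between discretionary and mandatory access control. The following toy reference monitor is an added illustration, not part of the original slides: it lets an object's owner hand out permissions freely (division C style), then layers a label check on top that the owner cannot override (division B style). The user names, sensitivity labels and the simple no-read-up / no-write-down rule are my own constructed simplification, not text from the Orange Book.

```python
"""Added illustration of discretionary vs. mandatory protection.

Everything here is constructed sample data: the subjects, the object,
the label ordering and the read/write rule are a hypothetical
simplification used only to show why division B is stricter than C.
"""
from dataclasses import dataclass, field

# Hypothetical linear ordering of sensitivity labels (constructed sample).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass
class Subject:
    name: str
    clearance: str  # one of the keys in LEVELS


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # one of the keys in LEVELS
    acl: dict = field(default_factory=dict)     # user name -> set of perms


def dac_grant(obj: Obj, actor: str, grantee: str, perm: str) -> bool:
    """Discretionary: the owner alone decides who may access the object.

    Returns True if the grant was applied, False if 'actor' is not the owner.
    """
    if actor != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_check(obj: Obj, subject: Subject, perm: str) -> bool:
    """Division C check: consult only the owner-maintained ACL."""
    return perm in obj.acl.get(subject.name, set())


def mac_check(obj: Obj, subject: Subject, perm: str) -> bool:
    """Label check the TCB applies regardless of the ACL.

    Assumed rule: a subject may read objects at or below its clearance
    ("no read up") and write objects at or above it ("no write down").
    """
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


def division_c_access(obj: Obj, subject: Subject, perm: str) -> bool:
    return dac_check(obj, subject, perm)


def division_b_access(obj: Obj, subject: Subject, perm: str) -> bool:
    # Division B builds on C: the ACL still applies, but the mandatory
    # label check must also pass, and the owner cannot waive it.
    return dac_check(obj, subject, perm) and mac_check(obj, subject, perm)


def demo() -> dict:
    """Constructed scenario: an owner tries to share a SECRET file downward."""
    alice = Subject("alice", "SECRET")
    bob = Subject("bob", "CONFIDENTIAL")
    plan = Obj("ops_plan.txt", owner="alice", label="SECRET")
    memo = Obj("public_memo.txt", owner="alice", label="UNCLASSIFIED")

    dac_grant(plan, "alice", "alice", "read")
    dac_grant(plan, "alice", "bob", "read")      # owner shares with lower clearance
    dac_grant(memo, "alice", "alice", "write")

    return {
        # C: the owner's choice is final, so bob can read the SECRET file.
        "c_bob_read_plan": division_c_access(plan, bob, "read"),
        # B: the label check blocks the read-up even though the ACL allows it.
        "b_bob_read_plan": division_b_access(plan, bob, "read"),
        "b_alice_read_plan": division_b_access(plan, alice, "read"),
        # B: alice may not write SECRET knowledge into an UNCLASSIFIED object.
        "b_alice_write_memo": division_b_access(memo, alice, "write"),
        # Even under C, a non-owner cannot grant themselves access.
        "c_bob_self_grant": dac_grant(plan, "bob", "bob", "write"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the slides make is visible in the `b_bob_read_plan` result: under division C the outcome depends entirely on what the owner chose, while under division B the TCB's label comparison decides and no ACL entry can reverse it.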

17
Orange Book Defined Levels of Trust
  • Level A Verified Protection
  • Division A is the highest security division
  • Broken into two levels (kind of).
  • The second level is an acknowledgement of the
    potential for a higher security level, though no
    standards have been defined for it

18
Other Rainbow Series Books
  • Other Rainbow Series books discuss the following
    topics
  • Password Management - Green
  • Audit - Tan
  • Discretionary Access Control - Neon Orange
  • Trusted Network Interpretation - Red
  • Configuration Management - Amber
  • Identification and Authentication - Light Blue
  • And many more

19
Other Rainbow Series Books
  • A full listing of these books, and online
    versions of the books themselves, can be found at
    http://www.radium.ncsc.mil/tpep/library/rainbow/

20
Summary
  • The Rainbow Series provides a solid reference
    relating to many subjects within computer
    security
  • It also provides standards (Orange Book) that all
    DoD Systems must meet in order to obtain certain
    levels of trust
  • These standards can be useful guidelines in
    creating a security program for non-DoD Systems
    as well

21
Questions?
  • If so, please direct them to Scott, as I am tired
    of talking now