The Orange Book is one of the books in the National Security Agency’s Rainbow Series on evaluating “Trusted Computer Systems”. It is the main book in the Rainbow Series and defines the Trusted Computer System Evaluation Criteria (TCSEC). The TCSEC outlines hierarchical degrees of security, from the letter D for the least secure through A for the most secure.
The Orange Book also identifies assurance requirements for secure computer operations. These requirements are applied to ensure that a trusted computing base’s security policy has been correctly employed and that the system’s security features have effectively implemented that policy. The Orange Book defines two types of assurance:
- Operational assurance – examines the fundamental features and structure of a system. These include system architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery.
- Life cycle assurance – concerned with the controls and standards required for constructing and maintaining a system. These include security testing, design specification and testing, and configuration security testing.