NCSC-TG-002

Library No. S-228,538

Version 1

FOREWORD

The National Computer Security Center has established an aggressive program to study and implement computer security technology, and to encourage the widespread availability of trusted computer products for use by any organization desiring better protection of their important data. The Trusted Product Evaluation Program focuses on the security evaluation of commercially produced and supported computer systems by evaluating the technical protection capabilities against the established criteria presented in the Trusted Computer System Evaluation Criteria. This program, and the open and cooperative business relationship being forged with the computer and telecommunications industries, will result in the fulfillment of our country's computer security requirements. We are resolved to meet the challenge of identifying trusted computer products suitable for use in processing sensitive information.

A key service of the National Computer Security Center to the computer security community is to act as a clearinghouse for computer security issues and to develop technical security guidelines for automatic data processing systems and networks. This technical information exchange provides guidance and interpretations for the security evaluation process and offers the vendors a central point for technical exchange.

PATRICK R. GALLAGHER, JR.
DIRECTOR

NATIONAL COMPUTER SECURITY CENTER

1 March 1988


PREFACE

This publication describes procedures for interacting with the National Security Agency's Information Security Organization as related to the Trusted Product Evaluation Program within the National Computer Security Center. It provides the information needed to submit a computer product for technical security evaluation and outlines the National Security Agency's responsibilities for positive, timely acknowledgements. This publication specifically covers the National Computer Security Center's relationship with vendors of proposed trusted computer products from the initial contact with the vendor through the completion of the security evaluation process and follow-on programs. Although more detailed instructions will be referenced in this publication, sufficient guidelines are established for any first-time user of the National Computer Security Center's services.

The Office of Industrial Relations invites your comments on this document and on the National Computer Security Center's procedures for conducting security evaluations of computer products. In cooperation with the computer industry, we can improve our national security through the availability of trusted computer products.

INTRODUCTION

In January 1981 the Director of the National Security Agency was assigned the responsibility for computer security for the Department of Defense. This action led to the formation of the Computer Security Center at the National Security Agency. The Computer Security Center's Charter, promulgated in Department of Defense Directive 5215.1 in October 1982, specifically tasks the Computer Security Center to establish and maintain "... technical standards and criteria for the security evaluation of trusted computer systems that can be incorporated readily into the Department of Defense component life-cycle management process..."

The developmental experiments in the 1970's ranged from attempts to add security front-ends to existing systems to designing secure systems and hardware from scratch. Early research and development efforts defined a graduated scale of security features and design principles. These features and principles were incorporated in the Department of Defense Trusted Computer System Evaluation Criteria (Orange Book). The Orange Book was issued in August 1983. In December 1985, the Orange Book was reissued as a Department of Defense Standard (DOD 5200.28-STD).

The National Computer Security Center (the Center) responds to a growing need for, and recognizes technical challenges involved in, providing effective protection within computer systems and networks of systems. The Center relies on an open and cooperative relationship with government, industry representatives, and the academic community to accomplish these important objectives. The government encourages industry to provide the computer security capabilities government needs. The Center sponsors critical research, and makes the results widely available to encourage their incorporation into trusted computer products and secure applications.

The Center performs security evaluations of computer software and hardware products on commercially or government-produced computer systems. A trusted computer system is defined as a system that employs sufficient hardware and software integrity measures to allow its use to simultaneously process a range of sensitive unclassified or classified (e.g., confidential through top secret) information for a diverse set of users without violating access privileges. Levels of trust are based on the ability of the computer system to enforce access privileges to authorized users and to system protected files. The Center evaluates the security features of trusted products against established technical standards and criteria, and maintains the Evaluated Products List. The Evaluated Products List is a compilation of all computer products which have undergone formal security evaluations, and indicates the relative security merit of each computer product.

The criteria against which computer systems are evaluated is the Orange Book. This provides a metric for distinguishing a range of features and assurances for security controls built into automatic data processing system products. The Orange Book establishes specific requirements that a computer system must meet in order to achieve a specific level of trustworthiness. The levels are arranged hierarchically into four major divisions of protection, each with certain security-relevant characteristics. These divisions are subdivided into levels of trust.

In recognition of the complex and technical nature of the issues addressed by the Orange Book, the Center has established a Technical Guidelines Program. This program augments information provided in the Orange Book by publishing additional guidance on issues and features addressed therein.

TRUSTED PRODUCT SECURITY EVALUATION

This section provides the potential computer product vendor with an overview of the Center's Trusted Product Evaluation Program. The process of a trusted product evaluation is illustrated in Figure One. The Pre-Evaluation Review includes the initial contact between the vendor and the National Security Agency, the decision-making process to initiate, and the signing of a Memorandum of Understanding. Note: subsystem products do not require a Memorandum of Understanding but are initiated with a Memorandum of Agreement. The Trusted Product Developmental Process provides the vendor the opportunity to obtain assistance from the Center during the development of a system or network product. The formal product evaluation consists of the actual security evaluation of the vendor's computer system. Successful completion of this process results in the vendor's computer product being placed on the Evaluated Products List.

PRE-EVALUATION REVIEW

Five milestones in the application process must be reached before the security evaluation of a proposed computer product can begin.

1. Initial Contact
2. Certificate Pertaining to Foreign Interests
3. Proposal Package
4. Program Decision
5. Memorandum of Understanding (Memorandum of Agreement for Subsystems)

INITIAL CONTACT

The National Security Agency point of contact for the Trusted Product Evaluation Program is the Office of Industrial Relations. Interested companies are encouraged to call or write to:

Director, National Security Agency
Attention: Office of Industrial Relations
9800 Savage Road
Fort George G. Meade, Maryland 20755-6000
(301) 688-6581

CERTIFICATE PERTAINING TO FOREIGN INTERESTS

Before submitting an application for the Trusted Product Evaluation Program, the Center requires that all companies submit a completed Certificate Pertaining to Foreign Interests prior to undertaking the additional effort to prepare a proposal package. For those companies that already have a facility security clearance, a current DD Form 441s may be sent in lieu of the Certificate Pertaining to Foreign Interests. Please submit the certificate or DD Form 441s to the Office of Industrial Relations, as listed above.

PROPOSAL PACKAGE

After contact has been established, the vendor must prepare a proposal package in accordance with the following guidance. Four copies of the proposal package are required.

This point cannot be overemphasized; information marked Company Proprietary is protected to the fullest extent permitted under the law, and must be marked accordingly. The product proposal package should demonstrate corporate-level support for the product evaluation effort and consist of a company profile, market information and a written product proposal.

COMPANY PROFILE

Potential computer security product vendors, whether requesting a system, a network, or a subsystem evaluation, must establish a formal working relationship with the Center. Vendors are encouraged to submit as much detailed documentation as necessary to establish their capability and suitability for the Trusted Product Evaluation Program. The company profile portion of the submission shall include at least the following information:

Company name and address.

State of incorporation and composition of ownership.

Principal point of contact, a technical point of contact, and a public point of contact. For each, include name and title, business address, and business telephone. Public point of contact names will be placed on a list that can be provided to any requestor desiring to establish a business connection with your company.

Product or services offered. This could be supplemented with a company capabilities brochure.

A recent annual or certified financial report.

Number of people employed by the company, and in the case of a system or network product, the projected size of the team which will be developing, enhancing and/or maintaining the proposed product.

MARKET INFORMATION

To evaluate the requirements for any proposed product, the vendor must provide sufficient detail to identify the utility in the market place. The information below covers the minimum market information the Center requires to assess the probable need in the community. The market information portion of the proposal package shall identify:

Intended market by product type and level of trust, including a specific customer base and/or firmly established requirements.

Portion of markets intended to address. How the specific market projections were derived. In cases where the product to be developed is a retrofit to existing equipment, include the potential volume of sales for those existing equipments that are already fielded.

Known or projected U.S. Government requirements that the product will satisfy. Distinguish between DOD and Civil Agency.

Known or projected commercial requirements that the product will satisfy.

WRITTEN PRODUCT PROPOSAL

A separate proposal is required for each computer product submitted for security evaluation. These products must be of direct and obvious benefit to the information security posture of the nation, and should address the applicable requirements outlined in established criteria or interpretations. This determination will be based on the information contained in the product proposal, measured against national computer security needs and priorities. The Center presently conducts three distinct types of product evaluations: 1) the system evaluation, 2) the network evaluation, and 3) the subsystem evaluation.

Proposals For System Evaluations

The Center evaluates as a system that product which addresses all of the requirements of a given class of the Orange Book. Although complete information about the proposed product may not be available at this stage of the design, the written product proposal should provide the following information:

Technical description of the product.

What is the targeted class or level of trust?

What is the operating system for your product?

Is the proposed product currently in use? If so, what is the current installed base?

What is the projected installed base over the next five years?

What is the target development schedule? How flexible is this schedule and by what date do you plan to bring this product to market?

What are the known or projected requirements that the product will satisfy? (Distinguish between the Department of Defense and Civil Agencies.)

What are the differences between and advantages of the proposed product relative to similar products which are currently available?

Proposals For Network Evaluations

The Center defines a network as everything that is needed to accomplish a job, end user to end user. The Center defines a network component as any part of a network.

The Trusted Network Interpretation of The Trusted Computer System Evaluation Criteria (TNI) is currently the criteria against which networks are evaluated.

Written product proposals should provide the following information:

A technical description of the product.

What is the underlying security policy of the product?

What level of protection is provided by the product?

What is the projected schedule for development?

What are the environments for which the product is intended? Include an overall description of the product. Compare it to another product currently available if possible.

Does your product interact with users directly? If so, does it provide all of the functionality identified at one of the criteria levels in Part I of the TNI, or only a subset?

If it is a network system, what level of trust does it meet according to Part I of the TNI?

If it is a network component, which of the following functionalities does it provide, and at which level of trust is each functionality provided?

Mandatory Access Control
Discretionary Access Control
Identification and Authentication

What other security services mentioned in Part II of the TNI does your product provide?

What type of carrier medium, if any, is used or supported by your product?

Proposals For Subsystem Evaluations

The Center defines a computer security subsystem as a physical device or software mechanism which is added to a computer system to enhance the computer security functionality of the overall system.

To be considered for a subsystem evaluation, a company must have an existing product which is designed to provide one or more of the following capabilities, as described in the Trusted Computer System Evaluation Criteria:

1) mandatory access control;
2) audit;
3) discretionary access control;
4) identification and authentication; or
5) object re-use.

Written product proposals should provide the following information:

A technical description of the product.

Which of the five subsystem functionalities does the product implement?

What is the current installed base? What is the projected installed base over the next five years?

What is the current or projected market for your product (to include specific customer base and/or firmly established requirements, if possible)? What portion of this market do you intend to address? How were the specific market projections derived?

What are the known or projected requirements that the product will satisfy? (Distinguish between the Department of Defense and Civil Agencies.)

What are the differences between and advantages of the proposed product relative to similar products which are currently available?

PROGRAM DECISION

Upon receipt of the company's proposal package, the Office of Industrial Relations will send the company written notification that the package has been received and is under consideration. The proposal will be reviewed to determine its value while assessing the capabilities of the company, the utility of the product to the Federal Government, and the degree to which the product addresses the technical aspects of computer security. The availability of adequate Center resources to support the evaluation program is also a prime consideration in the program decision. The Center may need to meet with the vendor's technical experts to ensure decision making processes are based on sound technical understanding of the product. When a decision is reached, the Office of Industrial Relations will notify the vendor in writing whether the product has been accepted for evaluation. System and network evaluations will enter into the Trusted Product Developmental Process as described below. Subsystem evaluations enter directly into the formal evaluation.

MEMORANDUM OF UNDERSTANDING

If a package for a system or network product is accepted, a Memorandum of Understanding is executed between the vendor and the National Security Agency. The purpose and function of the Memorandum of Understanding is to establish a legal relationship between the National Security Agency and the potential vendor in which:

The National Security Agency agrees to provide necessary and relevant computer security information and guidance to the potential vendor.

The vendor agrees to provide the National Security Agency the information necessary to assess the security of the proposed product.

The vendor agrees to follow the intent and requirements of the procedures leading to a system, network or subsystem evaluation.

The National Security Agency agrees to protect vendor proprietary information which is provided under the Memorandum of Understanding.

Both parties agree to review the continuation and terms of the Memorandum of Understanding periodically.

A program manager within the Requirements and Resources Division at the Center will be assigned to monitor and coordinate technical and/or administrative responses to the vendor, and a technical point of contact within the Product Evaluation Division will be identified to the vendor. To determine the division and class at which all requirements are met by a computer system, the system must be evaluated against the Orange Book. This security evaluation will be conducted by a Center evaluation team.

TRUSTED PRODUCT DEVELOPMENTAL PROCESS

The primary thrust of this phase is an in-depth examination of a vendor's design either for a new trusted product (system or network) or for security enhancements to an existing product. It is intended to ensure that the product is actually ready for evaluation with all necessary evidence available so the evaluation can be completed without delays for additional development or evidence generation. This phase is based primarily on design documentation and information supplied by the vendor, and it involves little or no "hands on" use of the product.

This phase results in the production of an Initial Product Assessment Report. This report documents the evaluation team's understanding of the system based on the information presented by the vendor, and assigns a candidate Orange Book class rating to the system. The candidate rating is an estimate of the highest class for which the product has displayed some evidence for each of the requirements in the Orange Book.

The Center's Technical Review Board provides a consistency check on the application of the Orange Book requirements, and ensures the product is ready for evaluation. Because the Initial Product Assessment Report does not represent a complete analysis of the computer product and may contain proprietary information, distribution is restricted to the respective vendor and the Center.

SYSTEM AND NETWORK FORMAL EVALUATIONS

To enter this formal evaluation phase, the design of a computer system must be finalized and marketable. In addition, the product release being evaluated must not undergo any additional development. Once the product is accepted for evaluation, a Memorandum of Agreement is signed between the Center and the vendor, to address the formal aspects of the product receiving an Evaluated Products List rating and the accompanying responsibilities.

At the start of this phase, a Product Bulletin is released by the Center announcing the evaluation. The Product Bulletin is a brief description of the computer system undergoing security evaluation, and includes the candidate rating of the system.

The evaluation phase is a detailed analysis of the hardware and software components of a system, all system documentation, and a mapping of the security features and assurances to the Orange Book. The analysis performed during this phase requires "hands on" testing (i.e., functional testing and, if applicable, penetration testing).

The evaluation phase leads to the Center publishing a Final Evaluation Report and an Evaluated Products List entry. The Final Evaluation Report is a summary of the security evaluation and includes the Evaluated Products List rating, which is the final class at which the product successfully met all Orange Book requirements in terms of both security features and assurances. The Final Evaluation Report and the Evaluated Products List entry are made public. The evaluation process represents a firm commitment from the vendor, and at its completion the product will receive a rating from the Center.

SUBSYSTEM FORMAL EVALUATIONS

While the Center devotes much of its resources to encouraging the production and use of multipurpose trusted computer systems, there is a recognized need for guidance on, and security evaluation of, supplementary computer security products. These subsystems may not meet all of the security feature, architecture, or assurance requirements of any one security class or level of the Orange Book. To meet this need, the Center has established the subsystem evaluation process.

The goal of the Center's subsystem evaluations is to provide computer installation managers with information on subsystems that would be helpful in providing immediate computer security improvements in existing installations. Once a subsystem product is accepted for evaluation, a Memorandum of Agreement is signed between the Center and the vendor, addressing the formal aspects of the product being included in the Evaluated Products List and the accompanying responsibilities.

Subsystems are special-purpose products which can be added to existing computer systems to increase some aspect of security and have the potential of meeting automatic data processing security needs. For the most part, the scope of a subsystem evaluation is limited to consideration of the subsystem itself, and does not address or attempt to rate the overall security of the processing environment or computer system on which the subsystem may be implemented. To promote consistency in evaluations, an attempt is made to assess a subsystem's security-relevant performance in light of applicable standards and features outlined in the Orange Book. In addition, the evaluation team reviews the vendor's claims and documentation for obvious flaws which would violate the product's security features, and verifies, through functional testing, that the computer product performs as advertised. Upon completion, a summary of the Final Evaluation Report will be placed on the Evaluated Products List.

The Final Evaluation Report will not assign a specific rating to the computer product, but will provide an assessment of the product's effectiveness and usefulness in increasing computer security. The Final Evaluation Report and the Evaluated Products List entry are made public.

EVALUATED PRODUCTS LIST

The Evaluated Products List provides computer users, managers and security officials, an authoritative and unbiased security evaluation of a computer system's suitability for use in processing classified and sensitive information. All products on the Evaluated Products List have been evaluated against the established criteria and interpretations. A Final Evaluation Report is issued for all products. The rating given to a system product is the highest class for which all the requirements in the Orange Book have been met. Trusted product security evaluation results are published in formal reports available from either the Government Printing Office or the National Technical Information Service.

The overall evaluation class ratings given in the Evaluated Products List apply only to the specific hardware/software configurations listed. As such, the rating indicates that the product met or exceeded each of the individual requirements for the overall Evaluation Class. Although the computer product was subjected to the detailed security testing specified in the Orange Book, it must be emphasized that such testing is not sufficient to guarantee the absence of flaws in the product. The Evaluated Products List entry does not constitute a general or overall endorsement of the product by the government, nor does it constitute a Department of Defense certification or accreditation of the trusted computer product for use in classified or sensitive unclassified processing environments. Rather, the security evaluation provides an essential part of the technical evidence required for follow-on certification and accreditation. Ultimate responsibility for the continuing integrity provided by the security mechanisms of any trusted computer product evaluated by the Center rests solely with the vendor. The Evaluated Products List, which documents evaluated computer products, is available to vendors to actively market and advertise the overall evaluation class rating achieved by their products to procurement authorities and the general public.

The Evaluated Products List contains entries for general-purpose operating systems, add-on packages, and subsystems. Product Bulletins, which are synopses of computer systems currently undergoing formal security evaluations by the Center, are also included on the Evaluated Products List.

A hard copy of the Evaluated Products List is included in the Information Systems Security Products and Services Catalogue. This catalogue is updated quarterly and is available through the Government Printing Office.

RATINGS MAINTENANCE PHASE

The Ratings Maintenance Phase provides a mechanism to ensure the validity of a previous rating for a new version of an evaluated computer system product. As enhancements are made to the computer product the Ratings Maintenance Phase ensures that the level of trust is not degraded. A complete re-evaluation is required to achieve a higher rating.

The Ratings Maintenance Phase is designed to keep the Evaluated Products List current. This is accomplished by using the personnel involved in the maintenance of the product to manage the change process and reduce the effort required to extend the rating.

Success of the Ratings Maintenance Phase depends upon the development of a cadre of vendor personnel with a strong technical knowledge of computer security and of their computer product. These trained personnel will oversee the vendor's computer product modification process. They will certify to the Center that any modifications or enhancements applied to the product will preserve the security mechanisms and maintain the assurances.

The Ratings Maintenance Phase is initially designed for C1 - B1 level of trust systems. As experience is gained in the program, the intent is to extend to higher level systems and to networks.

EVALUATION SUPPORT SERVICES

The Center supports the trusted product security evaluation process within the Trusted Product Evaluation Program. The following specialized technical services are available to benefit the interactive relationship between the computer product vendors and the technical staff of the Center. To obtain these services or to gain more insight into their particular detail, refer to the Points of Contact section.

DOCKMASTER

DOCKMASTER is an unclassified computer system used by the Center for the nationwide dissemination and exchange of computer security information. DOCKMASTER serves the entire information security community including the Federal Government, universities, and private industry. It can distribute electronic mail via connections to the ARPANET. DOCKMASTER is accessible by direct dial, the MILNET, and McDonnell Douglas Tymnet network.

DOCKMASTER is the primary means of communications between the vendor and the Center throughout the computer product security evaluation process. It allows vendors to use electronic mail, file transfer protocols, and the Forum subsystem. Forum is an on-line, interactive meeting facility that permits an individual to "meet" with other users through the use of a computer terminal.

VERIFICATION TOOLS

Vendors who are developing systems that are targeted to meet the class A1 requirements of the Orange Book must provide assurance that the system implementation is consistent with the system's design. This assurance is gained by developing a Formal Top Level Specification of the design and verifying that the specifications are consistent with the formal security policy model (the security requirements) for the system. After the design verification has been completed, an informal mapping is performed from the Formal Top Level Specification to the implementation. This completes the evidence. Formal Top Level Specification development and subsequent verification is a rigorous, mathematical process that can be greatly aided by the use of automated verification tools. The Orange Book requires the use of such a tool in the verification of A1 systems: "This verification evidence shall be consistent with that provided within the state-of-the-art of the particular Center endorsed formal specification and verification system used."

The Center endorsed verification tools are maintained on the Endorsed Tools List. Examples of these verification tools are Formal Development Methodology, Gypsy, and Enhanced Hierarchical Development Methodology. For information concerning the current entries on the Endorsed Tools List, vendors should contact the Computer Hardware and Software Support Division.

TECHNICAL GUIDELINES

To complement the information contained in the Orange Book, the Center publishes technical guidelines which serve as additional guidance in interpreting the established standard. These technical guidelines aid in the evaluation and selection of computer security products, both complete systems and subsystems. In addition, they are used throughout the Federal Government and by Federal Government contractors as guidance for the procurement, use, and disposal of automation systems and their associated magnetic storage media.

The Technical Guidelines Program contributes to the technical literature on issues of computer security. Guidelines are written in response to demonstrated need in automated processing environments.

Participation in the development of technical guidelines is provided by the technical staff of the Center and its associated offices within the National Security Agency, by representatives of the Department of Defense and the Intelligence Community, by civil agencies of the Federal Government, by Federally Funded Research and Development Centers, by contracted analytic and technical firms, and by selected experts in the particular field of endeavor. Draft versions of proposed documents are extensively reviewed by a wide audience of interests, and comments are fielded for consideration before publication.

PUBLICATIONS

Technical guidelines that are published by the Center, and useful to a vendor in order to process a computer product through the Trusted Product Evaluation Program, will be provided in limited quantity by the INFOSEC Awareness Organization.

TRAINING

The Center provides training on topics of major importance to vendors interested in the trusted product security evaluation process.

OTHER RELATED SERVICES

Within the Information Security Organization, there are several separate butcomplementary programs which relate to the Trusted Product Evaluation Program.A brief description of each program is provided in subsequent paragraphs. Formore details, please contact the specific program office in the Points ofContact list.

Like the Trusted Product Evaluation Program, the Commercial Communications Security Endorsement Program is a business relationship which combines private sector leadership and expertise in equipment design, development and high volume production with the information security expertise of the National Security Agency. Specifically, this program is designed to encourage industry to embed United States Government proprietary cryptography into telecommunications products to meet the need to protect its classified and sensitive unclassified information. The Commercial Communications Security Endorsement Program products that are endorsed for protecting sensitive unclassified government information only are also available to the private sector. In today's computer networking environment, many products require both an encryption capability and a trusted computing base to meet user requirements. Companies whose products merge both communications and computer security disciplines are encouraged to become familiar with the requirements of the Commercial Communications Security Endorsement Program.

The Secure Data Network System Program was established in August 1986, when the National Security Agency joined in partnership with ten major telecommunications and computer companies to develop a security architecture and a user-friendly key management system using the Open Systems Interconnection model. The ultimate goal of the Secure Data Network System Program is to provide for the development of information security products that can operate over a broad range of commercial data networks. Once the Secure Data Network System architecture is formalized, the development of Secure Data Network System products will be carried out under the auspices of the Commercial Communications Security Endorsement Program.

The Industrial TEMPEST Program is designed to aid industry in developing and testing TEMPEST-suppressed equipment which can be offered for sale to the United States Government. Companies developing trusted computing products should be aware that the United States Government may require that products protecting classified information be TEMPEST-suppressed.

A company that produces computer security products may be interested in the Department of Treasury's Electronic Funds Transfer Certification Program if the primary function of its product is to provide message authentication in support of United States Government financial transactions. The program specifically provides for testing, evaluating and certifying Message Authentication Code devices for Federal electronic funds transfer use in accordance with American National Standards Institute Standard X9.9. In addition, elements of Federal Standard 1027 covering minimum general security requirements for implementing the Data Encryption Standard encryption algorithm are included. Optional electronic key management is based on American National Standards Institute Standard X9.17.

Vendors who are developing trusted computer products as Independent Research and Development Projects may obtain technical assistance and technical plan evaluations by contacting the Center's Office of Computer Security Research and Development.

The Computer Security Technical Vulnerability Reporting Program, promulgated in Department of Defense Instruction 5215.2 in September 1986, provides a mechanism for reporting weaknesses or design deficiencies in hardware, firmware, or software that leave automated information systems open to potential exploitation. Technical vulnerabilities reported in Evaluated Products List items could possibly change the overall rating of the product.


Points of Contact

COMMERCIAL COMMUNICATIONS SECURITY ENDORSEMENT PROGRAM

Director, National Security Agency
Attention: Office of Industrial Relations
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 688-6581

TRUSTED PRODUCT EVALUATION PROGRAM

Director, National Security Agency
Attention: Office of Industrial Relations
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 688-6581

COMPUTER SECURITY TECHNICAL VULNERABILITY REPORTING PROGRAM

Director, National Security Agency
Attention: Vulnerability Reporting Program
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 688-6079

DEPARTMENT OF TREASURY'S ELECTRONIC FUNDS TRANSFER CERTIFICATION PROGRAM

Assistant Director, Security Programs
Department of Treasury
15th and Pennsylvania Avenue NW
Washington, DC 20220
(202) 566-5152

DOCKMASTER AND VERIFICATION TOOLS

National Computer Security Center
Attention: Computer Hardware and Software Support Division
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 859-4360

INDEPENDENT RESEARCH AND DEVELOPMENT PROJECTS PROGRAM

National Computer Security Center
Attention: Office of Computer Security Research and Development
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 859-4486

INDUSTRIAL TEMPEST PROGRAM

Ford Aerospace and Communications Corporation
Attention: Mail Stop 3 (Industrial TEMPEST Program)
7170 Standard Drive
Hanover, MD 21076
(301) 796-5254

PUBLICATIONS AND TRAINING

Superintendent of Documents
U.S. Government Printing Office
Washington, DC 20402
(202) 783-3238

U.S. Department of Commerce
National Technical Information Service
5285 Port Royal Road
Springfield, VA 22161
(703) 487-4650

SECURE DATA NETWORK SYSTEM PROGRAM

Director, National Security Agency
Attention: Secure Data Network Systems SPO
9800 Savage Road
Fort George G. Meade, MD 20755-6000
(301) 668-7110

TECHNICAL GUIDELINES

National Computer Security Center
Attention: Technical Guidelines Division
9800 Savage Road
Fort George G. Meade, MD 20755-6000

REFERENCES

DoD 3204.1, Independent Research and Development, Under Secretary of Defense for Research and Engineering, 1 December 1983.

DoD Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, revised April 1978.

DoD 5200.28-STD, Department of Defense Standard, Department of Defense Trusted Computer System Evaluation Criteria, December 1985; supersedes CSC-STD-001, dated 15 August 1983.

DoD Directive 5215.1, Computer Security Evaluation Center, 25 October 1982.

DoD Instruction 5215.2, Computer Security Technical Vulnerability Reporting Program, 2 September 1986.

National Telecommunications and Information System Security Policy No. 200, National Policy on Controlled Access Protection Policy, 15 July 1987.

NCSC-TG-005 Version 1, Trusted Network Interpretation of The Trusted Computer System Evaluation Criteria, 31 July 1987.

ATTACHMENT I

SPECIFICATIONS AND DESIGN DOCUMENTATION

When a vendor enters into a product evaluation, he must present evidence that his system and its design meet the appropriate criteria requirements.

Examples of the type of evidence normally submitted to support an evaluation include the design specifications that explain the security mechanisms, and the Trusted Computing Base (TCB) arguments that show how the TCB is tamperproof, always invoked, and small enough to be analyzed. Also, the model (or philosophy of protection) and how it relates to the implementation are important parts of the evidence. The best test of evidence is that it must include all the information such that a new team that is basically unfamiliar with the product could evaluate only the evidence and reach the proper conclusion.

In order for the evaluation team to review this evidence and determine whether the system complies with these requirements, the team must develop a conceptual understanding of how the system being evaluated operates. Generally, the evaluation team can acquire this level of understanding by reviewing the vendor's system documentation and specifications. The following types of high level system documents are typically required by the evaluation team:

User-Level Documentation
    Provides users an overview of the system, its functioning, and information on user services.

Operational Manuals
    Contains a general description, implementation and usage information for the system. It is intended for use by system programmers who service the system.

Program Logic Manuals
    Documents the internal operation and organization of a system. It is intended for use by system programmers for program maintenance and to determine the location of program malfunctions.

Administrative Manuals
    Documents the procedures for installing and generating the system.

Hardware and Software System Specifications
    Includes hardware and software design and implementation details of the system's major components.

ATTACHMENT II

TEST PLANNING

The Department of Defense Trusted Computer System Evaluation Criteria (Orange Book) requires that vendors provide a document to the evaluators that describes the test plan, test procedures, and the results of the security mechanisms' functional testing. Security mechanisms are those mechanisms that are relevant to the Orange Book. These include object reuse, labeling, discretionary access control (DAC), mandatory access control (MAC), identification and authentication, auditing, and trusted path. A security related functional test plan should determine whether the system being evaluated has any design and implementation flaws that would permit a subject external to the Trusted Computing Base (TCB) to read, change, or delete data which he would not normally have access to under the mandatory or discretionary security policy enforced by the TCB. [The TCB is defined by the TCSEC as "the totality of protection mechanisms within a computer system -- including hardware, firmware, and software -- the combination of which is responsible for enforcing a security policy".] Security related functional tests involve all security properties of a system (i.e., all aspects of the TCB that affect or can be affected by a security mechanism).

COVERAGE OF TESTING

Although many standard testing methods are acceptable in fulfilling the Orange Book testing requirements, they are, for all but very small or simplistic systems, impractical to use due to the large amount of resources required.

Some methods of testing that have in the past proven to be sufficient and were reasonable to implement are interface and mechanism testing.

Interface testing refers to testing the TCB at the user interface (i.e., user callable routines). Generally, critical boundaries of each security mechanism are determined and test cases on both sides of these boundaries are generated. The critical boundary of a security mechanism is the point at which the rule it is designed to implement is or is not invoked. This provides more assurance that the view of the system presented to a user is correct.

Mechanism testing refers to the testing of the security mechanisms that the TCB supports (i.e., DAC, object reuse, audit, etc.). A mechanism can consist of one or more interfaces, and some interfaces can be called by different mechanisms. Mechanism testing shows that the TCB supports these mechanisms. The sufficiency of the different methods of testing depends on the particular class of the Orange Book the system is being evaluated against.
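Interface testing at critical boundaries, as an added example that is not part of NCSC-TG-002 or of any evaluated product: a toy mandatory access control check (hierarchical level plus category set, assumed here for illustration) stands in for the TCB interface, test cases are generated on both sides of each boundary with their expected results stated independently of the code under test, and a deliberately flawed implementation that misapplies the rule at the equal-label boundary fails exactly those cases. All names are illustrative.

```python
"""Critical-boundary test cases for a toy MAC interface (added example, not
from NCSC-TG-002).  The interface under test is a simplified mandatory
access control check: a hierarchical level plus a category set, following
the Bell-LaPadula simple-security (read) and *-property (write) rules.
For one subject label, cases are generated on both sides of each critical
boundary and run against a correct and a deliberately flawed implementation."""
from dataclasses import dataclass
from itertools import product

TOP = 3  # hierarchical levels 0..3; constructed for the example


@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset


def dominates(a: Label, b: Label) -> bool:
    """a dominates b: level not lower and category set a superset."""
    return a.level >= b.level and b.categories <= a.categories


def mac_check(subject: Label, obj: Label, mode: str) -> bool:
    """Correct interface: read needs subject >= object, write needs object >= subject."""
    return dominates(subject, obj) if mode == "read" else dominates(obj, subject)


def mac_check_flawed(subject: Label, obj: Label, mode: str) -> bool:
    """Boundary flaw: strict comparison denies access when the labels are
    equal, so the rule is not applied exactly where it should be."""
    if mode == "read":
        return subject.level > obj.level and obj.categories <= subject.categories
    return obj.level > subject.level and subject.categories <= obj.categories


def expected_decision(subject: Label, obj: Label, mode: str) -> bool:
    """Oracle transcribed from the policy statement, independent of the code
    under test, so each test case carries its own expected result."""
    if mode == "read":
        return subject.level >= obj.level and obj.categories <= subject.categories
    return obj.level >= subject.level and subject.categories <= obj.categories


def boundary_cases(subject: Label):
    """Object labels on either side of the subject's critical boundary (equal
    label, one level up/down, one category more/fewer), for both modes."""
    cats = subject.categories
    neighbours = {
        "same": subject,
        "level+1": Label(min(subject.level + 1, TOP), cats),
        "level-1": Label(max(subject.level - 1, 0), cats),
        "cat+1": Label(subject.level, cats | {"EXTRA"}),
    }
    if cats:
        neighbours["cat-1"] = Label(subject.level, cats - {min(cats)})
    return [(name, obj, mode, expected_decision(subject, obj, mode))
            for (name, obj), mode in product(neighbours.items(), ("read", "write"))]


def run_boundary_tests(check, subject: Label):
    """Run every case through `check`; return (case, mode) pairs whose actual
    decision differs from the expected one.  Empty means the interface passed."""
    return [(name, mode) for name, obj, mode, expected in boundary_cases(subject)
            if check(subject, obj, mode) != expected]
```

The correct implementation passes every generated case, while the flawed one fails on the "same" label in both modes and on the two category-boundary cases where equal levels should have been sufficient, which is the kind of flaw the test plan described above is meant to surface.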

TESTING A B2-A1 SYSTEM:

TCB interface testing is sufficient. Every interface must be tested. Since B2, B3 or A1 systems are well structured, and their Detailed Top Level Specifications (DTLS) and Formal Top Level Specifications (FTLS) provide a complete and accurate description of the TCB interface, the testing of the TCB interfaces can reasonably be expected to be very comprehensive.

TESTING A C1-B1 SYSTEM:

Mechanism testing is probably sufficient. The structure allowed by a C1-B1 architecture would most likely make interface testing impractical. It is likely that an evaluation team may determine, through inspection of the system's test plan and its architecture, that black box testing of the interface is insufficient and requires "white box" testing of instrumental code sections.

DOCUMENTATION

Documentation of a test should be specific and briefly describe the TCB mechanism being tested. The expected results of each test case should be set forth. The test documentation should also contain an overview of the test methods being used, and the security properties which are and are not pertinent for each particular mechanism. A list of all assumptions being made about the testing environment should also be included.

The Orange Book functional testing requirements also require that both the system and the test plan be maintained using good configuration management techniques. This allows the vendor to provide a form of life-cycle assurance for the system. Life-cycle assurance is a procedure for managing system design, development, and maintenance using a method of rigorous and formalized controls and standards. It allows the vendor to reevaluate the system when changes are made to determine whether the integrity of the protection mechanism has been affected.

ATTACHMENT III

REQUIRED DOCUMENTATION

The Orange Book requires that a vendor produce documentation which describes the system protection mechanisms, how the system can operate using these protection mechanisms, how the system developer designed security into the system, and how these security features and system were tested. The amount of documentation required increases with the targeted Orange Book class. The specific requirements are listed below starting at the lower Orange Book classes and progressing through the higher classes. In some cases, additional documentation may be required.

C1 - DISCRETIONARY ACCESS CONTROL

Security Features User's Guide tells users how to use the security mechanisms of the system. It provides the necessary information to understand and effectively use the discretionary access control mechanisms to protect information.

Trusted Facility Manual tells the system administrator how to set the system up so that it stays secure. It should tell the administrator how to select the proper options such that the system is operated in a mode that meets the requirements of the Criteria. If there are unsecure modes that the system can run in, the manual should clearly state their impact on the security and include warnings as appropriate. This manual should also include any procedures the administrator should use during operations to maintain security. If any of the hardware/software features require administrator actions to complete the security protection, they should be thoroughly described.

Test Documentation describes the results of the security mechanisms' functional testing. This documentation is used by the evaluation team to assess the testing performed by the vendor. This document describes those tests, how they are run, and how to properly interpret the results.

Design documentation provides the rationale and supporting evidence for the security of the design of the system. The descriptive specifications are included in this evidence. It is intended to provide the sort of information a new developer would need in order to support the system. It should include the manufacturer's philosophy of protection. If the TCB consists of distinct modules, the design documentation describes the interfaces between these modules.

C2 - CONTROLLED ACCESS PROTECTION

Security Features User's Guide remains the same as C1.

Trusted Facility Manual is the same as C1, but also requires details on how tomaintain audit data.

Test Documentation remains the same as C1.


Design Documentation is the same as C1.

B1 - MANDATORY PROTECTION

Security Features User's Guide remains the same as C2, but also describes the additional security mechanisms required at this class (i.e., Mandatory Access Control).

Trusted Facility Manual remains the same as C2, but also describes the operator and administrator functions related to security. This includes an explanation of what's involved in changing the security characteristics of a user, and a description of facility procedures, warnings, and privileges that need to be controlled in order to operate the facility in a secure manner.

Test Documentation remains the same as C2.

Design Documentation remains the same as C2, but also describes the security policy model (either formally, i.e., mathematically, or informally, i.e., in English) and how the TCB implements this model.

B2 - STRUCTURED PROTECTION

Security Features User's Guide remains the same as B1, but also describes the additional security mechanisms required by this class (i.e., Trusted Path).

Trusted Facility Manual remains the same as B1, but also details what constitutes the TCB and how it can be modified. It also describes how separate operator and administrator functions need to be supported.

Test Documentation remains the same as B1, but includes the results of covert channel tests. Covert channels are communication paths that allow a process to transfer information in a manner that violates the system's security policy.

Design Documentation remains the same as B1, but also includes a formal description of the model, and proof that it is sufficient for the policy. It will also describe how the TCB implements the reference monitor concept and how it enforces the principle of least privilege.

B3 - SECURITY DOMAINS

Security Features User's Guide remains the same as B2, but also describes the additional security mechanisms required at this class.

Trusted Facility Manual remains the same as B2, but also includes a description of how to start up and restore the system security. It also describes the role of the Security Administrator.

Test Documentation remains the same as B2.

Design Documentation remains the same as B2, but also includes the correspondence between the Detailed Top Level Specifications and the TCB. The TCB implementation is also shown to be informally consistent with the Detailed Top Level Specifications.

A1 - VERIFIED PROTECTION

Security Features User's Guide remains the same as B3.

Trusted Facility Manual remains the same as B3.

Test Documentation remains the same as B3, but also includes the results of the mapping between the Formal Top Level Specifications and the TCB source code.

Design Documentation remains the same as B3, but also includes a description of the components that are strictly internal to the TCB. It also includes a Formal Top Level Specification to TCB correspondence.

