Commercial computer system products acquired by the US government to handle classified or other sensitive information must meet a security standard known as the “Orange Book.” Products are evaluated by the National Computer Security Center, which originated the standard and developed a procedure to perform evaluations, and which assigns each evaluated product a rating. A separate Department of Defense directive specifies what minimum rating is necessary for an application environment, depending on the sensitivity of the information and the clearance of the users. Getting products evaluated is therefore a major concern of computer system vendors supporting government customers.
This paper summarizes both the technical aspects of the standards and the evaluation procedures. As a member of the Technical Review Board, a consulting body that plays a crucial role in evaluations, the author is conversant with both areas, and the paper successfully conveys the flavor of the process as well as a considerable amount of factual information. I recommend it for anyone interested in how seriously the government treats computer security and for vendors who are considering having their products evaluated.