The Birth and Death of the Orange Book

  title={The Birth and Death of the Orange Book},
  author={Steven B. Lipner},
  journal={IEEE Annals of the History of Computing},
  • S. Lipner
  • Published 2 June 2015
  • Computer Science
  • IEEE Annals of the History of Computing
This article traces the origins of US government-sponsored computer security research and the path that led from a focus on government-funded research and system development to a focus on the evaluation of commercial products. That path led to the creation of the Trusted Computer System Evaluation Criteria (TCSEC), or Orange Book. The TCSEC placed great emphasis on requirements for mandatory security controls and high assurance, and the resulting TCSEC evaluation process was time-consuming and… 

Tables from this paper

An Efficient Approach to Resolve Covert Channels

A design that is based on the fact that it is impossible inside a system for any process to recognize any user, for whom other processes are invoked, in order to covertly communicate with him or her identities of all users are hidden is proposed.

Role-based Access Control and BCHS

This paper describes how recent developments in BCHS web applications allow programmers to define, enforce, and audit access roles of the application and its data source, and brings hard guarantees on data security from the application scope to the operational scope.

Adaptation of a risk-based approach to the tasks of building and functioning of information security systems

It is proposed to implement a risk-oriented approach, taking into account the properties and characteristics of the protected information, its social significance and importance, which implies building an objective model of the attacker, assessing his potential and the degree of interest in the successful implementation of the attack.

Computer Security Discourse at RAND, SDC, and NSA (1958-1970)

  • T. Misa
  • Computer Science
    IEEE Annals of the History of Computing
  • 2016
New evidence about two early multilevel access, time-sharing systems, SDC's Q-32 and NSA's RYE, and its security-related consequences for both the 1967 SJCC session and 1970 Ware Report are described.

Design Dimensions for Software Certification: A Grounded Analysis

This study compares two certification standards, Common Criteria and DO-178C, and collects insights from literature and from interviews with subject-matter experts to identify design options relevant to the design of standards, serving as a framework to guide the comparison, creation, and revision of certification standards and processes.

Cybersecurity governance: a prehistory and its implications

The purpose of this paper is to understand the emerging challenges of cybersecurity governance by analyzing the internet’s early history by tracing the design and management of early internet and network security technologies in the USA in the 1970s and 1980s.

COMMAND: Certifiable Open Measurable Mandates

This paper solves the problem of identifying a system’s overhead due to security, a key problem towards making such an open mandate enforceable in practice, and makes the case for an alternate resource-based mandate.

Measuring Software Security from the Design of Software

The general quality of the security metrics are not in a satisfying level that could be suitably used in daily engineering work flows, and need to be improved.

Edge Cryptography and the Codevelopment of Computer Networks and Cybersecurity

This study of the PLI is an entry into the historical relationship between cryptography and packet-switched computer networks.

Security certification and labelling in Internet of Things

This paper proposes a new approach for security certification in IoT, which addresses the identified limitations and links formal models to testing and certification.



Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military

Differences between the cultures of communications security and computer security, the bureaucratic turf war over security, and the emergence and impact of the Department of Defense's Trusted Computer System Evaluation Criteria (the so-called Orange Book) are discussed.


This report documents a proposed set of technical evaluation criteria for evaluating the internal protection mechanisms of computer systems and indicates one approach to how trusted systems might be evaluated.


This publication is effective immediately and is mandatory for use by all DoD Components in carrying out ADP system technical security evaluation activities applicable to the processing and storage of classified and other sensitive DoD information and applications as set forth herein.


This document is intended to extend the scope of the TCSEC so that the control objectives, contained therein, will also address the protection of information and computing resource integrity.

Non-Discretionery Controls for Commercial Applications

  • S. Lipner
  • Computer Science
    1982 IEEE Symposium on Security and Privacy
  • 1982
The lattice model of non-discretionary access control in a secure computer system was developed in the early Seventies[BIaP]. The model was motivated by the controls used by the Defense Department

Proposed Technical Evaluation Criteria for Trusted Computer Systems

This report documents a proposed set of technical evaluation criteria for evaluating the internal protection mechanisms of computer systems, and represents one approach to how trusted systems might be evaluated.

Security Controls for Computer Systems

Abstract : With the advent of resource-sharing computer systems that distribute the capabilities and components of the machine configuration among several users or several tasks, a new dimension has

Design and Certification Approach: Secure Communications Processor,

It is asserted that the security controls for such secure systems must be designed into the computers themselves and the problems of designing and certifying the controls and the computer system are discussed.

Introduction and overview of the multics system

Multics (Multiplexed Information and Computing Service) is a comprehensive, general-purpose programming system which is being developed as a research project and will be implemented on the GE 645 computer.

A security model for military message systems

The message system application is introduced, the problems of using the Bell-LaPadula model in real applications are described, and the security model for a family of military message systems is formulated.