USE OF THE TRUSTED COMPUTER SYSTEM
EVALUATION CRITERIA(TCSEC) FOR
COMPLEX, EVOLVING, MULTIPOLICY
SYSTEMS
NCSC TECHNICAL REPORT-002
Library No. S-241,321
July 1994
FOREWORD
This Technical Report "Use of the Trusted Computer System Evaluation Criteria (TCSEC) for Complex,
Evolving, Multipolicy Systems," though addressing a more general problem, and not written in the form
of an interpretation, is written in the spirit of the "Trusted Database Management System Interpretation
(TDI) of The Trusted Computer System Evaluation Criteria." This approach can be used in conjunction
with TDI developed systems or in the cases where the TDI does not apply. The document is intended to
be used as a basis update to, NCSC-TG-024, Version 1, Volume 2/4, "A Guide to Procurement of Trusted
Systems: Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators."
Recommendations for revision to this publication are encouraged and will be reviewed periodically by
the NCSC. Address all proposals for revision through appropriate channels to:
National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-6000
ATTN: Standards, Criteria, and Guidelines Division
Reviewed by:_______________________________________
GLENN GOMES
Chief, INFOSEC Standards, Criteria & Guidelines Division
Released by:_______________________________________
ROBERT J. SCALZI
Chief, INFOSEC Systems Engineering Office
ACKNOWLEDGEMENTS
This document was written by Howard L. Johnson of Information Intelligence Sciences, Inc., supported
and revised by U.S. Army Major Melvin L. DeVilbiss. Besides many NSA organizations, the document
was reviewed by Department of the Army (ASIS), DISA, Grumman, MITRE, and NAVELEXSECSEN.
TABLE OF CONTENTS
FOREWORD
ACKNOWLEDGEMENTS
1. Introduction
1.1 Purpose
1.2 Today's Operational Systems
1.3 Security Policy
1.3.1 Regulatory Security Policy
1.3.2 Operational Security Policy
1.4 The TCSEC, TNI, and TDI
2. Proposed Approach
2.1 Domains of Constant Policy (DOCPs)
2.1.1 Mechanisms
2.1.2 Kinds of Isolation
2.1.3 Phased Build
2.1.4 Levels of Assurance
2.1.5 Policy Iteration
2.2 Interface Policy
2.2.1 Communications Responsibility - Sending
2.2.2 Communications Responsibility - Receiving
2.2.3 Exposed Risk
2.2.4 Mutual Suspicion
2.3 Global Policy
2.3.1 Shared Mechanisms
2.3.2 Discretionary Access Control
2.3.3 Identification/Authentication
2.3.4 Audit
2.3.5 Security Administrator
2.3.6 Recovery
2.3.7 Global Noncompliance
3. Risk Management
3.1 Propagated Risk Assessment
3.2 Policy Iteration
3.3 Protection Assessment
3.4 Design Iteration
4. Summary
Bibliography
Acronyms
Glossary
LIST OF FIGURES
Figure 1. Relationship of Policy to TCB
Figure 2. The Primitive Property
Figure 3. Domains of Constant Policy
Figure 4. Mechanisms Associated with a DOCP
Figure 5. Policy Iteration
Figure 6. Design Iteration
1 INTRODUCTION
NSA recently published "Design and Evaluation of INFOSEC Systems: The Computer Security
Contribution to the Composition Discussion" [1]. It discusses how the TNI [2] and the TDI [3]
complement the TCSEC [4] and provide powerful tools for extensibility to INFOSEC systems. The
problem addressed "for both designers and evaluators, is how to approach a complex system such that
the elements derived from the high-level system objectives (in the TCSEC context) enforce the security
policy and that they can be shown to compose those objectives."
This paper addresses a different problem (though often it is mistaken as the same). The audience
addressed here includes procurement initiators, certification evaluators, and Designated Approving
Authorities (DAAs). The objective is to deal with existing, evolving systems, where the individual
elements support security policies but do not in general support high-level system objectives. This paper
details how to develop a set of high-level system objectives and to retrofit system elements in a cost/risk
effective manner to allow continued secure evolution, accreditation, and secure mission support.
Today there exists a tremendous investment in evolving Department of Defense (DoD) command and
control systems made up of intercommunicating entities. Many of these systems were developed without
a precisely defined set of system level security objectives or security preserving interface rules. Elements
are often heterogeneous in the security policies supported, the degree of assurance provided, and the
inherent trust present. Often cascading security risk has not been considered. Only classification data
policies have been supported at the interfaces. Most importantly, these systems support highly sensitive
and critical U.S. missions on a daily basis.
We endorse and support the goals and concepts of [1] in its context. It is believed, however, that new
goals and concepts are needed to deal with the current "evolving system acquisition problem."
1.1 PURPOSE
The purpose of this paper is to provide a methodology to assist the heads of DoD components to procure,
certify, and accredit existing, evolving, multipolicy systems against the TCSEC [4] requirements,
consistent with the guidance provided in the TNI [2] and the TDI [3]. This methodology must come to
grips with the problems that exist in current operational command and control systems. The intended
audience is anyone concerned with any aspect of these objectives.
A more immediate goal, once these ideas have been finalized, is to develop a STRAWMAN follow-on
version of Volume 2 of the Procurement Guideline Series "Language for RFP Specifications and
Statements of Work - An Aid to Procurement Initiators [5]," but it will apply to complex systems. This
will provide a way to extend the guideline's application from the procurement of Evaluated Products List
(EPL) [6] products (or the equivalent) to procurement of integrated systems, encouraging maximum use
of EPL products in the system development/evolution.
1.2 TODAY'S OPERATIONAL SYSTEMS
Operational systems continue to be developed for the military, adding custom built elements onto
existing systems. Some elements still in use were developed in the 70s. The TCSEC [4], first published in
1983, was used selectively on a few experimental developments in the early 80s. The TCSEC [4] was not
made a DoD standard until 1985 and was slow to be adopted into policies and directives of the individual
services. Part of the reason was lack of guidance on adaptation to complex connected systems of the type
being implemented. This void was partially filled by the publication of the TNI [2] in mid 1987, the
update to DoDD 5200.28 [7] in 1988, and availability of "The Trusted Network Interpretation
Environments Guideline [8]," in late 1990. Practical experience was gained in several pilot projects.
Today, guidance is still lacking on exactly how the TCSEC [4], used primarily for products, can be
adapted to evolving, built-to-specification systems. Problems exist in downgrade, cascading risk, and
contractual compromise; not to mention the unavailability of trained expertise for testing and evaluation.
The result is a wide variation in trust and security, perpetuated by continued misconceptions about the
adequacy of existing protection and the nature of potential threat.
The following is a list of problems that can be encountered in operational environments and represents
problems that must be solved. Components of existing/evolving systems:
Seldom are on the Evaluated Products List (EPL) [6] - Although this will change in the future, existing
operational systems often do not use NSA evaluated products.
Often have different policies - System components evaluated during certification against different
Orange Book division/class requirements, different security modes, or different operational policies are
often linked together in complex systems by busses and networks.
Have been built with conflicting regulatory policies - Rigor was employed to make the TCSEC [4]
internally consistent. The TNI [2] and TDI [3] have also been written with this goal in mind. The basic
DoD set of three documents (5200.28 directive [7], manual [9], and standard [4]) are also consistent, for the
most part. However, existing systems have employed additional directives from each of the individual
services and agencies. These documents can lag DoD documents because of lengthy update cycles or they
can lead DoD documents based on preemptive need. (Sometimes internal service policy will be
developed hoping that it will be subsequently adopted by the DoD.)
Have varying degrees of trust and assurance - Some system components have been operating since the
70's, others received initial accreditation before the TCSEC [4] became a requirement, some used the
TCSEC [4] requirements, and a few use Evaluated Products List (EPL) [6] trusted technologies.
Recertifications and reaccreditations often list many deficiencies, but with the risks accepted by DAAs
(feeling the pressures of high corrective costs and operational immediacy).
Generally do not consider cascading risk - Until publication of the TNI [2], cascading risk was not fully
understood or appreciated. DoDD 5200.28 [7] states that the DAA "should be aware that connection to a
network may involve additional risks" and that the concern is only with "connections to adjacent AISs."
This has given the DAA the flexibility to largely ignore cascading risk.
Only enforce "classification policy" at the interface - Policy at interfaces normally includes more than
classifications and clearances. There are discretionary and category (compartment, caveat)
considerations. The concept of least privilege and other privilege restrictions (e.g., two man rule) must be
supported.
Do not have well stated, enforced global objectives - Connected trusted components of existing
evolving systems support their individual assigned policies, but do not in general support a global policy,
such as those addressed in the TNI [2] and TDI [3].
Are not always strictly reaccredited with each added element - Once an element has undergone rigorous
certification evaluation, and has been used operationally, there is a reluctance to subject it to another
recertification when elements are added to the connected system, even though additional risk may have
been introduced.
Are often crucial to National defense - Especially in crisis situations (e.g., the Gulf War) security is
considered a secondary objective and if there is any conflict with the primary mission, the security of the
system may be sacrificed.
1.3 SECURITY POLICY
1.3.1 Regulatory Security Policy
In the controlled process of Computer Security (COMPUSEC) product evaluation, the primary
requirements document is DoD 5200.28-STD [4]. In the operational DoD world, two additional
documents are equally important: DoDD 5200.28 [7] and DoD 5200.28-M [9].
a. DoD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)" [7] - This
Directive applies to all automated information systems processing classified, sensitive unclassified, or
unclassified information. It specifies the applicability of DoD 5200.28-STD [4]. It also specifies that
systems requiring at least controlled (C2) access based on the risk assessment procedure (i.e., not all users
necessarily have the need-to-know for all information) must have been upgraded by the end of 1992. This
directive identifies the relationships of other areas of security to COMPUSEC. Enclosure 4 to DoDD
5200.28 [7] provides the risk assessment procedure to be carried out to determine the operating mode and
division/class required to support the system's environment.
b. DoD 5200.28-M, "Automated Information System Security Manual" (Draft) [9] - This manual
specifies automated information system (AIS) security roles and responsibilities. It outlines the risk
management process: threat assessment, risk analysis, cost benefit analysis, and the selection and
implementation of safeguards. Certification and accreditation requirements are discussed. The
document discusses the relationship of Security Test and Evaluation to other areas of testing. This
document also addresses provisions of the Computer Security Act of 1987, not addressed in DoDD
5200.28 [7].
c. DoD 5200.28-STD, "DoD Trusted Computer System Evaluation Criteria" [4] - This standard, referred
to as the "Orange Book," deals with confidentiality protection for classified and sensitive data. It contains
a set of basic requirements and evaluation criteria for assessing the effectiveness of security protection
features provided to an automated information system. It specifies the discretionary and mandatory
security policies to be enforced and the rules for access control.
For each DoD organization, there are also regulations imposed by organization or application specific
security documents as well.
1.3.2 Operational Security Policy
Operational security policy specifies the security critical aspects of the system and the manner in which
the regulatory policy is to be satisfied. Operational security policy specifies the tradeoff decisions made
by the DAA between COMPUSEC and other security methods of protection. It involves a functional
allocation of the various security related tasks to the elements of the system. It identifies security
clearance requirements for users of different system elements and isolates classified and unclassified data
from other data within the system. It determines where users must access multiple security levels in near
real-time.
The actual assignment of operational security policy is arbitrary in the sense that there are usually many
ways to satisfy security requirements. Cost, performance, and risk tradeoffs will help determine the
eventual way in which the system will be built and deployed. The operational security policy may
change several times during development and even over the rest of the system life-cycle.
1.4 THE TCSEC, TNI, AND TDI
Figure 1 provides a simple depiction of the relationship between policy, component(s), and trusted
computing bases (TCBs, defined in the glossary). The TCSEC [4] addresses a single TCB and pertains to a
single policy (i.e., division/class). However, throughout the TCSEC [4] one finds system; computer
system; assembly of hardware, software and firmware. It is easy to interpret the TCB as being within a
component or across components. Thus, the relationship in Figure 1 is too simplistic to accurately portray
the ideas of the TCSEC [4].
The TDI [3], like the TCSEC [4], deals with TCBs. TCB subsets are defined in the TDI [3] by a relationship
between them called "primitive." Figure 2 shows two less primitive TCBs for which it is not possible to
verify the specification of either without a statement about the specification of the more primitive TCB.
One could imagine, for example, constructing a single network TCB and then attaching to it less primitive
nodal TCBs, satisfying the TCB subset requirements of the TDI [3], and gaining the advantage of
evaluation by parts.
Partial order is a necessary condition for the structure of TCB subsets. There are no examples in the TDI
[3] of multiple "more primitive" TCBs, nor is there anything obvious that prevents the possibility.
Nothing appears to preclude different specifications from a subsetted architecture from being drawn
from different division/classes, however, it is intuitive that as dependencies of a higher division/class
less primitive subset become more complicated, that there is a greater chance that the lower division/
class specifications of the more primitive subset will not meet the specifications of the former. It still does
not invalidate this approach as a structure. It just means that the full benefits of the evaluation-by-parts
approach cannot be realized.
Cascading risk occurs when a penetrator can take advantage of multiple TCBs to compromise information
across a range of security levels that is greater than the accreditation range of any of the TCBs he/she
must defeat to do so. Because different division/classes are not addressed directly in the TDI [3], neither
is cascading risk.
The TNI [2] primarily addresses a single trusted system view, where a single policy lies across
components and the single Network TCB (NTCB) can be partitioned across some of those network
components. There is no requirement, or even expectation, that every component have a partition, nor
that any partition comprise a complete TCB. Thus, the TNI [2] deals with a single policy supported across
multiple components and a single TCB partitioned across multiple components. The TNI [2] supports
evolving systems only to the extent that added components do not invalidate the NTCB.
The TNI [2] acknowledges the existence of interconnected, accredited AISs and states that "it may not be
practical to evaluate such a network using this interpretation or to assign it a trusted system rating." The
TNI [2] Appendix C describes the rules for connecting separate accredited AISs and the circumstances in
which these rules apply. Included in this description is a discussion of operational security policy, though
not specifically stated as such, in the form of interconnection rules and the cascading problem.
2 PROPOSED APPROACH
As was stated earlier, it is not designers and (product) evaluators to whom this paper is directed. This
paper, and its concepts, is directed to procurement initiators, certification evaluators, and DAAs. Further,
we are dealing with the difficult case where the system being considered is an existing, evolving, multiple
policy system, is being dealt with.
Reference [1] strongly makes the point that:
Design and Analysis of Systems Proceeds from Policy to Mechanisms.
The TCSEC [4], the TNI [2], and the TDI [3] incorporate the Bell-La Padula rules for implementing the
DoD security policy. The policy from which we begin here is the organization's operational security
policy, which assumes the Bell-La Padula model and assigns the required security variables to elements of
the system. A way to ensure a proper statement of the operational policy is through Domains of Constant
Policy (DOCPs). In the rest of this section we will do the following:
o Define domains of constant policy in such a way that it addresses evolution, multiple policy, and
shared risk in connected systems.
o Address interface policy required between intercommunicating DOCPs.
o Address global policy and its application to systems where global policy has not previously been
concern.
The idea of domains of constant policy was presented in [10] as a way to better test systems. It was
expanded in [11] to deal with requirements definition in a phased build.
2.1 DOMAINS OF CONSTANT POLICY (DOCPs)
The primary reason for defining DOCPs is to have an entity analogous to a single policy system to which
a division/class of the TCSEC [4] applies. Thus, for each DOCP, our goal is to identify or provide a set of
mechanisms and a level of assurance that would satisfy the prescribed division/ class. If this is done
properly, certification evaluation can make the statement that the requirements of the division/class have
been satisfied for this DOCP.
Simply defined, a DOCP is that part of a system to which a single, unique operational security policy has
been defined. It follows then that DOCPs are nonoverlapping subsets of the system, that, in combination,
completely cover the system, as shown in Figure 3. More rigorously defined, a DOCP consists of a well-
defined boundary (where an isolation mechanism exists or can be employed) and an n-tuple of policy
defining security characteristics. (The isolation is required to ensure that communications is taking place
only over the known, designated channels.)
Each DOCP will have a TCB for support of its own security requirements, however, some of the
mechanisms (e.g., audit) may be shared with another DOCP. The boundary may be created by physical
isolation or logical isolation (e.g. supported by the TCB reference monitor, defined by cryptographic
isolation, or use of guard isolation). The n-tuple that represents operational policy can be simple
(clearance and classification levels) or complicated (with categories and other parameters). For the
purposes of this document, the basic portion of the n-tuple will be values of the parameters:
Minimum classification of data
Maximum classification of data
Minimum security clearance
Maximum security clearance
Categories (compartments/caveats)
Build status (existing, EPL [6] product, to be built)
Level of assurance achieved (EPL [6] evaluation at some level, certification evaluation at some level,
none, other).
The derived portion of the n-tuple will be the values of the parameters:
Risk index
Exposed risk index due to cascading (discussed further in section 3)
Mode
TCSEC [4] division/class.
Some clarifying comments should be made at this point of the discussion:
o One possible policy is "no policy," e.g., no confidentiality requirement, thereby requiring no trust
technology.
o This approach does not preclude using TNI [2] and TDI [3] approaches in any way. It does, however,
deal with the cases in which they cannot be employed. In the case of an NTCB, all policies are
incorporated into a single DOCP. In the case of the TDI [3], one DOCP depends on the mechanisms of
another DOCP to satisfy its TCB requirements.
o A DOCP is a working entity in the sense that (as will be seen later) tradeoff decisions concerning
policy, costs, and mechanisms may make it necessary to change the operational policy and therefore the
DOCPs.
o No attempt has been made here to deal with integrity or denial of service in this document, however
such an extension has been included in a straight forward manner elsewhere.
The reasons DOCP use is recommended as the conceptual approach in existing, evolving systems
instead of TCBs (TCB subsets or peer entity TCBs) are as follows:
o It offers a more concrete definition and intuitive notion to procurement administrators and DAAs.
o It enforces the statement of operational policy.
o Since the operational policy is defined by the using organization, then so are the DOCPs.
o It enforces precise system covering boundary definition.
o It is not constrained to components.
o It allows, and in fact encourages, cost risk tradeoffs and iteration of operational policy assignment.
o It allows application to the pre TCSEC [4], pre TNI [2] and/or pre TDI [3] systems where the
definitions of TCB must be interpreted.
o It does not preclude, and in-fact supports, use of the NTCB or TCB subsetting requirements of the
TNI [2] and TDI [3] respectively.
o It forces consideration of cascading, interface policy based on mutual suspicion, and global
considerations, where in general no formal global policy has been enforced or evaluated for the connected
system.
o It accommodates/promotes the use of EPL [6] products since the basic building block entity of a
system (a DOCP) has a single policy represented by a division/class requirement of the TCSEC [4].
o It addresses security interface requirements which must be satisfied if an EPL [6] product component
is going to be integrated into the overall security of the AIS system, which may in turn contain other EPL
[6] products, existing secure systems, or "to be custom built" specifications.
The rest of this section will deal with some of the specific considerations in the DOCP approach.
2.1.1 Mechanisms
The mechanisms associated with a DOCP are illustrated in Figure 4. They correspond to what is required
by the TCSEC [4]. The asterisks on the figure identify mechanisms that require global consideration.
There are times in which the mechanism that satisfies the requirements of the domain of constant policy is
actually outside the domain. This is equivalent to the dependencies that a less primitive TCB subset may
have, as stated in the TDI [3]. For example, users might be identified in a different place or audit data may
actually be collected and analyzed outside the domain. These mechanisms still must be assured to meet
the requirements of this particular DOCP. The concept of global mechanisms will be discussed in Section
2.3.
2.1.2 Kinds of Isolation
Isolation, as referred to in the TCSEC [4], involves the responsibility within the TCB to provide isolation
of separate domains under its control in response to the single security policy which it must support. This
is usually done by the reference monitor, but other parts of the TCB also play a role. In many current
implemented evolving multi-policy systems, the controls that represent the single TCBs have been
individually certified, however, because no system level certifications have been accomplished,
deficiencies exist at the data interfaces and in the policies that support those interfaces. Here, we are
expanding beyond what is required of a single TCB to a more global consideration, that is, the isolation of
individual Domains of Constant Policy from one another.
There are forms of isolation, other than logical, that exist in addition to what is accomplished by the
reference monitor. They include electronic isolation, cryptographic isolation, and guard enforced
isolation, each of which can be used effectively to separate DOCPs.
2.1.3 Phased Build
The "build" type and time are used as parameters in determining DOCPs. Any part of the system that
exists and is being used in support of the operational mission has undergone the scrutiny of the
certification/accreditation process (perhaps more than once) and has been used in the operational
environment. Anything existing probably was built under a different set of rules than the ones that
currently apply (TNI [2], TDI [3], and even in a few cases, TCSEC [4]). The existing part of the system may
be further broken into several DOCPs because of policy differences.
An EPL [6] product is known to precisely follow the letter of the evaluated division/class from the TCSEC
[4], and, if applicable, as interpreted by the TNI [2] or the TDI [3]. It will be assured to have the level of
trust accorded that division/class rating in a non-application environment. The greatest difficulty is the
adaptation to a more specific set of operational policies, its connectivity to other elements of the system,
and their mutual satisfaction of the set of required global policies.
Any portion of the system to be built or modified (including the modification of an EPL [6] product)
carries with it the highest risk. There are many reasons for this, not all of which apply to each specific
development situation. The portion to be built may be complex or may require division into several
DOCPs, thereby introducing technical risk. Contractors often have many requirements to satisfy, in
addition to security, that may dilute the contractor's ability to provide security requirements with
sufficient emphasis. The security experience of the design team is often not as great as it is in a continuing
product line, thereby introducing additional risk. The requirements and guidance to the contractor for
special security requirements within an application are often not as succinct as those provided by NSA in
DoD 5200.28-STD [4] for a product to be evaluated. In a custom development, more cost risk exists
because it is a one-time expenditure. Overruns in the development of a secure product can be amortized
over many copies.
Note that there may be a great difference in assurance provided between existing systems, EPL [6]
products, and developmental systems. This is considered as a separate factor in the next section. The
boundaries of build type and homogeneous assurance often coincide.
2.1.4 Levels of Assurance
Even though the same division/class functional requirements are used, for any two parts of a given
system, there may still be a disparity between the quality and completeness of assurance.
Factors include whether it is an approved EPL [6] product or a custom component, development
configuration management, the qualifications of the people performing assurance functions, the
environment of assurance, or the size and complexity of the system. One approach to measure and
compensate for differences is to develop some criteria (e.g., figure-of-merit) for assurance, consider the
figure-of-merit as a risk factor, and take action on those portions of the system that have the highest risk
factors as funds become available. The action alternatives can be to shut down and rebuild the system,
retest, upgrade and retest again, or change the operational policy that is supported. The following is a list
of some of the measurement topics that can be employed in the figure-of-merit determination, in addition
to what is stated in the TCSEC [4]:
o Point in time of development and evaluation with respect to publication and acceptance of the
TCSEC [4], the TNI [2], the TDI [3] and other pertinent guidance documents.
o Time expended in assurance functions.
o Amount, quality, consistency, and completeness of evidence.
o Skill of team: academic, training, experience (EPL [6] product versus one-time build).
o Development and usage environment.
o Resolution of problems discovered (exception handling).
o The degree/quality of configuration control.
2.1.5 Policy Iteration
There is a high functional dependency between mechanism cost, security risk, and the functional
assignment of operational policy; and therefore the allocation of DOCPs. There is normally an increase in
number of TCBs with more DOCPs. This means more mechanisms and a higher security cost. However,
more DOCPs can more closely model involved operational policies and therefore probably decrease the
risk of policy violation.
If policy is changed to combine what used to be two DOCPs by broadening the policy range of each
DOCP onto one DOCP, there can be an accompanying cost savings. The broadened policy range most
often is accompanied by a risk increase (as illustrated by the risk assessment procedure in enclosure 4 of
DoDD 5200.28 [7]). This risk increase for a new acquisition might drive the new single DOCP to support
a higher division/class, thereby potentially increasing costs. In other cases, mutual boundaries can be
moved to decrease mechanism cost.
Stated another way, two connected DOCPs will each have a risk index less than or equal to the risk index
of a DOCP formed by combining them (e.g., two system high DOCPs have less than or equal risk than one
two level DOCP.) Increasing the number of DOCPs has the potential to decrease the assessed risk, and
never to increase it. Remember, the statements above are made without considering mechanisms.
The DAA must go through a cost/risk tradeoff and iteration procedure until he/she finds the appropriate
operational policy (i.e., assignment of DOCPs) that best meet the needs of his/her system.
These are not new ideas. A system high or dedicated security mode is normally a combining of multiple
policies to decrease mechanism cost. Nevertheless, in so doing, operational flexibility is decreased and
the risk to operational security is increased by potentially creating a sizable downgrade problem.
2.2 INTERFACE POLICY
A system strictly designed and developed according to the subset TCB concept defined by the TDI [3] or
the Network TCB concept of the TNI[2] need not consider additional interface or global policy. However,
in situations where individual accredited entities have been connected, both interface policy and global
policies must be supported. Interface policy will be discussed in this section and global policy will be
discussed in Section 2.3.
In particular, there needs to be an explicit interface policy considered between each DOCP and every
other DOCP with which it communicates. The interface policy can be thought of as an augmentation to
the exportation policy of the TCSEC [4], however, in many cases, both exportation and importation
concerns are expressed. The need for a trusted path to share and mediate security variables also should
be assessed.
2.2.1 Communications Responsibility - Sending
In communications data, a DOCP must support intercommunication (exporting) policies established by
its division/class.
A DOCP has two interface responsibilities: 1) it must ensure that data it sends continues to be supported
by the policies imposed on it, and 2) it must appropriately handle data it receives based on any policy
information known about that data.
External, intercommunicating domains of constant policy (physically interfacing or not) are of two types:
virtual communication channels and trusted absorbing nodes. If the sending DOCP somehow specifies a
destination other than a physically connected DOCP and the intermediate DOCPs have the primary
responsibility of seeing that the data (and often its policy) proceeds to its correct destination, the
intermediate DOCPs are virtual communication channels. It is up to the sending DOCP to ensure that the
virtual communications channels and the destination can be trusted to transfer the data according to its
policy.
A trusted absorbing node is a DOCP somewhere in the path to the destination that can be trusted to
receive the data, properly interpret the policy, and incorporate the policy for that data into its TCB. If this
is not the final destination of the data, the trusted absorbing node assumes the security responsibility. An
intercommunicating DOCP may be considered both a virtual communications channel and a trusted
absorbing node depending on the circumstances. Often the determination is difficult. The most
conservative approach, if there is any question, is to treat the intermediate node as a virtual
communication channel.
Policy must be established with the eventual data recipient or the first intermediate trusted node. The
policy can be discretionary and or mandatory and includes categories (compartments, caveats, need to
know). The responsibility for establishing the policy, linking it with the data, and assuring proper
understanding by the receiver is that of the sender. Policy can be preestablished based on data
identification through DOCP agreements, it can be communicated via labels, or it can be communicated
and implemented manually by security administrators.
Sending DOCPs must be assured that data is being released into a system that can be trusted to interpret
and carry out the policy. Factors to consider include the potential for eavesdropping, spoofing, or policy
alteration.
2.2.2 Communications Responsibility - Receiving
Once data is in the possession of a trusted node or receiving DOCP, it becomes the responsibility of that
DOCP's TCB to impose its knowledge of the policy on that data and treat it accordingly. Suspected or
actual violations of interface policy must be treated as a special case and the data must be protected.
2.2.3 Exposed Risk
A DOCP may not be affordably and certifiably able to support division/class increases determined by
considering exposed risk. Special communications mechanisms or added protection features within the
potentially receiving DOCP may help to ameliorate this situation. This can provide an operational
solution that must be agreed to by the potentially sending DOCP. In any case, the DAA from the sending
DOCP ultimately has responsibility for the decision.
2.2.4 Mutual Suspicion
A sending DOCP must establish interface policy consistent with the level of trust it has established for
potentially receiving DOCPs. If the level of trust determined does not coincide with the certification and/
or accreditation level given that DOCP, the sending DOCP should further restrict the communication
policy, beyond that normally implied by the TCSEC [4] and its interpretations, to a level where the
sending DOCP is willing to accept the remaining risk. Similarly, if a receiving DOCP cannot trust the
content or policy associated with data provided by another DOCP, then a receipt and handling policy
must be established consistent with the risk the receiving DOCP is willing to accept. This policy may be
more restrictive than required by the TCSEC [4] and its interpretations.
2.3 GLOBAL POLICY
These considerations pertain to systems for which there can be or has been no accreditation against a well
defined global policy such as those stated in the TDI[3] TCB subset policy and the TNI [2] NTCB policy.
2.3.1 Shared Mechanisms
If TCBs share mechanisms (e.g., identification/authentication or audit) each individual TCB must be
accredited with both using that mechanism. The DAA must use the evidence from those accreditations to
ensure consistency with interface policy between the entities and any less primitive policy of which this
shared mechanism is a part.
2.3.2 Discretionary Access Control
To be secure, the entire connected system should satisfy a single discretionary access control policy. This
can only be accomplished by isolation of objects under protection of a single TCB to the subjects within
that TCB. Otherwise, it must be accomplished by sharing access control mechanisms or sharing access
control information between mechanisms. In older systems that do not allow subjects to access objects in
other systems, this requirement is often satisfied because only standard messages are formatted and
allowed to be transmitted. In these cases the subjects do not have access to objects beyond the scope of
their own TCB.
2.3.3 Identification/Authentication
Even if each TCB has its own data for identification and authentication, the information for individual
users that may potentially request access in more than one TCB or may have access to objects in more than
one TCB must be consistent. The individual cannot assume more than one identity or be performing two
functions simultaneously (unless the system has accounted for such support).
2.3.4 Audit
There must be a way to associate audit records generated by different TCBs for the same individual
subject.
2.3.5 Security Administrator
Someone must be assigned the authority and assume the responsibility of security administrator for each
of the TCBs. In addition, a security administrator must represent the authority of each hierarchical stage
of DAAs.
2.3.6 Recovery
Implications of failure of one of the component TCBs must be reviewed from the standpoint of impact to
all of the other intercommunicating entities. A way to cooperatively shut down and recover in a secure
manner must exist.
2.3.7 Global Noncompliance
A TCB that has not been assured of external compliance with global considerations, yet still has been
allowed to operate within a connected system, must be treated as a risk within itself, to other connected
TCBs, and to the system.
3 RISK MANAGEMENT
Several topics of risk management are discussed in this section, including the following:
o Propagated risk assessment to account for cascading risk.
o Policy iteration to optimize operational policy resulting from this assessment.
o Assessment of the risk once the protection mechanisms have been determined.
o Design iteration to again adjust the operational policy based on the cost risk analysis.
Many of these concepts of propagated risk were previously presented in [12].
3.1 PROPAGATED RISK ASSESSMENT
One small part of the risk management process is the risk assessment procedure identified in DoDD
5200.28, enclosure 4 [7], and the resultant action taken by the DAA. The risk assessment procedure
proposed here is a simple extension to the procedure in that enclosure, treating cascading risk in its
simplest interpretation. By-products are summed contributions of risk that are management flags to the
DAA indicating which elements of his/her system are the major risk contributors.
The risk assessment procedure is similar to that in "Trusted Network Interpretation Environments
Guideline [8]," except that this document recognizes that cascading risk does not just result from
contiguous components.
The risk inherent to a DOCP is calculated from DoDD 5200.28, enclosure 4 [7], as if the DOCP were in
isolation, and is called inherent risk. The exposed risk is the amount of change (increase) in DOCP risk
resulting from consideration of cascading risk from all other DOCPs. This parameter may result in a
change to the risk index and potentially assigned division/class. In the search for increased exposed risk,
the search may end along a single path once a previously evaluated trusted absorbing node is
encountered. Otherwise the search is to each logical receiver of data.
Contributed risk is the summed amount of increase in exposed risk potentially contributed by a single
DOCP to all other DOCPs. (Two DOCPs could potentially change the risk level of a third DOCP from its
original level, but in the analysis technique, only one actually does. Nevertheless, they both receive an
increase in contributed risk.) Solely contributed risk is the risk contributed by a DOCP which could not
have been also contributed by another DOCP.
Cascading risk is determined by the exposed risk factor. This parameter results in a change to the risk
index and potentially the assigned division/class. the exposed risk can only be decreased by changing
either the local operational policies or the operational policies of the contributing DOCPs. The
contributed risk factors are an indicator to the DAA where the changing of policy or the
implementation of mechanisms (e.g., security guards), for example, can do the most good in reducing
the risk of the overall system.
The four risk factors (risk index, exposed risk index, contributed risk, and solely contributed risk) become
part of the system "operational security policy." The procedure in DoDD 5200.28 enclosure 4 [7] deals
only with security levels and clearances.
3.2 POLICY ITERATION
Before mechanisms are considered in the solution, Figure 5 shows how the operational requirements
specification can be iterated, along with the definitions of DOCPs, based on risk considerations. The two
contributed risk factors help identify to the DAA the areas where changes in operational policy can have
the largest risk reduction advantage. The propagated risk assessment is reaccomplished to assess the
shared risk aspects of the adjustments.
3.3 PROTECTION ASSESSMENT
The next step considers existing or planned security mechanisms. Compatibility with division/class
criteria, use of downgrade guards, existence of interface enforcement mechanisms, and the approach to
global enforcement are all important considerations. Temporal inconsistencies and potential
vulnerabilities are assessment concerns, as are trusted startup, shutdown and recovery.
Besides protection mechanism assessment, there needs to be an assessment of assurance. This includes
determining the evaluation rigor used, or planned to be used, in testing and evaluating the DOCP. This
assessment uses the figures-of-merit approach discussed earlier.
3.4 DESIGN ITERATION
The second iteration, illustrated in Figure 6, like the first iteration, allows reexamination of the process all
the way back to the specification of operational policy, modification of DOCPs, and respecification of
interface policies to the identification mechanisms. The two contributed risk factors again help identify to
the DAA areas where changes in operational policy can have the largest risk and cost reduction
advantage. The protection assessment can be reaccomplished. What remains is a statement of the
residual risk within the system. The DAA must determine what additional corrections or operational
constraints must be observed to declare the system accredited to operate in the environment. The final
statement of operational security policy and mechanism architecture is then used as the basis for
certification evaluation and accreditation.
4 SUMMARY
This paper has introduced a way to deal with evolving, multipolicy systems using the TCSEC [4]. Rules
are provided for the assembly and assurance of existing, new build, and EPL [6] components. This
approach considers cascading risk and accommodates operational downgrade through data guards, an
approach often used by the military to eliminate unnecessary policy constraints. This approach
incorporates risk assessment. It provides an easily recognized strategy to the DAA for reducing risk with
the minimum expenditure of funds. This approach also specifies assurance deficiencies in the system and
helps to provide a strategy for correcting these deficiencies.
The domains of constant policy approach is a major step toward achieving the security recommended in the network
TCB approach of the TNI [2] and the TCB approach recommended in the TDI [3] for evolving systems. In many
cases the goal can be achieved without major redesign of existing systems. As systems continue to evolve, adding
more function and capability, rigorous security goals can be realized.
BIBLIOGRAPHY
[1] C Technical Report 32-92, "The Design and Evaluation of INFOSEC Systems: The Computer
Security Contribution to the Composition Discussion," June 1992
[2] NCSC-TG-005, "Trusted Network Interpretation (TNI) of the Trusted Computer System Evaluation
Criteria(TCSEC)," National Security Agency, July 31, 1987
[3] NCSC-TG-021 "Trusted Database Management System Interpretation (TDI) of The Trusted
Computer System Evaluation Criteria (TCSEC)," National Security Agency, April 1991
[4] DoD 5200.28-STD, "Department of Defense Trusted Computer System Evaluation Criteria,"
December 1985
[5] NCSC-TG-024, Version 1
Volume 1/4, "A Guide to Procurement of Trusted Systems: An Introduction to Procurement
Initiators on Computer Security Requirements," December 1992
Volume 2/4, "A Guide to Procurement of Trusted Systems: Language for RFP Specifications and
Statements of Work - An Aid to Procurement Initiators," June 30, 1993
Volume 3/4, "A Guide to Procurement of Trusted Systems: Computer Security Contract Data
Requirements List and Data Item Descriptions Tutorial," February 28, 1994
Volume 4/4, "A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal
Document - An Aid to Procurement Initiators and Contractors," (Draft)
[6] "Information Systems Security Products and Services Catalogue," Prepared by the National
Security Agency, (Published Quarterly)
[7] DoD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs),"
March 21, 1988
[8] NCSC-TG-011, "Trusted Network Interpretation Environments Guideline," National Security
Agency, August 1, 1990
[9] DoD 5200.28-M, (Draft) "Automated Information System Security Manual," April 29, 1991
[10] Johnson, H.L., "An Approach to Security Test," AFCEA 4th Annual Symposium on C3I
Technology, Information and Security, Philadelphia, PA, August 16-18, 1988
[11] AFSSM 5031, "Complex System Guide," Air Force Special Security Instruction," Air Force
Cryptologic Support Center, Air Force Intelligence Command, 1991
[12] Johnson, H.L., and J.D. Layne, "Modeling Security Risk in Networks," Proceedings 11th National
Computer Security Conference, NIST and NCSC, October 17-20, 1988, pp. 59-64
ACRONYMS
AIS Automated Information System
COMPUSEC Computer Security
DAA Designated Approving Authority
DOCP Domain of Constant Policy
DoD Department of Defense
EPL Evaluated Products List
INFOSEC Information Security
NTCB Network Trusted Computing Base
RFP Request for Proposal
TCB Trusted Computing Base
TCSEC Trusted Computer System Evaluation Criteria
TDI Trusted Database Management System Interpretation
TNI Trusted Network Interpretation
GLOSSARY
Automated Information System - An assembly of computer hardware, software, and/or firmware
configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or
information. (DoDD 5200.28)
Automated Security Policy - The set of restrictions and properties that specify how an AIS supports the
Security Policy.
Certification - The technical evaluation of an AIS's security features and other safeguards, made in
support of the accreditation process, which establishes the extent that a particular AIS design and
implementation meets a set of specified security requirements. (DoDD 5200.28)
Certification Evaluation - (See Certification and Evaluation)
Contributed Risk - The summed amount of increase in exposed risk to all other DOCPs potentially
contributed by a single DOCP.
Depends - A TCB subset depends (for its correctness) on TCB subset B if and only if the (engineering)
arguments of the correct implementation of A with respect to its specification assume, wholly or in part,
that the specification of B has been implemented correctly. (NCSC-TG-021)
Domain - The unique context in which a program is operating; in effect, the set of objects that a subject has
the ability to access.
Domain of Constant Policy - That part of a system to which a single, unique operational security policy
has been defined. DOCPs are nonoverlapping subsets of the system, that, in combination, completely
cover the system. A DOCP consists of a well-defined boundary (where an isolation mechanism exists or
can be employed) and an n-tuple of policy defining security characteristics.
Evaluation - Two types of evaluation are referred to: product evaluation and certification evaluation.
Exposed Risk - The amount of change (increase) in DOCP risk resulting from consideration of cascading
risk from all other DOCPs. This parameter results in a change to risk index and potentially the assigned
division/class.
Inherent Risk - Calculated risk for the element as if it were in isolation.
Network Trusted Computing Base - The totality of the protection mechanisms within a network system -
including hardware, firmware, and software - the combination of which is responsible for supporting
security policy. (NCSC-TG-005)
NTCB Partition - The totality of mechanisms within a single network component for enforcing the
network policy, as allocated to the component; the part of the NTCB within a single network component.
Operational Security Policy - The policy decisions made by the DAA in accordance with DoDD 5200.28
(policy concerning security levels of user, classifications of data, security mode and assignment of all the
above to different elements of the system). (NCSC-TG-005)
Primitive - An ordering relation between TCB subsets based on dependency (see "depends" above). A
TCB subset B is more primitive than a second TCB subset A (and A is less primitive than B) if (a) A
directly depends on B or (b) a chain of TCB subsets from A to B exists such that each element of the chain
directly depends on its successor in the chain. (NCSC-TG-021)
Product - Used here in the same sense as used in the EPL, NSA Information System Security Products and
Services Catalogue.
Product Evaluation - An evaluation performed on the hardware and software features and assurances of a
computer product from a perspective that excludes the application environment. This term is used here
in the same sense as used in the EPL, NSA Information System Security Products and Services Catalogue.
Regulatory Security Policy - Security policy represented by regulatory documents imposed on the
procurement organization (especially DoDD 5200.28, DoD 5200.28-M, and DoD 5200.28-STD).
Security Evaluation - An evaluation accomplished to assess the degree of trust that can be placed in
systems for the secure handling of sensitive information. One type, a product evaluation, is an evaluation
performed on the hardware and software features and assurances of a computer product from a
perspective that excludes the application environment. The other type, a system evaluation, is done for
the purpose of assessing a system's security safeguards with respect to a specific operational mission and
is a major step in the certification and accreditation process.
Security Policy - The set of laws, rules, and practices that regulate how an organization manages, protects,
and distributes sensitive information.
Solely Contributed Risk - The risk contributed by a DOCP to another DOCP that was not also contributed
by another DOCP.
System - (See Automated Information System)
TCB Subset - A set of software, firmware, and hardware (where any of these three could be absent) that
mediates the access of a set S of subjects to a set O of objects on the basis of a stated access control policy P
and satisfies the properties:
(1) M mediates every access to objects O by subjects in S,
(2) M is tamper resistant; and,
(3) M is small enough to be subject to analysis and tests, the completeness of which can be assured.
(NCSC-TG-021)
Trusted absorbing Node - A DOCP somewhere in the path from the sending DOCP to the destination
DOCP that can be trusted to receive the data, properly interpret the policy, and incorporate the policy for
that data into its TCB. If this is not the final destination, the trusted absorbing node takes the security
responsibility from the sending DOCP from that point on. It is the responsibility of the sending DOCP to
communicate the data, the recipient DOCP, and the appropriate policy to the trusted Absorbing Node.
Trusted Computing Base (TCB) - The totality of protection mechanisms within a computer system -
including hardware, firmware, and software, the combination of which is responsible for enforcing
security policy.
Virtual Communications Channel - If a sending DOCP somehow specifies a destination other than a
physically connected DOCP, and the intermediate DOCPs each have the responsibility of seeing that the
data (and often its policy) gets to its correct destination, these DOCPs are called virtual communication
channels. It is up to the sending DOCP to be assured that the virtual communications channels and the
destination can be trusted to transfer the data according to its policy.