Rainbow Series
The Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.
Objective
These standards describe a process of evaluation for trusted systems. In some cases, U.S. government entities (as well as private firms) would require formal validation of computer technology using this process as part of their procurement criteria. Many of these standards have influenced, and have been superseded by, the Common Criteria.
The books have nicknames based on the colors of their covers. For example, the Trusted Computer System Evaluation Criteria was referred to as "The Orange Book." In the book entitled Applied Cryptography, security expert Bruce Schneier states of NCSC-TG-021 that he "can't even begin to describe the color of [the] cover" and that some of the books in this series have "hideously colored covers." He then goes on to describe how to receive a copy of them, saying "Don't tell them I sent you."
Most significant Rainbow Series books
Document | Title | Date | Color
---|---|---|---
5200.28-STD | DoD Trusted Computer System Evaluation Criteria | | Orange Book
CSC-STD-002-85 | DoD Password Management Guideline | | Green Book
CSC-STD-003-85 | Guidance for Applying TCSEC in Specific Environments | | Light Yellow Book
CSC-STD-004-85 | Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements | | Yellow Book
NCSC-TG-001 | A Guide to Understanding Audit in Trusted Systems | | Tan Book
NCSC-TG-002 | Trusted Product Security Evaluation Program | | Bright Blue Book
NCSC-TG-003 | Discretionary Access Control in Trusted Systems | | Neon Orange Book
NCSC-TG-004 | Glossary of Computer Security Terms | | Teal Green
NCSC-TG-005 | Trusted Network Interpretation | | Red Book
NCSC-TG-006 | Configuration Management in Trusted Systems | | Amber Book
NCSC-TG-007 | A Guide to Understanding Design Documentation in Trusted Systems | | Burgundy Book
NCSC-TG-008 | A Guide to Understanding Trusted Distribution in Trusted Systems | | Dark Lavender Book
NCSC-TG-009 | Computer Security Subsystem Interpretation of the TCSEC | | Venice Blue Book
NCSC-TG-010 | A Guide to Understanding Security Modeling in Trusted Systems | | Aqua Book
NCSC-TG-011 | Trusted Network Interpretation Environments Guideline (TNI) | | Red Book
NCSC-TG-013 | RAMP Program Document | | Pink Book
NCSC-TG-013 V2 | RAMP Program Document version 2 | | Pink Book
NCSC-TG-014 | Guidelines for Formal Verification Systems | | Purple Book
NCSC-TG-015 | Guide to Understanding Trusted Facility Management | | Brown Book
NCSC-TG-016 | Guidelines for Writing Trusted Facility Manuals | | Yellow-Green Book
NCSC-TG-017 | Identification and Authentication in Trusted Systems | | Light Blue Book
NCSC-TG-018 | Object Reuse in Trusted Systems | | Light Blue Book
NCSC-TG-019 | Trusted Product Evaluation Questionnaire | | Blue Book
NCSC-TG-020 | Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System | | Silver Book
NCSC-TG-021 | Trusted Database Management System Interpretation of the TCSEC (TDI) | | Purple Book
NCSC-TG-022 | Trusted Recovery in Trusted Systems | | Yellow Book
NCSC-TG-023 | Security Testing and Test Documentation in Trusted Systems | | Bright Orange Book
NCSC-TG-024 Vol. 1/4 | Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements | | Purple Book
NCSC-TG-024 Vol. 2/4 | Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work | | Purple Book
NCSC-TG-024 Vol. 3/4 | Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description | | Purple Book
NCSC-TG-024 Vol. 4/4 | Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document | Publication TBA | Purple Book
NCSC-TG-025 | Guide to Understanding Data Remanence in Automated Information Systems | | Forest Green Book
NCSC-TG-026 | Writing the Security Features User's Guide for Trusted Systems | | Hot Peach Book
NCSC-TG-027 | Information System Security Officer Responsibilities for Automated Information Systems | | Turquoise Book
NCSC-TG-028 | Assessing Controlled Access Protection | | Violet Book
NCSC-TG-029 | Certification and Accreditation Concepts | | Blue Book
NCSC-TG-030 | Covert Channel Analysis of Trusted Systems | | Light Pink Book
In popular culture
The 1995 movie Hackers contained a reference to the Rainbow Books that showed Dade naming off a series of six books, the second of them being the Orange Book ("Computer security criteria, DoD standards") and the sixth being the Red Book ("NSA Trusted Networks. Otherwise known as the Ugly Red Book that won't fit on a shelf") from this series. Phreak called them "those Crayola books" and Cereal replied, "Oh yeah, Technicolor rainbow." However, other books, such as the Peter Norton "pink shirt book", are not part of the Rainbow Series.
External links
- Rainbow Series from Federation of American Scientists, with more explanation
- Rainbow Series from Archive of Information Assurance