C2 Security: Some Background

C2-level security is a designation in a computer securitysystem that the US Department of Defense has developed over the past 30 years. The National Computer Security Center(NCSC), an arm of the National Security Administration, began working on security ratings for military computer systemsin 1967. The center published its first report in 1970 and issued its final specifications in the mid-1980s.

Trusted Computer Standards Evaluation Criteria (TCSEC), or the Orange Book, lays out the requirements forsecurity at various levels according to such parameters as the ability of a system to be audited, to control access, andto authenticate users. The Orange Book applies to standalone machines and operating systems. More than 20 subsequentbooks in this Rainbow Series have interpreted the criteria for other system components. The Red Book interprets thecriteria for network components, the Lavender Book for databases.

Security categories are D (minimal protection), B (mandatory protection), C (discretionary protection), and A(verified protection). C2, or controlled access protection, is the lowest that offers viable security. For C2certification, a system must

NCSC developed the criteria for military computer systems; systems used for many federal government projects musthave C2 certification. But today, the broader computer industry is using the Orange Book criteria.