| Class |
Description |
| D Minimal Protection |
This section is reserved for products that have been evaluated but failed to meet any of the requirements of higher classes. |
| C Discretionary Protection |
Operating systems in this division provide for discretionary protection of objects by subjects (i.e. users are able to modify access rights on files they own or have been given access to). The systems in this division also include audit capabilities for the accountability of subjects and the actions they initiate. |
| C1 Discretionary Security Protection |
This class incorporates some form of mechanism that allows individual users to control access to their data. |
| C2 Controlled Access Protection |
Systems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions. |
| B Mandatory Protection |
A major requirement of systems in this division is that of a TrustedComputing Base that ensures the integrity of sensitivity labels and uses them to enforce a set of mandatory access control rules throughout the system. |
| B1 Labeled Security Protection |
Class B1 systems are required to accurately label exported information and maintain the integrity of those labels. If a user would print out a document that is classified as confidential, the operating system would make sure that the information's classification is clearly printed on the paper. |
| B2 Structured Protection |
As of this level, formal design and verification methods are part of the requirement. Not only will this strengthen the confidence that the security features are properly implemented, but it will also allow for a more thorough and complete review of the system by the evaluation team. B2 system are relatively resistant to penetration. |
| B3 Security Domains |
The Trusted Computing Base (TCB) is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implemention directed toward minimizing its complexity. The system is relatively highly resistant to penetration. |
A
Verified Protection |
This division is characterized by the use of formal security verification methods to assure that the mandatory and discretionary access controls employed in the system can effectively protect the information stored or processed by the system. |
A1
Verified Design |
A1 level systems are functionally equivalent to B3 systems. Their distinguishing feature is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the Trusted Computing Base is correctly implemented. |
