Configuration Management is a requirement for the following level(s) of the Orange Book?

A.
B3 and A1

B.
B1, B2 and B3

C.
A1

D.
B2, B3, and A1

Explanation:
Configuration Management is a requirement only for B2, B3, and A1.
Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to
a particular system or equipment during its life cycle. In particular, as related to equipment used to process
classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted
Computer Base (TCB).
The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2
through A1 be controlled by configuration management.
Incorrect Answers:
A: Configuration Management is also a requirement in level B2.
B: Configuration Management is not a requirement in level B1. Furthermore, Configuration Management is also
a requirement in level A1.
C: Configuration Management is a requirement in levels B2 and B3.

Krutz, Ronald L. and Russell Dean Vines, The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams,
2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 223
http://surflibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf Page 6-1