What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria
and requirements of the higher divisions?

A.
A

B.
D

C.
E

D.
F

Explanation:
The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which
was used to evaluate operating systems, applications, and different products. These evaluation criteria are
published in a book known as the Orange Book.
TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A:
Verified protection
B:
Mandatory protection
C:
Discretionary protection
D:
Minimal security
Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
Each division can have one or more numbered classes with a corresponding set of requirements that must be
met for a system to achieve that particular rating.
There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the
criteria and requirements of the higher divisions.
Incorrect Answers:
A: Division A is the highest level.
C: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and
requirements of the higher divisions) is D, not E.
D: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and
requirements of the higher divisions) is D, not F.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393