Which Orange Book evaluation level is described as “Structured Protection”?

A.
A1

B.
B3

C.
B2

D.
B1

Explanation:
Class B2 corresponds to Structured Protection.
Division B – Mandatory Protection
Mandatory access is enforced by the use of security labels. The architecture is based on the BellLaPadula security model and evidence of the reference monitor enforcement must be available.
B1: Labeled Security Each data object must contain a classification label and each subject must
have a clearance label. When a subject attempts to access an object, the system must compare
the subject and the object’s security labels to ensure the requested actions are acceptable. Data
leaving the system must also contain an accurate security label. The security policy is based on an
informal statement and the design specifications are reviewed and verified. It is intended for
environments that handle classified data.
B2: Structured Protection The security policy is clearly defined and documented and the system
design and implementation is subjected to more thorough review and testing procedures. This
class requires more stringent authentication mechanisms and well-defined interfaces between
layers. Subject and devices require labels, and the system must not allow covert channels. A
trusted path for logon and authentication processes must be in place, which means there are no
trapdoors. There is a separation of operator and administration functions within the system to
provide more trusted and protected operational functionality. Distinct address spaces must be
provided to isolated processes, and a covert channel analysis is conducted. This class adds
assurance by adding requirements to the design of the system. The environment that would
require B2 systems could process sensitive data that requires a higher degree of security. This
environment would require systems that are relatively resistant to penetration and compromise.
B3 Security Domains In this class, more granularity is provided in each protects mechanism and
the programming code that is not necessary to support the security is excluded. The design and
implementation should not provide too much complexity because as the complexity of a system
increases, the ability of the individuals who need to test, maintain, and configure it reduces; thus,
the overall security can be threatened. The reference monitor components must be small enough
to test properly and be tamperproof. The security administrator role is clearly defined and the
system must be able to recover from failures without its security level being compromised. When

the system starts up and loads its operating system and components, it must be done in an initial
secure state to ensure any weakness of the system cannon be taken advantage of in this slice of
time. An environment that requires B3 systems is a highly secured environment that processes
very sensitive information. It requires systems that are highly resistant to penetration.
Note: In class (B2) systems, the TCB is based on a clearly defined and documented formal
security policy model that requires the discretionary and mandatory access control enforcement
found in class (B1) systems be extended to all subjects and objects in the ADP system. In
addition, covert channels are addressed. The TCB must be carefully structured into protectioncritical and non-protection-critical elements. Class B corresponds to “Structured Protection” inside
the Orange Book.