Orange Book, Still relevant?

havoc64 Member Posts: 213
I have been told that the Orange Book, Trusted Computer System Evaluation Criteria, has been replaced by the Common Criteria on the test. Looking at the Official CBK, it seems to confirm that.

Can anyone confirm this to be true?

Comments

  • Eburon Member Posts: 29
    I believe so. And I think that (only) CC is well-testable. I mean on the exam.
  • havoc64 Member Posts: 213
    Yeah, I had heard that as well.
  • gespenstern Member Posts: 1,243
    Passed CISSP last year and ISSAP this year -- no TCSEC, lots of CC.
  • apr911 Member Posts: 380
    According to all sources I've found, TC-SEC is still on the exam.

    The last announced CBK revision, which took effect on 15 April 2015, did not remove TC-SEC from the CBK.

    Although TC-SEC has been superseded, there is still a fair amount within it that you should at least be familiar with as it is still relevant today.

    CCCure just published a quick one page review of the important parts of TC-SEC
    https://cccure.training/m/articles/view/One-page-TCSEC-resume-for-your-CISSP-Exam

    As they described it:
    "The TCSEC ratings are still showing up on the exam for sure. You may get one or two questions or you may get none. However, any points are important when you get a score of 698, this is the question that can put you over the passing bar."
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • gespenstern Member Posts: 1,243
    apr911 wrote: »
    CCCure just published a quick one page review of the important parts of TC-SEC
    https://cccure.training/m/articles/view/One-page-TCSEC-resume-for-your-CISSP-Exam

    As they described it:
    "The TCSEC ratings are still showing up on the exam for sure. You may get one or two questions or you may get none. However, any points are important when you get a score of 698, this is the question that can put you over the passing bar."

    ...and how long ago was it posted there?
  • apr911 Member Posts: 380
    Well the link I provided was posted on 9/27/2015 so within the last 3 weeks.

    Granted, the one-page TC-SEC "resume" of things you need to know says it was last updated on 10/28/2007 so take it as you will.

    Like I said originally though, TCSEC is still relevant despite being superseded.

    Additionally, here is the CBK update/exam outline for April 15, 2015 that I referenced previously:
    https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-exam-outline-april-2015.pdf

    TCSEC is still listed under "Security Engineering (Engineering and Management of Security)"
  • gespenstern Member Posts: 1,243
    apr911 wrote: »
    Well the link I provided was posted on 9/27/2015 so within the last 3 weeks.
    The link you provided points to a page that contains links to other related materials, one of which you quoted. Specifically, this: "The TCSEC ratings are still showing up on the exam for sure..." and so on. This material related to the page we are discussing was added 415 days ago as of now, i.e. before the April 2015 revamp. Therefore, it should be at least taken with a grain of salt, or at most disregarded, as TCSEC is too old and has been replaced by CC.
    apr911 wrote: »
    Additionally, here is the CBK update/exam outline for April 15, 2015 that I referenced previously:
    https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-exam-outline-april-2015.pdf

    TCSEC is still listed under "Security Engineering (Engineering and Management of Security)"
    I don't find it there under "Security Engineering"; can you please point to the exact page?

    Bottom line, I don't see any mentions of TCSEC in the "passed" threads that I follow, and I didn't see it in my recent ISSAP exam (plenty of CC though). Based on my experience, I conclude that most likely they finally removed it.

    And just a note: questions on reference monitor, security kernel, isolation and similar concepts are there because they aren't TCSEC-specific; TCSEC questions are the ones which ask you at which level we start checking for covert channels, etc.