🌈 The Rainbow Series and the Rise of Formal Security Policy
By James K. Bishop, vCISO | Founder, Stage Four Security
In the 1980s and 1990s, securing computer systems meant more than antivirus and firewalls. It meant proving—on paper and in practice—that your system could enforce policy. The Rainbow Series, a set of color-coded books published by the U.S. DoD’s National Computer Security Center (NCSC), became the playbook for doing exactly that.
This post examines what the Rainbow Series was, how it influenced technical and policy development, and why its legacy lives on in today’s evaluation standards like Common Criteria and FedRAMP.
📘 What Was the Rainbow Series?
- Authoring agency: NCSC, part of the NSA (established in 1981 as the DoD Computer Security Center and renamed in 1985)
- Timeframe: Early 1980s to mid-1990s
- Purpose: Define and standardize the evaluation of trusted computer systems used in military and government environments
- Total volumes: Over 30 documents, each named for the color of its cover
📕 The Orange Book (1983): The Cornerstone
Officially titled the Trusted Computer System Evaluation Criteria (TCSEC), first published as CSC-STD-001-83 in 1983 and reissued as DoD 5200.28-STD in 1985, the Orange Book defined the core idea of a “trusted system.” It organized security policy, accountability, assurance, and documentation requirements into evaluation classes, so that a vendor's system could be measured against a fixed set of criteria rather than judged ad hoc.
🔒 Key Features
- Security levels: Seven evaluation classes, from D (minimal protection) through C1, C2, B1, B2, and B3 to A1 (verified design); each class adds requirements on top of the one below it
- Mandatory and discretionary access control (MAC/DAC): DAC, owner-controlled permissions on objects, is required from class C1; from B1 upward the system must also enforce MAC using sensitivity labels on subjects and objects, so that policy, not user discretion, has the final say
- Auditing and accountability: From class C2 upward the system must identify individual users and record security-relevant events (logins, object access, use of privilege) in a protected audit trail that can be traced back to the responsible user
- Trusted computing base (TCB): The totality of hardware, firmware, and software responsible for enforcing the security policy; the higher classes require it to be isolated, tamper-resistant, and kept small and simple enough to analyze (B3) and formally verify against a top-level specification (A1)
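The MAC/DAC distinction is easiest to see in code. The following is an added example written for this post, not code from the original article or from any evaluated system: a toy reference monitor that applies the Bell-LaPadula rules the Orange Book's B1 labeling requirement rests on, then the object's discretionary ACL, and records every decision in an audit trail as C2 requires. The users, labels, ACLs and object names are constructed sample data.

```python
"""
Added example (not from the original post, and not any evaluated
system's code): a small model of the Orange Book's access control
requirements. DAC is the owner-controlled permission list required from
class C1; MAC, required from B1, uses sensitivity labels and the
Bell-LaPadula rules the TCSEC adopted. Every decision is written to an
audit trail, as C2 and above require. Users, labels and ACLs below are
constructed sample data.
"""
from dataclasses import dataclass

# Hierarchical classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical level plus a set of
    non-hierarchical categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A's categories
        # include all of B's. This is a partial order: labels with
        # disjoint categories are incomparable, so neither dominates.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula rules behind the B1 MAC requirement."""
    if mode == "read":
        # Simple security property: no read up.
        return subject.dominates(obj)
    if mode == "write":
        # *-property: no write down (a blind write up is allowed).
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode}")


def dac_permits(acl: dict, user: str, mode: str) -> bool:
    """Discretionary check against the object's owner-set ACL."""
    return mode in acl.get(user, set())


# --- constructed sample data (hypothetical users and objects) ----------
SUBJECTS = {
    "alice": Label("SECRET", frozenset({"CRYPTO"})),
    "bob": Label("CONFIDENTIAL"),
}
OBJECTS = {
    "report": Label("CONFIDENTIAL"),
    "ops_plan": Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    "keylog": Label("SECRET", frozenset({"CRYPTO"})),
}
ACLS = {
    "report": {"alice": {"read", "write"}, "bob": {"read"}},
    "ops_plan": {"alice": {"read", "write"}},
    "keylog": {"alice": {"read", "write"}, "bob": {"read", "write"}},
}
AUDIT_TRAIL: list = []  # one record per decision, for accountability


def decide(user: str, obj: str, mode: str) -> bool:
    """Reference-monitor style decision: MAC and DAC must both allow the
    access. DAC can only narrow what the labels permit, never widen it."""
    mac = mac_permits(SUBJECTS[user], OBJECTS[obj], mode)
    dac = dac_permits(ACLS[obj], user, mode)
    allowed = mac and dac
    AUDIT_TRAIL.append({"user": user, "object": obj, "mode": mode,
                        "mac": mac, "dac": dac, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    # alice may read down to the report but not write down to it, even
    # though its ACL grants her write: MAC overrides owner discretion.
    print(decide("alice", "report", "read"))    # True
    print(decide("alice", "report", "write"))   # False
    # bob's label does not dominate SECRET/{CRYPTO}: the ACL grant is moot.
    print(decide("bob", "keylog", "read"))      # False
    # Equal labels, but bob's ACL entry lacks write: DAC narrows the result.
    print(decide("bob", "report", "write"))     # False
    for rec in AUDIT_TRAIL:
        print(rec)
```

The two cases worth noticing are alice's write to `report` (the ACL says yes, the labels say no, and the labels win) and bob's write to `report` (the labels say yes, the ACL says no). That asymmetry, where discretionary permissions can only ever shrink what mandatory policy allows, is what the Orange Book meant by "not just user discretion." Real B1-and-above systems label every object the TCB mediates and handle trusted subjects and label changes, which this toy omits.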
📙📗📒 Notable Companion Volumes
- Red Book (1987): Trusted Network Interpretation (NCSC-TG-005), which applies the TCSEC classes to networked and distributed systems
- Green Book (1985): DoD Password Management Guideline (CSC-STD-002-85), covering password generation, length, lifetime, and protection of the password database
- Tan Book: A Guide to Understanding Audit in Trusted Systems (NCSC-TG-001), explaining what the audit and accountability requirements demand of an implementation
- Purple Book: Guidelines for Formal Verification Systems (NCSC-TG-014), covering the formal specification and verification tools used to meet the A1 assurance requirements
These volumes created a shared vocabulary and methodology for both vendors and evaluators—and laid the groundwork for commercial security certification programs.
🔍 Legacy and Modern Relevance
- Common Criteria (ISO/IEC 15408): Successor to the Orange Book, produced by merging TCSEC with Europe's ITSEC and Canada's CTCPEC; it replaced TCSEC as the evaluation standard for government and defense products in the late 1990s
- FedRAMP and NIST SP 800-53: Carry forward the Rainbow-era emphasis on access control, auditing, and individual accountability, most visibly in the AC (Access Control) and AU (Audit and Accountability) control families
- DoD ATO process: The Authorization to Operate lineage (DITSCAP, then DIACAP, now the Risk Management Framework) still rests on the Rainbow-era premise that a system must demonstrate, with evidence, that it enforces its stated security policy
- Secure development: Formal design specification, a minimized TCB, and least privilege were written into evaluation criteria here, building on earlier work such as Saltzer and Schroeder's 1975 design principles; the same ideas underpin modern threat modeling and secure architecture
📣 Final Thought
The Rainbow Series gave cybersecurity its first real doctrine—a structured way to define, build, and evaluate secure systems. While technology has evolved, many of today’s trust frameworks, compliance standards, and security architectures trace their roots to these colorful pages. If you’ve ever filled out a control matrix, chased an ATO, or deployed SELinux, you’re following a path that began with the Orange Book.
Need help aligning your architecture or compliance strategy to trusted security models? Let’s talk.
