What is C2 certification and what does it mean?

In response to another Ask the Expert response I just saw on the site, what is C2 certification? What does it mean?
The C2 certification is one level in the Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"), one of a series of guides on computer security. The TCSEC described levels of security for computing devices. The thought was that with these levels, these devices could be tested, and the classifications used to help people (primarily the government and government contractors) in their purchasing decisions. The levels were often written into purchasing specifications. Each level specifies areas that must be met in order to qualify, and vendors submit their equipment to third parties for testing against the criteria, which takes time. To configure Windows NT 4.0 to meet the C2 criteria, you can use the checklist published here.

TCSEC was developed in the 1980s in the U.S. A European set of criteria, the Information Technology Security Evaluation Criteria (ITSEC), was developed in the 1990s. More recently, a newer, international certification, "Common Criteria," seeks to make one evaluation system that all countries can follow. Common Criteria has replaced TCSEC, and all current product evaluations are taking place at these levels, not at the older C2 level. You can read a short description of this process as it concerns Windows 2000 here and get into the details of Common Criteria at

The older TCSEC certifications are still valuable. But, either way, it is important to remember that all the certifications say is that a certain system is certified if configured as it was for the test. It's up to you to determine what that means and whether it will be relevant in your situation, and not just listen to the vendor's claims.

