The following list includes some of the most important requirements of C2-level security, as defined by the U.S. Department of Defense:
- It must be possible to control access to a resource by granting or denying access to individual users or named groups of users.
- Memory must be protected so that its contents cannot be read after a process frees it. Similarly, a secure file system, such as NTFS, must protect deleted files from being read.
- Users must identify themselves in a unique manner, such as by password, when they log on. All auditable actions must identify the user performing the action.
- System administrators must be able to audit security-related events. However, access to the security-related events audit data must be limited to authorized administrators.
- The system must be protected from external interference or tampering, such as modification of the running system or of system files stored on disk.