Improving Inter - Enclave Information Flow for a Secure StrikePlanning

DoD operates many system high enclaves with limited information ow between enclaves at diierent security levels. Too often, the result is duplication of operations and inconsistent and untimely data at different sites, which reduces the eeectiveness of DoD decision support systems. This paper describes our solution to this problem as it arises in installations of the Joint Maritime Command Information System (JMCIS), an integrated C4I system. Our approach views databases in more classiied enclaves as potential replica sites for data from less classiied enclaves. Replicated data ows from lower enclaves to higher ones via one-way connections, yielding a high assurance MLS (multi-level secure) distributed system. The one-way connections are the only trusted components. This approach is based on our work on SINTRA (Secure Information Through Replicated Architecture), and applies generally to any collection of systems each running a database at system high. It complements and exploits modern system design methods, which separate data management from data processing, and enables eeective, low-cost MLS operation within that paradigm. In addition to describing current JMCIS installations and our architectural approach, the paper presents our approach for justifying a system's security and our use of formal methods to increase assurance that security requirements are met.