The importance of high assurance computers for command, control, communications, and intelligence systems

The authors discuss the available alternatives for building multilevel secure automated command, control, communications, and intelligence systems (CCCI systems). It is concluded that the only way to have a high degree of confidence that the anticipated threat can be countered is to base a CCCI system on a TCB (trusted computer base) having a security kernel (i.e., on a Class B3 or A1 TCB rather than Class B2 TCB). The recommended approach is to provide the required operating system services as a nonsecurity-critical extension to a commercially available Class B3 TCB, making it possible to use technology that is available, affordable, and immediately usable. It is concluded that the desired extensions are practical within the constraints of a CCI system development project and could be implemented using standard software engineering techniques without impacting the highly-assured security characteristics of the system enforced by the underlying security kernel