Defense Data Classification Enforcement

by Nick Clark | Published March 27, 2026 | PDF

Military classification depends on personnel training and network segmentation: people are trained not to put SECRET data on UNCLASSIFIED networks, and networks are physically separated to prevent spillage. Both mechanisms fail regularly under operational pressure. Cryptographic governance binds classification constraints directly to the data, making unauthorized disclosure structurally impossible regardless of which network the data traverses or which personnel handle it.

1. Regulatory Framework

Defense data classification in the United States is governed by Executive Order 13526 (Classified National Security Information) and its implementing directives, which establish the CONFIDENTIAL/SECRET/TOP SECRET hierarchy, sensitive compartmented information (SCI) controls under DCID 6/3 and ICD 503, and the Special Access Program (SAP) framework. Information assurance flows from CNSSI 1253 (security categorization), CNSSP 11 (national policy on the acquisition of information assurance products), and the Risk Management Framework codified in NIST SP 800-37 and NIST SP 800-53. Operational handling is governed by DoD Manual 5200.01 (Information Security Program), with controlled unclassified information (CUI) governed by 32 CFR Part 2002 and NIST SP 800-171 / 800-172 for non-federal systems handling CUI. Cybersecurity Maturity Model Certification (CMMC 2.0) imposes a graduated assessment regime on the defense industrial base.

Coalition and allied operations layer additional structure. NATO classification (COSMIC TOP SECRET, NATO SECRET, NATO CONFIDENTIAL, NATO RESTRICTED) operates under C-M(2002)49. Five Eyes intelligence sharing operates under a network of bilateral and multilateral agreements that govern releasability marks (REL TO USA, FVEY; NOFORN; ORCON; PROPIN). The Federated Mission Networking framework attempts structural interoperability across coalition partners. Across the entire framework, the regulatory expectation is clear: classified information must be protected throughout its lifecycle, against insider and outsider threats, across networks of differing accreditation, with auditable evidence of every access and movement. Regulatory pressure has only intensified following high-profile spillage incidents, generative-AI exfiltration vectors, and the operational reality that coalition tempo demands sharing at machine speed rather than at the speed of bilateral negotiation.

2. Architectural Requirement

The architectural requirement that flows from this framework, and that current implementations satisfy only procedurally, has three properties. First, classification must be a property of the data, not a label attached to the data, so that the protection cannot be separated from the information by a physical or operational action. Second, every operation on classified data — read, copy, transmit, render, derive, summarize, embed in a model — must be evaluated against the data's bound classification policy through an authority-credentialed gate, with a credentialed lineage record of the evaluation. Third, classification changes (declassification, downgrade, reclassification, releasability extension) must require quorum authorization from credentialed governing authorities and must themselves be credentialed observations entered into the data's lineage, not metadata edits performed by individual operators.

The architectural requirement extends to derived works. A summary of a SECRET report is SECRET unless an authorized declassification action says otherwise; an embedding of CUI training data in a model parameter set inherits the source classification unless an authorized derivation policy says otherwise. Procedural classification cannot enforce derivation inheritance because procedural systems do not see the derivation step. Architectural classification can, because the derivation step is itself an operation against the bound policy.

3. Why Procedural Approaches Fail

Classification systems protect information by labeling it and trusting authorized personnel to handle it according to its label. Network segmentation adds a physical layer: classified networks are air-gapped from unclassified networks. The combination of personnel discipline and network separation has been the foundation of information security for decades, and it has produced a long, unbroken record of high-impact failures. Personnel under operational pressure copy data between classification levels to meet mission requirements. Network boundaries are bridged through removable media, improperly configured systems, AI assistants that ingest classified context and emit it on unclassified channels, or deliberate circumvention by insiders ranging from low-tempo leakers to credentialed exfiltrators. Classification spillage — where classified data ends up on systems not authorized for that classification level — is a persistent operational problem that consumes significant security resources to detect and remediate, and the remediation is itself only partial because once data has crossed a boundary it cannot be recalled.

The fundamental weakness is that classification is a label attached to data, not a property of the data. A SECRET document on a SECRET network is protected by the network. The same document copied to a USB drive and inserted into an UNCLASSIFIED system has lost its protection entirely. The classification label may still be on the document header, but the structural enforcement has been defeated by a physical action that the architecture did not, by construction, observe. Mandatory Access Control (MAC) systems like SELinux enforce classification at the operating system level. A process labeled SECRET can read SECRET and below; an UNCLASSIFIED process cannot read SECRET data. These controls are effective within a single system but do not travel with the data. When data moves between systems, the MAC enforcement depends on the receiving system implementing identical controls. If the receiving system does not implement MAC, or implements it differently, the enforcement is lost.

Cross-domain solutions (CDS) enforce classification at network boundaries by inspecting data crossing between classification levels. These solutions are effective but limited to the boundaries where they are deployed. Data that moves through a path that bypasses the CDS — through removable media, through a misconfigured cloud egress, through a coalition partner's system, through an AI inference call that crosses a classification boundary in an unobserved direction — is not governed by the cross-domain solution. Procedural defense-in-depth produces a system whose classification posture is the conjunction of every layer behaving correctly; structural classification produces a system whose classification posture is a property of the data itself. The procedural model is unable, by construction, to close the spillage problem because the spillage problem lives in the gaps between layers.

4. The AQ Cryptographic-Governance Primitive

The Adaptive Query cryptographic-governance primitive, disclosed under USPTO provisional 64/049,409, binds classification constraints to the data itself through cryptographically signed policy agents and authority-credentialed governance gates. A SECRET document carries its classification as a cryptographic property that cannot be separated from the data. Every operation on the data — whether reading, copying, transmitting, modifying, summarizing, embedding, or rendering — must pass through a governance gate that evaluates the operation against the cryptographically bound classification policy, the credentials of the requesting principal, and the accreditation of the executing system.

The enforcement travels with the data. A SECRET document that is copied to a USB drive still carries its cryptographic classification. A system that attempts to process the document evaluates its classification constraints through the governance gate. An UNCLASSIFIED system that does not satisfy the classification requirements cannot decrypt or process the document. The classification enforcement is intrinsic to the data, not dependent on the system or network where the data resides. Compartmentalization and releasability markings are bound the same way. A document marked SECRET//NOFORN carries those constraints cryptographically. A system operated by a foreign partner cannot satisfy the NOFORN constraint and therefore cannot process the document, regardless of what classification level the partner's system is accredited to. SECRET//REL TO USA, FVEY is processable by Five Eyes partner systems whose credentials satisfy the releasability constraint and not by other coalition members.

Declassification and reclassification require quorum authorization from credentialed governing authorities. The cryptographic binding ensures that classification changes are deliberate, authorized, and recorded in the data's lineage as credentialed observations. Unauthorized reclassification is structurally impossible — not procedurally discouraged. Derivation operations evaluate against the source classification and emit derived works whose policy bindings inherit and recompose source constraints under credentialed derivation rules, which closes the AI-summarization and model-training spillage vector that conventional classification has no architectural answer to. The primitive is technology-neutral with respect to cryptographic suite (it composes with the NSA Commercial National Security Algorithm Suite and emerging post-quantum standards) and composes hierarchically across system, enclave, network, and coalition layers.
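The gate evaluation described in this section, the NOFORN / REL TO behaviour above, the derivation-inheritance rule from section 2, and quorum-gated downgrade, modelled in one toy Python example added here; it is a constructed illustration, not the AQ primitive's implementation, which this page does not show. Assumed: a linear level lattice, releasability as a set of country codes with NOFORN modelled as {"USA"}, a quorum of two distinct authorities, and an in-memory list standing in for the credentialed lineage record.

```python
# Toy governance gate for the data-bound classification model above (constructed example, not the
# AQ primitive's code). Assumes a linear level lattice, rel_to as country codes (NOFORN={"USA"}), quorum 2.
from dataclasses import dataclass, replace

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
FVEY = frozenset({"USA", "GBR", "CAN", "AUS", "NZL"})
LINEAGE: list = []  # stands in for the credentialed lineage record; every decision lands here

@dataclass(frozen=True)
class Policy:  # bound to the data object and travels with it
    level: str
    compartments: frozenset = frozenset()
    rel_to: frozenset = frozenset({"USA"})  # default is NOFORN

@dataclass(frozen=True)
class Principal:  # requesting user plus the accreditation of the executing system
    clearance: str
    compartments: frozenset
    nation: str
    system_level: str

def gate(policy: Policy, who: Principal, op: str = "read") -> tuple[bool, str]:
    """Evaluate one operation against the bound policy; the decision enters the lineage."""
    if LEVELS[who.system_level] < LEVELS[policy.level]:
        verdict = (False, "system accreditation below data classification")
    elif LEVELS[who.clearance] < LEVELS[policy.level]:
        verdict = (False, "clearance does not dominate classification")
    elif not policy.compartments <= who.compartments:
        missing = ",".join(sorted(policy.compartments - who.compartments))
        verdict = (False, "missing compartment(s): " + missing)
    elif who.nation not in policy.rel_to:
        verdict = (False, "releasability: not REL TO " + who.nation)
    else:
        verdict = (True, "allowed")
    LINEAGE.append({"op": op, "principal": who, "policy": policy, "decision": verdict})
    return verdict

def derive(*sources: Policy) -> Policy:
    """Derived work inherits the most restrictive recomposition: max level, union of compartments, intersection of rel_to."""
    level = max((s.level for s in sources), key=LEVELS.get)
    compartments = frozenset().union(*(s.compartments for s in sources))
    rel_to = frozenset.intersection(*(s.rel_to for s in sources))
    return Policy(level, compartments, rel_to)

def downgrade(policy: Policy, new_level: str, approvals: list) -> Policy:
    """A classification change needs a quorum of distinct credentialed authorities."""
    if len(set(approvals)) < 2:
        raise PermissionError(f"downgrade needs 2 distinct authorities, got {len(set(approvals))}")
    return replace(policy, level=new_level)
```

A real deployment would replace the in-memory list with signed lineage entries and the nation string with a verified credential; the decision logic itself is what the page describes.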

5. Compliance Mapping

Mapped against the regulatory framework, cryptographic governance produces a one-to-one structural answer to obligations that are otherwise satisfied through layered procedural controls. Against EO 13526 and DoDM 5200.01, classification becomes a property of the data with a credentialed lineage of every access, evaluation, and change — closing the audit gap that procedural classification only partially closes. Against ICD 503 and the SCI compartmentation regime, compartments are cryptographically bound and enforced at every operation rather than enforced procedurally at access time, which closes the cross-compartment summarization vector. Against NIST SP 800-53 control families AC (Access Control), AU (Audit), MP (Media Protection), and SC (System and Communications Protection), the gate satisfies multiple controls at once with a single architectural mechanism whose evidence is the credentialed lineage record. Against CMMC 2.0 Level 3 and SP 800-171/172, defense-industrial-base CUI handling becomes structurally enforceable rather than dependent on contractor procedural maturity.

For coalition operations, cryptographic governance enables information sharing with structural releasability enforcement. Each nation's data carries its releasability constraints cryptographically. Coalition partners can only access data that their credentials satisfy. The sharing is governed by the data itself rather than by bilateral sharing agreements that must be negotiated and manually enforced. Federated Mission Networking obligations are satisfied at the data layer rather than at the network layer, which is the layer that has historically failed to scale to operational tempo. Accreditation regimes (Authorization to Operate, Risk Management Framework continuous monitoring) shift from auditing system-level controls to verifying that gates are correctly deployed and policy is current — a smaller, more tractable, and more auditable surface.

6. Adoption Pathway

A defense deployment of cryptographic classification attaches signed policy agents to data at the point of creation. An intelligence analyst creating a SECRET report has the classification constraints cryptographically bound to the report at creation time, drawn from the analyst's credentials and the originating system's accreditation. Every subsequent operation on the report — by a human analyst, an automated workflow, an AI summarization agent, a coalition partner's system, a tactical edge node — evaluates against the bound classification policy through a governance gate whose decisions enter the report's lineage as credentialed observations.

Phasing aligns with how defense IT actually adopts new architecture. Phase one deploys gates as wrappers around existing storage and document-management systems for newly created data, leaving legacy archives untouched. Phase two extends gates to derivation surfaces — summarization tools, AI assistants, training-data pipelines — closing the highest-velocity spillage vectors first. Phase three extends gates to tactical and edge environments, where classification enforcement must persist through degraded conditions, ad hoc networks, and disconnected operations. Because the data carries its classification regardless of the network path, personnel cannot spill classified data, accidentally or intentionally, by moving it to an unauthorized system: the data structurally will not process on systems that do not satisfy its classification requirements. Phase four extends to coalition environments under Federated Mission Networking, with releasability bindings keyed to coalition-partner credentials. Phase five binds classification authorities (Original Classification Authorities, declassification authorities, foreign-disclosure officers) into the credential hierarchy so that classification lifecycle events are themselves credentialed observations rather than administrative annotations.

The adoption pathway is composable with existing investments — MAC, CDS, DLP, SIEM, IRM — rather than replacing them. The existing controls become layers under the cryptographic-governance gate; the gate provides the structural property they cannot, individually or in combination, provide. The end state is an enforcement model in which spillage is structurally impossible for data that has been brought under the substrate, and the residual operational problem narrows to the rate at which legacy archives and uncovered surfaces are migrated onto it.
