Contested-Mesh Radio for Defense and Public Safety

Regulatory Framework

Defense mesh-radio deployment sits inside a layered regulatory regime. MIL-STD-188-220C governs digital-message-transfer-device interoperability for combat-net radio, fixing the wire-level conventions for tactical message exchange. MIL-STD-461G governs electromagnetic-interference characteristics that contested-spectrum radios must satisfy for coexistence with co-located emitters and platform integration. MIL-STD-810H governs environmental qualification across temperature, vibration, shock, humidity, and altitude profiles that field deployment imposes. These three together define the physical-and-link-layer envelope that any tactical radio must occupy before it is admissible into a programmed acquisition.

Above the link, the cryptographic regime bifurcates. NSA Type 1 cryptography — implemented in End Cryptographic Units accredited under the Cryptographic Modernization Program — protects classified traffic up to and including TOP SECRET//SCI when paired with appropriate keying material managed through the Electronic Key Management System and its successor Key Management Infrastructure. Commercial Solutions for Classified (CSfC), introduced by NSA to leverage commercial cryptography for classified traffic via layered components, provides an alternative path that admits commercial radios and commercial cryptographic implementations subject to the CSfC Capability Package constraints (Mobile Access, Multi-Site Connectivity, Wireless LAN, Data-at-Rest). The Tactical Assault Kit (TAK) ecosystem — the Department of Defense common-operating-picture client family encompassing Android Tactical Assault Kit, Windows TAK, and iTAK — operates across both regimes, with deployment patterns spanning Type 1 and CSfC channels depending on classification.

The JADC2 reference architecture, published by the Office of the Secretary of Defense, frames the all-domain integration objective: any sensor, any shooter, any commander, any domain. The CJADC2 (Combined JADC2) extension brings coalition partners explicitly into the addressing space, raising authority-resolution questions that the underlying radios were not engineered to answer. Project Convergence experimentation under Army Futures Command, alongside the Air Force's Advanced Battle Management System and the Navy's Project Overmatch, repeatedly demonstrates that the link layer performs while the cross-service and cross-coalition trust layer becomes the gating concern. On the public-safety side, FirstNet — the Band 14 nationwide public-safety broadband network operated under contract by AT&T — together with regional Land Mobile Radio interoperability under Project 25 (P25) Phase 2 standards, faces structurally identical authority-resolution and partition-resilience concerns under different regulatory authorities (Federal Communications Commission, National Telecommunications and Information Administration, state interoperability councils).

Architectural Requirement

A contested-mesh radio system that satisfies the regulatory envelope must additionally satisfy four architectural properties that the regulatory documents specify in objective terms but do not prescribe a primitive for. First, authority taxonomy: every message must carry credentialed evidence of who said what, under what authority, with what scope, in a form that is interpretable by every receiving node without round-trip to a central authority service. Second, coalition authority resolution: the taxonomy must accommodate cross-recognition between national authorities, allied authorities, and host-nation authorities, in ways that preserve sovereign credentialing while permitting interoperable consumption. Third, continuity-based revocation: when a credential must be revoked while the credentialing infrastructure is unreachable, the system must rely on continuity properties of the local credential history rather than fresh certificate-revocation-list fetches that contested operation cannot guarantee. Fourth, partition-resilient store-and-forward: messages whose recipients are temporarily unreachable must propagate through the mesh with their authority, scope, and freshness annotations intact, so that a later-reached recipient consumes them under the same governance the originator intended.

These properties cannot be implemented at the radio-firmware layer alone, because the firmware does not see the authority semantics; nor at the application layer alone, because the application does not see the link partition events. They require a memory-native protocol primitive that travels with the message envelope, encodes authority and scope in line, and exposes verification interfaces both to the link-layer relay logic and to the application-layer consumer. This is the architectural element that current programs of record reconstruct through bespoke customer integration of disparate components — public-key infrastructure clients, attribute-based-access-control engines, message brokers, and store-and-forward queues — wired together for each deployment.

Why Procedural Compliance Fails

Procedural compliance — checklist adherence to MIL-STD-188-220C wire conventions, MIL-STD-461G EMI mask compliance, MIL-STD-810H environmental qualification, CSfC Capability Package layered-cryptography rules — is necessary but architecturally insufficient. A system can pass every applicable test plan and still leave coalition authority resolution to a per-deployment integration spreadsheet. The standards prescribe the floor; they do not prescribe the trust-layer ceiling. Persistent Systems Wave Relay, Silvus StreamCaster, Rajant Kinetic Mesh, Trellisware Tactical Scalable MANET, and similar tactical-mesh products each pass the procedural floor with mature engineering, but each leaves the customer to assemble the authority taxonomy on top.

The cumulative reconstruction effort across the customer base is substantial. A defense customer integrating a tactical mesh radio with the Tactical Assault Kit, a coalition CIS infrastructure, a CSfC Mobile Access capability package, and a service-specific identity provider performs months of integration engineering whose output is not portable to the next program. A public-safety customer integrating FirstNet-adjacent mesh with regional CAD systems, P25 trunked LMR, and federal-state-local interoperability standards performs analogous work whose output is not portable to the next jurisdiction. The reconstruction has structural gaps: coalition cross-recognition is handled inconsistently; revocation depends on connectivity that contested operation may not provide; partition resilience for messages-in-flight is handled per-product through varying ad-hoc mechanisms. These gaps are not failures of any individual procedural standard. They are the absence of a primitive that the procedural standards collectively assume but do not require.

The operational consequence shows up in exercises. JADC2 demonstrations repeatedly succeed at the link-layer integration and stumble at the cross-domain authority handoff. Coalition exercises succeed when the participating nations have pre-coordinated identity bridges and stumble when they have not. Public-safety mutual-aid deployments succeed when the responding agencies share P25 talkgroup configuration and stumble when they do not. In each case the procedural compliance is intact and the architectural primitive is missing.

What the AQ Primitive Provides

The Adaptive Query memory-native protocol provides the primitive directly. Every message carries a governed envelope: an authority-taxonomy field that names the credentialing authority and the scope of the asserted permission; a dynamic-device-hash continuity field that anchors the originating device's credential history without depending on real-time certificate-revocation-list fetches; a hop-history relay field that records the chain of intermediate nodes that handled the message under their own credentials; and a store-and-forward propagation field that preserves freshness, scope, and authority annotations across partition events. The envelope is wire-format and platform-portable; it travels above any link-layer transport that the radio provides.

Coalition authority resolution becomes a structural property rather than an integration project. National authorities, allied authorities, and host-nation authorities each issue credentials within their sovereign trust roots; the envelope's authority taxonomy admits cross-recognition rules that named coalitions agree to, and the receiving node evaluates the rules locally without round-trip. The dynamic-device-hash continuity replaces the failure mode of certificate-revocation under contested connectivity: a device whose credential history breaks continuity is rejected even when the credentialing infrastructure is unreachable, because the continuity check is a local property of the message stream rather than a remote oracle. Hop-history relay supports forensic reconstruction of how a message reached a given node, which both the CSfC accreditation evidence and the post-incident review processes depend on. Partition-resilient store-and-forward preserves the governance annotations across the partition; a node that holds messages while a peer is unreachable forwards them on reconnect with the original authority and scope intact, and the consuming application evaluates them under the same governance the originator intended.

The integration with hardware vendors is additive. A Wave Relay radio carrying a governed envelope continues to be a Wave Relay radio under MIL-STD-188-220C link conventions; the envelope is opaque payload to the radio firmware. A Silvus or Trellisware mesh continues to optimize routing as it does today; the envelope rides on top. A FirstNet handset running the public-safety variant of the protocol consumes governed messages from a tactical mesh under the same wire format as governed messages from its own LTE attachment. The customer's integration effort shifts from reconstructing the trust layer to admitting the primitive into the local authority hierarchy — a one-time mapping rather than an ongoing rebuild.

Compliance Mapping

The primitive maps onto each layer of the regulatory regime without disturbing the procedural floor. MIL-STD-188-220C compatibility is preserved because the envelope rides as application-layer payload over the conformant link. MIL-STD-461G compatibility is preserved because the envelope adds no emitter behavior; it is software-layer. MIL-STD-810H compatibility is preserved for the same reason. NSA Type 1 channels carry the envelope inside their bulk-encryption tunnels without modification to the End Cryptographic Unit; CSfC channels carry it inside the layered commercial-cryptography stack subject to the applicable Capability Package — Mobile Access for handheld, Multi-Site Connectivity for fixed-site interconnection — with the envelope's own credential evidence operating at the application layer above the dual-tunnel cryptographic floor.

JADC2 and CJADC2 reference architecture compatibility is structural: the envelope is the cross-domain trust artifact that the reference architectures presume but do not specify. Tactical Assault Kit compatibility is achieved through the existing TAK Cursor-on-Target message family, with the governed envelope wrapping CoT messages without altering their schema. FirstNet and P25 interoperability is achieved through analogous wrappers at the public-safety variant. The compliance mapping is consistently additive: the procedural compliance evidence that programs already produce remains intact, and the architectural compliance evidence is supplied by the primitive's own audit trail.

Adoption Pathway

Adoption proceeds along three concurrent tracks. The first is hardware-vendor integration: a tactical-mesh-radio vendor adopts the primitive as a recommended payload format, ships reference integrations against TAK and against the major Service-specific common operating pictures, and accumulates deployment experience under JADC2 experimentation events such as Project Convergence and the Air Force's Advanced Battle Management System exercises. The second is program-of-record specification: a Service program manager writes the primitive into the next-generation tactical-radio specification as the required trust-layer envelope, on the same regulatory basis as MIL-STD-188-220C is required for the link layer. The third is coalition adoption: NATO Federated Mission Networking and the Five Eyes interoperability community adopt the primitive as the recommended cross-recognition envelope, with national authorities issuing credentials within their sovereign trust roots and the envelope carrying the cross-recognition rules.

The public-safety pathway runs in parallel. FirstNet operational integration, P25 interoperability board adoption, and the Cybersecurity and Infrastructure Security Agency's emergency-communications-coordination guidance each provide regulatory anchors for adoption. Cross-jurisdictional mutual-aid deployments — wildfire response, hurricane response, mass-casualty incident response — provide concrete deployment cases where the architectural primitive demonstrates value that bespoke integration cannot. The cumulative effect is to retire the per-customer reconstruction burden in favor of a unified primitive that all customers consume, leaving the radio vendors free to compete on the link layer where their engineering investment compounds, and leaving the system integrators free to compete on the application layer where the operational value compounds.