Expeditionary Mesh for GNSS-Denied Operations

Regulatory Framework

Expeditionary mesh operates inside a dense regulatory and doctrinal envelope. The Joint Staff JADC2 strategy and the implementation activities under CJADC2 require that sensor data, fires authorization, and command intent flow across Service-of-Service boundaries under DDIL assumptions. NATO FMN spirals (currently progressing through Spiral 5 and Spiral 6 specifications) impose interoperability profiles for mission partner environments where coalition forces must exchange tactical data without shared static infrastructure. The Tactical Assault Kit family — TAK on Android (ATAK), iOS (iTAK), and Windows (WinTAK) — has become the de facto situational awareness substrate, with the Cursor on Target (CoT) message schema as the lingua franca of tactical observation exchange.

Hardware conformance is governed by MIL-STD-188-220C for digital message transfer over combat-net radio, MIL-STD-461G for electromagnetic interference characteristics in contested spectrum, and MIL-STD-810H for environmental survivability across the temperature, vibration, shock, humidity, and altitude profiles encountered in expeditionary deployment. Link-16 (MIL-STD-6016) remains the legacy backbone for time-division multiple-access tactical data exchange, with Concurrent Multi-Netting and Concurrent Contention Receive extensions narrowing — but not eliminating — the bandwidth and topology constraints. The Replicator initiative and the Army's Project Convergence campaigns have made attritable, mass-deployed sensor and effects platforms a near-term operational fact, multiplying the credentialing and observation-propagation problem by orders of magnitude relative to legacy planning assumptions.

The cumulative regulatory expectation is unambiguous: tactical communications architectures must operate when the network is broken, must remain interoperable across coalition partners with divergent national hardware, must survive contested electromagnetic environments, and must do all of this while preserving cryptographic credentialing of every observation that flows into a fires or command decision. The architectures fielded to meet that expectation have largely failed to satisfy it under stress.

Architectural Requirement

The architectural requirement that follows from JADC2/CJADC2 doctrine and FMN interoperability is precise. The mesh must establish from zero — no pre-positioned reference station, no cellular backhaul, no satellite uplink presumed continuous. Every node must be capable of acting as ingress, egress, store-and-forward relay, and credentialing peer simultaneously. Observations entering the mesh must carry verifiable provenance from the credentialed sensor or operator that produced them, and that provenance must remain verifiable after traversing arbitrary partition-and-reconnect sequences. Policy updates — fires authorization changes, rules-of-engagement adjustments, geofence revisions — must propagate through the same mobile carriers that propagate observations, with the same credentialing guarantees.

The requirement explicitly forbids assumptions that current commercial-off-the-shelf mesh stacks routinely make. It forbids assuming continuous reachability to a CA or revocation endpoint. It forbids assuming GNSS time, since GPS denial and spoofing are baseline planning conditions for Project Convergence and Replicator deployments. It forbids assuming that a node which last contacted the network thirty minutes ago has the same credential state as a node which last contacted ten seconds ago — and yet it requires both nodes to interoperate when they meet on a forward edge.

Why Procedural Compliance Fails

Procedural compliance — the pattern of meeting JADC2 and FMN requirements through deployment of additional pre-positioned infrastructure, longer satellite contract minutes, more elaborate certificate-distribution playbooks, and tighter operator training on connectivity-degradation procedures — fails under structural rather than executional pressure. The failure modes are visible in every contested-environment exercise after-action review.

Pre-positioned infrastructure is the first failure surface. Tactical communications nodes, deployable cellular, expeditionary satellite terminals, and forward-deployed certificate authorities all require physical pre-staging. The deployment scenarios where expeditionary mesh actually matters — opposed entry, post-strike restoration, coalition surge into a partner nation under attack — are exactly the scenarios where pre-staging is impossible, contested, or already destroyed. The infrastructure-dependent solution is structurally absent precisely when it is needed.

Centralized credentialing is the second failure surface. Certificate-revocation lists, OCSP responders, and online enrollment endpoints assume reach-back to a sustained-presence authority. Under DDIL, that reach-back is unavailable for hours to weeks. Procedural workarounds — long-validity certificates, pre-issued offline credential bundles, manual key ceremonies in the field — degrade either security posture or operational tempo, and usually both. CRL staleness becomes a tactical vulnerability rather than a hygiene metric.

Improvised connectivity is the third failure surface. When pre-positioned and centralized fail, units improvise: civilian LTE, commercial satellite hotspots, partner-nation networks of unknown provenance. Each improvisation either bypasses credentialing entirely (creating an injection vector for adversary-shaped observations) or applies credentialing inconsistently across a force whose coherence depends on uniform credential semantics. Procedural compliance has no answer here — the answer it offers is "do not improvise," which combat units uniformly ignore because the alternative is mission failure.

Procedural compliance treats DDIL as an exception condition to be minimized through better infrastructure. The architectural reality is that DDIL is the steady-state condition, and any architecture that treats it as exceptional will fail at the moment of operational stress.

What the AQ Primitive Provides

The memory-native-protocol primitive treats the network as memory rather than as transport. Each conforming device — soldier endpoint, attritable platform, sensor pod, command node — carries a cryptographically continuous local memory that records observations with provenance, policy state, and credentialing successor relationships. The mesh is not a routing fabric overlaid on radios; the mesh is the union of these memories as they encounter one another and reconcile.

When two devices meet — at line-of-sight radio range, across a brief satellite window, through a courier-carried storage device physically transferred between cells — they exchange the deltas of their memories. Provenance is preserved because each observation carries the credentialed signature of the device that originated it; credentialing is preserved because each device carries its own successor-hash chain that establishes its current credential state without reference to an online authority; policy is preserved because policy updates propagate through the same delta-exchange mechanism, signed by the credentialed authority that issued them.

Mobile store-and-forward becomes a structural primitive rather than a degraded-mode workaround. A platoon operating on the far side of a partition for six hours carries policy and observations across the partition; reconnection to the wider mesh propagates the carried content and reconciles divergent histories under the credentialing chain. A Replicator-class attritable platform functioning as a one-shot sensor passes its observation through whatever mesh contact it makes before expending, and the observation carries forward through the credentialing chain even though the platform itself is gone.

GNSS denial is handled at the protocol layer because the protocol does not assume GNSS time. Successor-hash chains establish causal ordering without trusted absolute time, and the trust-slope evaluation that governs whether a foreign observation is admitted to a local memory operates on observed signal characteristics — credentialing chain depth, signature verifiability, corroboration density across independent carriers — rather than on timestamps that an adversary could spoof. The primitive composes naturally with TAK CoT semantics, presenting credentialed observations into ATAK and iTAK as ordinary CoT messages while carrying the underlying provenance machinery transparently.

Compliance Mapping

The primitive maps directly onto the controlling standards. Against MIL-STD-188-220C, the protocol operates as a payload above the digital message transfer layer, neither requiring nor precluding specific waveform choices and remaining compatible with combat-net radio, line-of-sight tactical radios, and emerging Mobile User Objective System derivatives. Against MIL-STD-461G, the protocol's bandwidth-adaptive delta-exchange mechanism does not impose new emission profiles beyond those of the host radio; conformance flows through hardware certification rather than requiring fresh protocol-level testing.

Against MIL-STD-810H, the primitive is software-resident and inherits the environmental envelope of the host platform. Against Link-16, the protocol composes as an overlay payload on J-series messages where bandwidth permits, with the credentialing chain providing observation-level provenance that Link-16's link-layer authentication does not natively address. Against FMN Spiral profiles, the credentialing primitive satisfies the mission-partner credential-exchange requirement without requiring a shared online CA, which the FMN profiles increasingly recognize as architecturally untenable in coalition operations.

Against the JADC2 and CJADC2 sensor-to-shooter integration requirements, the primitive provides credentialed observation propagation at a tempo that matches kinetic timelines under DDIL, which centralized architectures cannot. Against the Replicator and Project Convergence mass-platform deployment requirements, the primitive scales because credentialing is local rather than registrar-mediated; the marginal cost of an additional attritable platform is the cost of issuing one credentialed memory seed, not the cost of registering the platform with a central authority.

Adoption Pathway

Adoption begins at the TAK plugin layer. ATAK and iTAK both expose plugin architectures that allow alternative transport and credentialing modules to be inserted under the existing CoT semantic surface. A memory-native-protocol plugin presents to the rest of TAK as an additional CoT carrier while internally implementing the credentialed memory exchange. Operators see no surface change; the architectural substitution happens beneath the situational-awareness application they already use.

The second adoption phase integrates with attritable and unattended platforms under the Replicator program. Each platform is issued a credentialed memory seed at manufacture or at deployment-staging; the platform's observations enter the mesh through whatever contact opportunities its mission profile allows; the credentialing chain ensures that observations remain verifiable even after the platform is expended. The third phase extends into Link-16-class legacy systems through gateway nodes that bridge the credentialed memory protocol to J-series payload semantics, allowing legacy participants to consume credentialed observations without themselves being conformant nodes.

The fourth phase addresses coalition operation under FMN. Mission-partner forces issue their own credentialing seeds under their own national authorities; the cross-coalition trust-slope evaluator admits or rejects foreign observations based on the credentialing chain depth and corroboration density rather than on a shared CA that no coalition has ever successfully fielded. The pathway is incremental, each phase delivers operational value independently, and the architectural primitive remains stable across the deployment progression — which is the structural property that procedural compliance has never been able to offer expeditionary forces operating under DDIL.