Concepts
From physical document stamps to cryptographically-enforced digital labels — a practical introduction to NATO label-based access control.
In government and defence organisations, information is sensitive in different ways and to different degrees. A battlefield report, a diplomatic cable, and a public press release all require different handling — yet they may all live on the same network and be processed by the same systems.
The physical world solved this with stamps and envelopes: a document marked SECRET in red ink could only be handled by personnel who had been granted the appropriate clearance. Personnel carried an identity badge that expressed what they were permitted to access. Access was controlled by comparing the document's marking to the person's badge — a simple matching rule.
The challenge in electronic systems is that this check must happen automatically, consistently, and at every point where information could escape to an unauthorised consumer — not just at the front door.
A security label is a structured, machine-readable descriptor attached to a piece of information that expresses its sensitivity and the conditions under which it may be accessed. It is the electronic equivalent of the red SECRET stamp on a paper document.
A security label has three components:
Classification level: a position in an ordered hierarchy, from UNCLASSIFIED to TOP SECRET. A clearance must reach at least this level for access to be permitted.
Categories: additional, non-hierarchical restrictions such as topic-based compartments, coalition releasability groups, geographic restrictions, or other organisational boundaries.
Policy reference: the domain policy (SPIF) that defines which label values are valid, what they mean, and the rules for deciding whether a label permits a given action.
Critically, in a data-centric model the label is not a separate database entry or a property of a storage location — it is bound to the content itself with a cryptographic signature. It travels with the data wherever the data goes.
Classification levels form a strict hierarchy. Each level implies containment of all levels below it: a person cleared to SECRET may also access CONFIDENTIAL and below. The hierarchy defines a total ordering that makes the basic access decision straightforward: if your clearance level is at least as high as the document's classification level, the level criterion is satisfied.
In a networked environment a classification ceiling is also defined per network or domain — the highest classification permitted to transit that network. Information whose label exceeds the domain ceiling must not enter that domain.
Classification level alone is insufficient. A document may be SECRET and yet must only be shared with a specific coalition, or with a specific Community of Interest (COI) whose members have an operational need to know. Categories add these granular, non-hierarchical restrictions on top of the classification level.
Common category types in NATO practice include:
Releasability markings restrict information to specific allied nations or coalitions. Markings such as RELIDO, CCEB, or NATO state which national groupings may receive the information.
Special Access Codes (SAC) or Sensitive Compartmented Information (SCI) isolate particularly sensitive information within a clearance level — clearance alone does not grant compartment access.
Operational caveats such as EYES ONLY, NO FOREIGN, or ORCON further restrict distribution or handling beyond the classification level and releasability groups.
Single-valued flags such as CRYPTO or NOFORN that apply a specific requirement universally — access is denied unless the clearance explicitly grants that restriction.
Categories are represented in the SPIF as named bit-positions. A label carries a bit for each category; a clearance carries an authorisation bit for each category it permits. The access decision requires that every set bit in the label's category mask is also set in the clearance's authorisation mask.
A security clearance is the mirror image of a security label. Where a label describes what a piece of information requires for access, a clearance describes what a person (or system) is authorised to access.
A clearance consists of a clearance level in the same classification hierarchy and a set of category authorisations, one for each category the holder is permitted to access.
The access decision is a straightforward match. Access is granted if and only if:
(1) the clearance level is at least as high as the label's classification level, and
(2) every category bit set in the label's category mask is also set in the clearance's authorisation mask.
Both conditions must be satisfied simultaneously. A TOP SECRET clearance does not override a compartment restriction; the compartment must be explicitly authorised.
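The matching rule above, as an added worked example (this is illustrative code, not part of Tessera or any NATO specification). The level ordering, the category names and their bit positions are constructed for the example; a real deployment takes all of them from the SPIF.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification hierarchy; a higher value dominates every lower one (constructed ordering)."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Categories as named bit positions, the way a SPIF assigns them.
# Names and positions are constructed for this example.
CATEGORY_BITS = {
    "REL_NATO": 1 << 0,           # releasability group
    "REL_CCEB": 1 << 1,           # releasability group
    "COMPARTMENT_ALPHA": 1 << 2,  # hypothetical compartment
    "NOFORN": 1 << 3,             # restrictive flag
}


def mask(*names):
    """Build a category bitmask from category names."""
    m = 0
    for name in names:
        m |= CATEGORY_BITS[name]
    return m


@dataclass(frozen=True)
class Label:
    level: Level
    categories: int  # bitmask of required categories


@dataclass(frozen=True)
class Clearance:
    level: Level
    authorisations: int  # bitmask of categories the holder may access


def missing_categories(label, clearance):
    """Names of categories the label requires but the clearance does not authorise."""
    unmet = label.categories & ~clearance.authorisations
    return sorted(name for name, bit in CATEGORY_BITS.items() if unmet & bit)


def access_allowed(label, clearance):
    """Both conditions must hold: level dominance AND every label bit authorised."""
    level_ok = clearance.level >= label.level
    categories_ok = (label.categories & ~clearance.authorisations) == 0
    return level_ok and categories_ok


if __name__ == "__main__":
    report = Label(Level.SECRET, mask("REL_NATO", "COMPARTMENT_ALPHA"))
    # TOP SECRET alone does not open a compartment: the authorisation bit is missing.
    ts_no_compartment = Clearance(Level.TOP_SECRET, mask("REL_NATO"))
    print(access_allowed(report, ts_no_compartment),
          missing_categories(report, ts_no_compartment))
```

The complement-and-mask test `label & ~clearance == 0` is the whole category rule: any bit left standing is a requirement the clearance does not meet, and `missing_categories` names it for the audit log.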
A Security Policy Information File (SPIF) is a machine-readable file that defines everything required to evaluate and enforce a security policy within a domain:
In cross-domain scenarios, two SPIFs are relevant: the originating domain's SPIF (to validate the label as issued) and the destination domain's SPIF (to verify the information is releasable under the destination's policy). Both must agree before information is allowed to cross the domain boundary.
SPIFs are defined in the XMLSPIF format — a NATO-standardised XML schema available in versions 2.1 and 3.0. Tessera supports both.
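The two-SPIF check at a domain boundary, as an added example that is not Tessera's code and does not parse the XMLSPIF schema. The `Spif` object is a deliberately simplified stand-in for a policy file; the policy identifiers, level names, category names, ceilings and the "required releasability marking" rule are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Spif:
    """Simplified stand-in for a domain's policy file (not the XMLSPIF schema)."""
    policy_id: str
    levels: tuple            # classification names ordered low -> high
    categories: frozenset    # category names this policy defines
    ceiling: str             # highest level permitted on this domain's network
    required_category: Optional[str] = None  # releasability marking a label must carry

    def rank(self, level):
        return self.levels.index(level)


@dataclass(frozen=True)
class Label:
    policy_id: str
    level: str
    categories: frozenset


def validate_label(label, origin):
    """Originating-domain check: is this label well formed under the policy that issued it?"""
    problems = []
    if label.policy_id != origin.policy_id:
        problems.append(f"label issued under {label.policy_id}, not {origin.policy_id}")
    if label.level not in origin.levels:
        problems.append(f"level {label.level!r} not defined by {origin.policy_id}")
    for cat in sorted(label.categories - origin.categories):
        problems.append(f"category {cat!r} not defined by {origin.policy_id}")
    return problems


def releasable_to(label, dest):
    """Destination-domain check: may this information enter the destination network?"""
    problems = []
    if label.level not in dest.levels:
        problems.append(f"level {label.level!r} has no equivalent in {dest.policy_id}")
    elif dest.rank(label.level) > dest.rank(dest.ceiling):
        problems.append(f"level {label.level!r} exceeds {dest.policy_id} ceiling {dest.ceiling!r}")
    for cat in sorted(label.categories - dest.categories):
        problems.append(f"category {cat!r} cannot be expressed in {dest.policy_id}")
    if dest.required_category and dest.required_category not in label.categories:
        problems.append(f"label lacks releasability marking {dest.required_category!r}")
    return problems


def may_cross(label, origin, dest):
    """Empty list means both SPIFs agree; otherwise every reason the transfer is refused."""
    return validate_label(label, origin) + releasable_to(label, dest)


# Constructed policies for the example.
LEVELS = ("UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
NATO_SPIF = Spif("NATO-POLICY", LEVELS,
                 frozenset({"REL_NATO", "REL_CCEB", "COMP_ALPHA"}), ceiling="TOP SECRET")
CCEB_SPIF = Spif("CCEB-POLICY", LEVELS,
                 frozenset({"REL_CCEB"}), ceiling="SECRET", required_category="REL_CCEB")

if __name__ == "__main__":
    cable = Label("NATO-POLICY", "SECRET", frozenset({"REL_NATO"}))
    for problem in may_cross(cable, NATO_SPIF, CCEB_SPIF):
        print("refused:", problem)
```

Note that the guard refuses on the first domain that objects and reports every reason rather than stopping at the first one; a boundary device that logs all of them makes mislabelled traffic much easier to triage.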
A label that is only checked in one place provides weak protection. An end-user application might be bypassed; a network relay might not enforce it; a storage system might not inspect it. Robust label-based access control requires multi-point enforcement — the label is checked at every boundary crossing.
In the Tessera model:
Traditional access control asks: "Is this user on the access list?" ABAC asks: "Do this user's attributes satisfy every condition in the policy?"
A user's attributes — their classification clearance, their category authorisations (compartments, COIs, releasability markings), their nationality — are evaluated against the ABAC policy embedded in the .ztdf archive. Every condition must be satisfied simultaneously. A TOP SECRET clearance alone does not grant access to a compartmented document; the compartment authorisation must also be present.
Critically, this evaluation happens fresh on every decryption request — there is no cached approval, no pre-authorised user list, and no way to pre-position a key. If a user's clearance is revoked or a category authorisation is withdrawn, the next access attempt is denied, regardless of whether they successfully decrypted the same file before.
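The fresh-on-every-request evaluation described above, as an added example that is not Tessera's implementation. The attribute store, the user records, the policy fields (clearance, categories, nationality) and the revocation call are all constructed for the example; the point it shows is that the decision is recomputed from the current attributes on each key request, so a revocation takes effect at the next attempt with no cache to flush.

```python
from dataclasses import dataclass

# Constructed clearance ordering for the example.
LEVEL_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class AttributeStore:
    """Stand-in for the authoritative attribute source (e.g. a directory); constructed."""
    users: dict

    def lookup(self, user_id):
        # Return a fresh snapshot each time; unknown users get no privileges.
        record = self.users.get(user_id)
        if record is None:
            return {"clearance": "UNCLASSIFIED", "authorisations": set(), "nationality": None}
        return {
            "clearance": record["clearance"],
            "authorisations": set(record["authorisations"]),
            "nationality": record["nationality"],
        }

    def revoke_authorisation(self, user_id, category):
        self.users[user_id]["authorisations"].discard(category)


@dataclass(frozen=True)
class Policy:
    """ABAC policy carried with the protected object; every condition must hold."""
    classification: str
    categories: frozenset
    nationalities: frozenset  # empty means no nationality restriction


def evaluate(policy, attrs):
    """Return (granted, failed_conditions). Evaluates all conditions, never short-circuits."""
    failed = []
    if LEVEL_RANK[attrs["clearance"]] < LEVEL_RANK[policy.classification]:
        failed.append("clearance")
    missing = policy.categories - attrs["authorisations"]
    if missing:
        failed.append("categories:" + ",".join(sorted(missing)))
    if policy.nationalities and attrs["nationality"] not in policy.nationalities:
        failed.append("nationality")
    return (not failed, failed)


def request_key(store, user_id, policy):
    """Key-release decision: attributes are fetched on every call, nothing is cached."""
    attrs = store.lookup(user_id)
    return evaluate(policy, attrs)


if __name__ == "__main__":
    store = AttributeStore({
        "alice": {"clearance": "TOP SECRET", "authorisations": {"COMP_ALPHA", "REL_NATO"},
                  "nationality": "GBR"},
    })
    policy = Policy("SECRET", frozenset({"COMP_ALPHA"}), frozenset({"GBR", "USA"}))
    print(request_key(store, "alice", policy))          # granted
    store.revoke_authorisation("alice", "COMP_ALPHA")
    print(request_key(store, "alice", policy))          # denied on the very next request
```

Evaluating every condition rather than stopping at the first failure costs nothing here and gives the denial log the complete list of unmet attributes, which is what an analyst needs to distinguish a misconfigured account from a probing one.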
The NATO standards suite translates the physical-world model into a concrete, interoperable electronic implementation:
Defines the XML schema for a Confidentiality Label — the electronic equivalent of the classification stamp. Specifies how classification level, categories, and policy references are encoded in a structured, parsable format.
Defines how a Confidentiality Label is cryptographically bound to a specific document. The Binding Data Object (BDO) is a CMS SignedData structure that includes the label, a hash of the content, and a digital signature — making tampering detectable.
Provides the structured handling instructions that accompany a Confidentiality Label — the JSON OCL record whose portion marking string is displayed to users and printed in document headers and footers.
The ACP-240 standard defines the .ztdf encrypted archive format that packages payload encryption, ABAC access policy, and STANAG label binding into a single, self-describing container that enforces policy at the point of decryption.