Compliance
Tessera is built against a defined set of NATO and IETF standards. This page lists each standard, what it specifies, and how it is implemented across our products.
Standards implemented
ACP-240, STANAG 4774, STANAG 4778, ADatP-5636, ADatP-4774, ADatP-4778, XMLSPIF v2.1, XMLSPIF v3.0, RFC 5652, RFC 8785, RFC 3464

Core standards that define the data-centric security model and security label framework.

| Standard | Title | Scope | Tessera Implementation | Product | Status |
|---|---|---|---|---|---|
| ACP-240 | Zero Trust Data Format (ZTDF) | Encrypted archive format — payload encryption, ABAC policy, key-access protocol, and manifest structure for the .ztdf container. | Full .ztdf archive production and consumption. AES-256-GCM payload, RSA-OAEP-SHA256 key wrap, HMAC-bound ABAC policy, JSON manifest with RFC 8785 canonical form. KAS /rewrap endpoint. | Windows | Implemented |
| STANAG 4774 | Confidentiality Metadata Labels for Information Objects | XML schema for a Confidentiality Label: classification value, policy identifier, categories, handling instructions, and authority information. | STANAG 4774 Confidentiality Label generation and parsing in all write paths (Office add-ins, Explorer, service). Label embedded in OOXML custom XML, XMP metadata, and sidecar .bdo files per ADatP-4778.2 profiles. | Windows CDS | Implemented |
| STANAG 4778 | Binding Data Object (BDO) | Cryptographic binding of a Confidentiality Label to a specific content object using CMS SignedData; defines the Binding Data Object structure. | XML-DSIG BDO production (label signing CA, per-document certificate); BDO verification in KAS rewrap flow and CDS proxy pipelines. ADatP-4778.2 binding profiles: OOXML custom XML (Ch.5), XMP sidecar (Ch.10), standalone .bdo (Ch.9). | Windows CDS | Implemented |
| ADatP-5636 | Object Classification Label (OCL) | JSON structured label carrying classification level, categories, and policy reference; embedded as a handling assertion in the ACP-240 archive manifest. | OCL generation and parsing for document-level and portion-level marks. Portioning strings computed from SPIF marking instructions and embedded in OOXML core properties and email headers. | Windows CDS | Implemented |
| ADatP-4774 | Confidentiality Metadata Label (CML) Specification | Normative XSD for the Confidentiality Label XML instance; defines the XML structure and allowed values. | Labels validated against the ADatP-4774 normative XSD on all read paths. XML declarations use UTF-8 without BOM per the ADatP-4774 normative example. | Windows CDS | Implemented |
| ADatP-4778 | Binding Information — Profiles | ADatP-4778.2 defines application-specific profiles for embedding the BDO in OOXML, PDF/image XMP, and standalone sidecar files. | All three ADatP-4778.2 profiles implemented: OOXML (custom XML part), XMP (for PDF, JPEG, TIFF, PNG), and sidecar .bdo (all other types). CDS proxies follow the profile cascade for BDO extraction. | Windows CDS | Implemented |
| XMLSPIF v2.1 | Security Policy Information Format (XML, version 2.1) | Machine-readable XML format for a domain security policy: classification hierarchy, category definitions, marking instructions, and equivalence mappings. | Full XMLSPIF v2.1 parsing. SPIF drives classification ordering, category attribute URI mapping, ABAC policy construction, and portioning mark rendering. NATO Security Policy and CWIX25/26 SPIFs included. | Windows CDS | Implemented |
| XMLSPIF v3.0 | Security Policy Information Format (XML, version 3.0) | Updated SPIF schema with extended category types and marking instruction changes. | XMLSPIF v3.0 parsing supported alongside v2.1. CWIX26 v3.0 SPIF included as a test reference. | Windows CDS | Implemented |

Underlying protocol and cryptographic specifications used by Tessera.

| Standard | Title | Scope | Tessera Implementation | Product | Status |
|---|---|---|---|---|---|
| RFC 5652 | Cryptographic Message Syntax (CMS) | Defines the SignedData, EnvelopedData, and other CMS content types used for cryptographic operations on digital content. | CMS SignedData used for STANAG 4778 BDO production and verification. RSA-4096 / SHA-384 signature algorithm. Label-binding CA issues per-document signing certificates. | Windows CDS | Implemented |
| RFC 8785 | JSON Canonicalization Scheme (JCS) | Defines a canonical serialisation for JSON values to enable deterministic HMAC and hash computation over JSON-structured data. | JCS applied to the ACP-240 manifest before computing the HMAC binding the ABAC policy to the wrapped DEK. Ensures consistent HMAC computation across implementations. | Windows | Implemented |
| RFC 3464 | Extensible Message Format for Delivery Status Notifications | Defines the format of email Non-Delivery Reports (NDR) generated when a message cannot be delivered. | RFC 3464 NDRs generated by CDS proxy services when an email flow is rejected at any stage (label validation failure, DLP, malware, Guard DENY). NDR is returned to the originating sender; the destination never sees the rejected message. | CDS | Implemented |
| PKCS#1 / RFC 8017 | RSA Cryptography Specifications | RSA-OAEP key encapsulation and RSA signature algorithms. | RSA-OAEP-SHA256 for ACP-240 DEK wrapping. RSA-4096/SHA-384 for PKI certificates. RSA-2048 for KAS ephemeral keypairs. | Windows CDS | Implemented |
| FIPS 197 | Advanced Encryption Standard (AES) | AES block cipher; AES-GCM authenticated encryption mode. | AES-256-GCM for ACP-240 payload encryption. Unique 96-bit IV per file. GCM authentication tag provides integrity verification of the ciphertext. | Windows | Implemented |

Standards-body testing and interoperability verification.

| Programme | Description | Tessera Status |
|---|---|---|
| CWIX | Coalition Warrior Interoperability eXploration, eXperimentation, eXamination and eXercise — annual NATO interoperability exercise for testing coalition communications and information sharing standards. | CWIX SPIFs included. ACP-240 interoperability test vectors verified against published examples. Test harness provided for standalone testing and validation. |
| Bold Quest | US-led multinational coalition interoperability exercise assessing data-centric security and information-sharing capabilities across participating nations. | ACP-240 interoperability test vectors produced. |

NATO standards continue to evolve. Tessera tracks compliance against each standard and maintains a gap-remediation log documenting known deviations and the planned remediation for each. Where a standard has multiple implementation profiles, the profile in use is documented.