Coalition operations require intelligence and targeting data to flow across partner nations in near real time. Each partner maintains its own network infrastructure, directory services, key management systems, and classification regimes. Infrastructure-centric access control assumes a shared policy engine, a common identity provider, and agreement on network boundaries. Coalition environments have none of these. When partners cannot agree on common infrastructure, the security properties that normally reside in the network stack must move into the data itself. This shift from network-centric to data-centric zero trust reframes how classified data moves across boundaries without requiring all partners to adopt a single platform.
The Infrastructure Assumption Breaks Down
Gateway solutions, cross-domain systems, and data diodes all enforce policy at a single point of evaluation: the network boundary. This design works when both sides of the boundary trust the gateway and accept its decisions. In domestic networks, the gateway sits in trusted infrastructure operated by the same authority that issued the classification markings.
Coalition partners do not operate under a single authority. A Five Eyes intelligence liaison does not control U.S. network infrastructure. A NATO partner in a combined air campaign does not trust all other partners to manage a shared policy engine. When the originating nation cannot enforce policy through its infrastructure, it has no enforcement lever except the data itself. This is not a technical preference; it is a necessity imposed by operational security.
Traditional access control lists, role-based access control, and even attribute-based access control assume evaluation happens in a context where identity can be verified and credentials can be revoked. Coalition partners cannot maintain a shared identity provider. They cannot coordinate revocation across classification authorities operating under different clearance procedures and approval chains.
What Data Carries Across the Boundary
When infrastructure cannot enforce policy, the data has to carry policy semantics that each partner can evaluate independently. This requires four elements: cryptographic identity of the classification authority, policy expressed in partner-agnostic attribute terms, authorized key release conditions, and an audit trail that satisfies all parties' oversight boards.
Cryptographic identity solves the origination problem. A post-quantum signature (NIST FIPS 204 ML-DSA) by the classification authority over the data and its embedded policy proves that the data, and the rules attached to it, came from that authority. ML-KEM (NIST FIPS 203, for example ML-KEM-1024) plays a different role: it encapsulates the per-object content key to a recipient's or key access service's public key and proves nothing about origin, so origin must always rest on the signature. No gateway needed. Any partner holding the authority's public key can verify origin without consulting the originator's network, provided that public key was distributed out of band and the partner has a way to learn when it is rotated or revoked.
Policy expression in attribute-based access control terms allows Partner A's evaluator and Partner B's evaluator to apply the same rules without a shared policy decision point. Instead of "allow if user is in role DCI_OPERATIONS," the policy reads: "allow if clearance >= TS/SCI AND country in [US, UK, CAN] AND current time >= release date." Every evaluator implements the same attribute grammar, the same agreed ordering of clearance levels (partner-local clearance names are mapped onto that ordering before evaluation), and the same fail-closed rule for any attribute it cannot map, and so arrives at the same decision.
Key release conditions govern when the data becomes readable. The content is encrypted under a per-object key, and that key is encapsulated to a key access service operating under the originating authority. When an operator requests access, a policy decision point evaluates the requester's attributes against the embedded policy; only if they satisfy it does the key access service release the content key, and only then does the data become decryptable. The policy is also cryptographically bound to the key material, so a policy rewritten in transit cannot unlock the key. Whoever holds the decapsulation key is the trust anchor for this step, so that key stays with a component the originating authority trusts, either its own key access service or an evaluator it has accredited. This separation of policy evaluation from decryption ensures every access passes an independent check before the key leaves the originator's custody.
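The attribute grammar and the policy-bound key release described above, as an added illustration rather than Lattix code or any partner's evaluator. It assumes a coalition-wide ordering of clearance names (CLEARANCE_RANK), three clause types for the policy grammar, HMAC-SHA256 as a stand-in for the ML-KEM encapsulation and post-quantum signature the text describes (KAS_SECRET stands in for the key access service's private key), and a SHA-256 counter keystream as a stand-in for AES-GCM. The sample report, policy and requester attributes are constructed.

```python
"""Embedded ABAC policy plus policy-bound key release (added illustration).

Stand-ins, labelled as assumptions: HMAC-SHA256 replaces the ML-KEM
encapsulation and post-quantum signature in the text, KAS_SECRET stands in
for a key access service's private key, and a SHA-256 counter keystream
stands in for AES-GCM. CLEARANCE_RANK and the clause types are assumed.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Assumed coalition-wide ordering; partner-local clearance names must be mapped
# onto it before evaluation, and anything unmapped fails closed.
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3, "TS_SCI": 4}

def satisfies(policy: dict, attrs: dict, now: datetime) -> bool:
    """Deterministic check any partner's evaluator can run unchanged.
    The policy is a conjunction; a missing attribute or unknown clause denies."""
    for clause in policy["all_of"]:
        kind = clause["type"]
        if kind == "clearance_at_least":
            have = CLEARANCE_RANK.get(attrs.get("clearance"))
            need = CLEARANCE_RANK.get(clause["level"])
            if have is None or need is None or have < need:
                return False
        elif kind == "country_in":
            if attrs.get("country") not in clause["values"]:
                return False
        elif kind == "not_before":
            if now < datetime.fromisoformat(clause["time"]):
                return False
        else:
            return False  # unknown clause type: fail closed
    return True

KAS_SECRET = b"originator-kas-secret (stand-in for the KAS private key)"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher; a real deployment uses AES-GCM."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def _wrap_key() -> bytes:
    # Stand-in for encapsulating the content key to the KAS public key.
    return hmac.new(KAS_SECRET, b"wrap", hashlib.sha256).digest()

def protect(plaintext: bytes, policy: dict) -> dict:
    """Originator side: build a self-describing object that carries its policy."""
    content_key = os.urandom(32)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    return {
        "policy": policy,
        "ciphertext": _xor(plaintext, _keystream(content_key, len(plaintext))).hex(),
        "wrapped_key": _xor(content_key, _wrap_key()).hex(),
        # Policy binding: whoever held content_key vouched for exactly this
        # policy, so rewriting the policy in transit invalidates the binding.
        "policy_binding": hmac.new(content_key, policy_bytes, hashlib.sha256).hexdigest(),
    }

def release_key(obj: dict, attrs: dict, now: datetime):
    """Key access service under the originating authority: release the content
    key only if the policy is intact and the presented attributes satisfy it."""
    content_key = _xor(bytes.fromhex(obj["wrapped_key"]), _wrap_key())
    policy_bytes = json.dumps(obj["policy"], sort_keys=True).encode()
    expected = hmac.new(content_key, policy_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["policy_binding"]):
        return None  # policy tampered: deny before evaluating it
    if not satisfies(obj["policy"], attrs, now):
        return None
    return content_key

def open_object(obj: dict, attrs: dict, now: datetime):
    """Requester side: decrypt only if the key access service releases the key."""
    key = release_key(obj, attrs, now)
    if key is None:
        return None
    ct = bytes.fromhex(obj["ciphertext"])
    return _xor(ct, _keystream(key, len(ct)))

# Constructed sample: a TS/SCI report releasable to US, UK and CAN from 2025-01-01.
POLICY = {"all_of": [
    {"type": "clearance_at_least", "level": "TS_SCI"},
    {"type": "country_in", "values": ["US", "UK", "CAN"]},
    {"type": "not_before", "time": "2025-01-01T00:00:00+00:00"},
]}
SAMPLE = protect(b"constructed sample report", POLICY)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(open_object(SAMPLE, {"clearance": "TS_SCI", "country": "UK"}, NOW))
    print(open_object(SAMPLE, {"clearance": "SECRET", "country": "UK"}, NOW))
```

The two checks in release_key are deliberately ordered: the policy binding is verified before the policy is evaluated, so an object whose policy was loosened after signing is refused even if the loosened policy would have admitted the requester. An unmapped clearance name (for example a partner-local marking nobody agreed to rank) and an unknown clause type both deny rather than default to allow.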
Audit anchoring through Merkle-tree lineage and cryptographic event logs creates evidence acceptable to oversight authorities. When a partner's operator accesses the data, a hash-linked log entry records identity, time, attributes claimed, and the policy decision, and the evaluator signs the entry. The signature alone does not make the log tamper-evident, since the evaluator could rewrite an entry and sign it again; what prevents retroactive modification is the hash chain back to the original data combined with a chain head that is witnessed outside the evaluator's control, for example countersigned by another partner's audit team. With both in place, regulators and joint audit teams can verify that no entry was altered or removed after the fact.
Federated Policy Authority Without Central Trust
The NIST SP 800-207 model of policy enforcement point and policy decision point assumes a single trusted policy engine. Coalition operations require many trusted policy engines, each operating under different authorities.
A federated architecture decouples policy evaluation from policy authority. Partner A's evaluator is authority for Partner A's attributes and clearance determinations. Partner B's evaluator is authority for Partner B's attributes. Neither partner trusts the other's evaluator to make decisions; each evaluator only reports facts (attribute values) and lets the data's embedded policy decide. This is where standardized policy languages and interoperable token formats earn operational value. If all evaluators speak the same attribute grammar and produce tokens in a common format, the policy embedded in the data can be evaluated by any evaluator without modification.
NSA's ZTDF guidance frames this interoperability requirement: zero trust data fabric designates policy-addressable, cryptographically anchored data as the interoperability standard. Lattix has extended this principle to handle post-quantum key encapsulation and cross-domain audit chains. The result is portable data that carries its own enforcement properties.
Audit Chains That Span Organizational Boundaries
Oversight regimes differ sharply across coalition partners. U.S. inspectors general operate under statutory authorities foreign intelligence partners do not answer to. NATO audits assume different baseline controls than bilateral intelligence arrangements. Joint operations require joint accountability.
Content-addressed storage with cryptographic proof of lineage solves this without requiring partners to agree on audit infrastructure. Every access, every modification, every policy decision leaves a hash-linked entry in an append-only ledger whose first entry is the content hash of the original classified data. Because every later entry is transitively bound to that root, regulators and oversight teams can reconstruct exactly what happened and when, and detect any entry that was altered, without trusting the storage system to tell the truth. The one thing a hash chain cannot do on its own is stop the log owner from rewriting the tail and recomputing every link and signature after it, so the chain head must be periodically countersigned or published by a party outside the owner's control. Only then does the ledger also withstand a dishonest evaluator.
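The hash-linked, content-anchored audit chain described here and under "What Data Carries Across the Boundary", as an added illustration rather than Lattix code. It assumes SHA-256 over a canonical JSON encoding of each entry, HMAC-SHA256 as a stand-in for the evaluator's and the witness's post-quantum signatures, and constructed field names, keys and events. It also shows the failure mode the text warns about: a log owner who holds the evaluator key can rewrite the tail so that the chain still verifies, and only the witnessed head exposes the rewrite.

```python
"""Hash-linked audit chain anchored to the protected object's content hash
(added illustration, not Lattix code). HMAC-SHA256 stands in for the
evaluator's and the witness's post-quantum signatures; field names, keys
and the sample events are constructed."""
import hashlib
import hmac
import json

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canon(entry: dict) -> bytes:
    """Canonical encoding so every partner hashes an entry identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def _sign(key: bytes, body: dict) -> str:
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()

def genesis(content: bytes) -> list:
    """Root entry is the content address of the original object, so every later
    entry is transitively bound to exactly that data."""
    return [{"seq": 0, "event": "origin", "content_hash": _h(content), "prev": ""}]

def append(chain: list, actor: str, attrs: dict, decision: str, evaluator_key: bytes) -> dict:
    entry = {"seq": len(chain), "event": "access", "actor": actor, "attrs": attrs,
             "decision": decision, "prev": _h(canon(chain[-1]))}
    entry["evaluator_sig"] = _sign(evaluator_key, entry)  # signed before the sig field exists
    chain.append(entry)
    return entry

def head(chain: list) -> str:
    return _h(canon(chain[-1]))

def witness(chain: list, witness_key: bytes) -> str:
    """A party outside the log owner's control countersigns the chain head."""
    return hmac.new(witness_key, head(chain).encode(), hashlib.sha256).hexdigest()

def verify(chain, content, evaluator_key, witness_key=None, witness_sig=None):
    """Return (ok, reason): anchor, links, per-entry signatures, optional witness."""
    if chain[0].get("content_hash") != _h(content) or chain[0].get("prev") != "":
        return False, "anchor mismatch"
    for i in range(1, len(chain)):
        e = chain[i]
        if e["seq"] != i or e["prev"] != _h(canon(chain[i - 1])):
            return False, f"link broken at {i}"
        body = {k: v for k, v in e.items() if k != "evaluator_sig"}
        if not hmac.compare_digest(_sign(evaluator_key, body), e["evaluator_sig"]):
            return False, f"bad signature at {i}"
    if witness_sig is not None and not hmac.compare_digest(witness(chain, witness_key), witness_sig):
        return False, "head not witnessed"
    return True, "ok"

def rewrite_tail(chain, idx, new_decision, evaluator_key):
    """What a dishonest log owner who also holds the evaluator key can do:
    alter one entry and recompute every later link and signature. The result
    verifies internally; only the witnessed head exposes it."""
    fixed = [dict(e) for e in chain[:idx]]
    for e in chain[idx:]:
        body = {k: v for k, v in e.items() if k != "evaluator_sig"}
        if body["seq"] == idx:
            body["decision"] = new_decision
        body["prev"] = _h(canon(fixed[-1]))
        body["evaluator_sig"] = _sign(evaluator_key, body)
        fixed.append(body)
    return fixed

# Constructed sample: one allow and one deny recorded by Partner B's evaluator,
# with the head countersigned by a joint audit witness.
CONTENT = b"constructed sample report"
EVAL_KEY = b"partner-b-evaluator-key"
WITNESS_KEY = b"joint-audit-witness-key"
CHAIN = genesis(CONTENT)
append(CHAIN, "opB-17", {"clearance": "TS_SCI", "country": "UK"}, "allow", EVAL_KEY)
append(CHAIN, "opB-42", {"clearance": "SECRET", "country": "UK"}, "deny", EVAL_KEY)
WITNESS_SIG = witness(CHAIN, WITNESS_KEY)

if __name__ == "__main__":
    print(verify(CHAIN, CONTENT, EVAL_KEY, WITNESS_KEY, WITNESS_SIG))
    rewritten = rewrite_tail(CHAIN, 2, "allow", EVAL_KEY)
    print(verify(rewritten, CONTENT, EVAL_KEY))
    print(verify(rewritten, CONTENT, EVAL_KEY, WITNESS_KEY, WITNESS_SIG))
```

In operation the witness step is what a joint audit team contributes: it needs nothing from the log owner's infrastructure beyond the current head hash, and it can later demand the full chain and check that the head it countersigned is still reachable from the anchor.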
Cryptographic Enforcement at the Data Layer
CMMC 2.0 and DoD Zero Trust Strategy 2.0 both emphasize that zero trust enforcement must reach the data layer. In coalition contexts, data-layer enforcement is not optional architecture; it is the only feasible enforcement point. Policy expression through cryptographic material, key release governed by attribute evaluation, and audit anchored in hash proofs allow classified data to move across boundaries while maintaining the security properties demanded by all originating authorities.
When Partner A sends intelligence to Partner B with releasability caveats and TS/SCI classification, Lattix's data-centric zero trust approach embeds those rules in the data itself. Partner B's operator cannot read the data without an evaluator that confirms the presented attributes match the embedded policy and a key release that depends on that confirmation. No gateway authorization is requested and no human back-channel confirmation is needed; the only exchange is the key release request, which carries the requester's attributes and is itself logged. The data enforces its own protection through cryptographic binding of policy to key material and post-quantum resistant key encapsulation. See related: DoD Zero Trust Strategy 2.0 and Federal Zero Trust Deadlines.
References
- NSA Central Security Service, Embracing Zero Trust Data Fabric for Cyber Defense: https://www.nsa.gov/cybersecurity-collaboration-center/publications/
- NIST, Zero Trust Architecture, NIST Special Publication 800-207: https://csrc.nist.gov/publications/detail/sp/800-207/final
- NIST, Module-Lattice-Based Key-Encapsulation Mechanism Standard, FIPS 203: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
- DoD, Zero Trust Strategy 2.0: https://dodcio.defense.gov/Library/Library-View/Article/3309092/dod-zero-trust-strategy/
- CISA, Zero Trust Maturity Model 2.0: https://www.cisa.gov/zero-trust-maturity-model
- Department of Defense, CMMC 2.0 Model Certification and Accreditation: https://dodcio.defense.gov/CMMC/