TFCS
Trusted File Classification Specification
The single specification that governs how every file entering or leaving the F-35 MPE is classified, labeled, gated for releasability, and represented inside the SysML model.
◤ Classification Levels
Levels recognized by the MPE
| Level | Name | Handling Rule | Typical MPE Examples |
|---|---|---|---|
| U | UNCLASSIFIED | Open handling; still subject to OPSEC. | Generic charts, public DAFIF, training scenarios. |
| CUI | CONTROLLED UNCLASSIFIED | Need-to-know; encrypt at rest; CUI markings. | Tail numbers, sustainment data, ALIS extracts. |
| S | SECRET | SIPRNet enclave; classified storage; two-person integrity for release. | MDF threat libraries, datalink time slots, MADL plans. |
| S//NF | TIER-2 // DEMO-LIMITED | US persons only; no foreign disclosure; releasability gate must REJECT. | US-only crypto material, USRL-only MDF variants. |
| S//REL | SECRET // REL TO … | Disclosure limited to named partners (PARTNER-GROUP, NATO, FMS-tailored). | ACURL MDF variants, coalition mission packages. |
| TS//SCI | TIER-3 / SAMPLE | JWICS only; SCIF; compartment caveats; separate key material. | Selected intel-derived threat updates, sensitive sources. |
◤ Labeling Rules
Mandatory marking conventions
- ▸ Every trusted file carries a header block + footer banner with overall classification.
- ▸ Portion marks (U), (CUI), (S), (S//NF) on every paragraph / record / field.
- ▸ Releasability line immediately under the banner: REL TO HOME, PARTNER-GROUP / DEMO-LIMITED / etc.
- ▸ Handling caveats: ORIG-CTRL, PROP-INFO, DEMO-LIMITED, INTERNAL-DEMO — explicit, never inferred.
- ▸ Originator + date of origin + declassification instruction (25X, OADR, source-derived).
- ▸ Digital signature block: signer DN, cert chain, hash algorithm, timestamp.
- ▸ Integrity hash (SHA-256+) bound to the signed manifest.
- ▸ Container metadata mirrors the highest portion mark (high-water mark).
- ▸ Coalition variants: separate file artifact per releasability; never overload one file.
◤ Lifecycle
TrustedFile State Machine
⟦ SysML Snippet — TrustedFile lifecycle — modeled in 05_Behavior ⟧
◤ Import Flow
Trusted File Import — Swimlanes
⟦ SysML Snippet — Activity diagram with partitions for Operator / Ground Security / Trusted Importer / Audit / UPC ⟧
◤ SysML Mapping
Every TFCS concept → a SysML artifact
The TFCS is not a stand-alone PDF; it is generated from these model elements via DocGen.
| TFCS Concept | SysML Artifact | Cameo Package |
|---|---|---|
| Classification levels | Enumeration «Classification» | 12_Library |
| Releasability set | Enumeration «Releasability» | 12_Library |
| Handling caveats | Enumeration «Caveat» (multi-valued) | 12_Library |
| Trusted file object | Block «TrustedFile» | 04_Structure / L5 |
| File lifecycle | State Machine TrustedFile | 05_Behavior |
| Import flow | Activity Diagram (swimlanes) | 05_Behavior |
| Releasability gate | Decision Node + Guard expression | 05_Behavior |
| Labeling rules | Constraint Block + Parametric | 06_Parametrics |
| Security controls | Requirements (NIST 800-53 trace) | 09_Security |
| ICD with downstream | Interface Block «TrustedFileIF» | 08_Interfaces |
| Allocation to components | Allocation Matrix | 07_Allocations |
| Evidence for ATO | DocGen template → TFCS PDF | 10_Verification |
◤ Releasability Gate
Guard expression (constraint block)
```
constraint block ReleasabilityGate {
  parameters
    fileClass      : Classification
    fileReleasable : Releasability
    targetEnclave  : Enclave
    targetPartners : Partner[*]
  constraint
    // 1. Enclave must dominate the file's classification
    enclaveLevel(targetEnclave) >= level(fileClass)
    // 2. DEMO-LIMITED ⇒ all partners must be US
    (fileReleasable == DEMO-LIMITED) ⇒ all(p in targetPartners | p == USA)
    // 3. REL TO X ⇒ partners ⊆ X
    (fileReleasable matches REL_TO(X)) ⇒ subset(targetPartners, X)
    // 4. TS//SCI ⇒ enclave == JWICS && SCIF == true
    (fileClass == TS_SCI) ⇒ (targetEnclave == JWICS) && SCIF
}
```
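The four guard constraints above, evaluated as an executable check. This is an added example, not part of the TFCS model or its generated artifacts. The numeric level ranks, the enclave name UNCLASS_LAN, the partner codes PARTNER-A and PARTNER-B, the `scif` field, and the fail-closed code 0 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed dominance order; the page lists the levels but gives no numeric ranks.
LEVEL = {"U": 0, "CUI": 1, "S": 2, "TS_SCI": 3}
# Assumed enclave ceilings; UNCLASS_LAN is a hypothetical enclave name.
ENCLAVE_LEVEL = {"UNCLASS_LAN": 1, "SIPRNet": 2, "JWICS": 3}
DEMO_LIMITED = "DEMO-LIMITED"

@dataclass(frozen=True)
class Request:
    file_class: str        # fileClass, a key of LEVEL
    releasable: object     # DEMO_LIMITED, or a frozenset of partners for REL TO X
    enclave: str           # targetEnclave, a key of ENCLAVE_LEVEL
    partners: frozenset    # targetPartners
    scif: bool = False     # SCIF flag read by constraint 4 (assumed field)

def violations(r: Request) -> list:
    """Return the numbers of the guard constraints that the request violates."""
    if r.file_class not in LEVEL or r.enclave not in ENCLAVE_LEVEL:
        return [0]  # unknown label or enclave: fail closed (assumed code 0)
    bad = []
    # 1. Enclave must dominate the file's classification.
    if ENCLAVE_LEVEL[r.enclave] < LEVEL[r.file_class]:
        bad.append(1)
    if r.releasable == DEMO_LIMITED:
        # 2. DEMO-LIMITED: every target partner must be USA.
        if any(p != "USA" for p in r.partners):
            bad.append(2)
    elif isinstance(r.releasable, frozenset):
        # 3. REL TO X: target partners must be a subset of X.
        if not r.partners <= r.releasable:
            bad.append(3)
    else:
        bad.append(0)  # releasability missing or malformed: fail closed
    # 4. TS//SCI requires JWICS and a SCIF.
    if r.file_class == "TS_SCI" and not (r.enclave == "JWICS" and r.scif):
        bad.append(4)
    return bad

def gate(r: Request) -> bool:
    """True only when no constraint is violated."""
    return not violations(r)
```

Returning the violated constraint numbers instead of a bare boolean lets the audit lane record why a release was rejected.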