NCJ Number
57953
Date Published
1976
Length
21 pages
Annotation
Procedures designed to ensure the security of the final operational prototype Secure Multics demonstration system (a security kernel for a general-purpose military resource-sharing system) are presented.
Abstract
The kernel design, which is based upon a mathematical model, is in the development stage. Tools to be used to protect the design, development, and testing of the kernel software for both the operating system and the communications processor include the Department of Defense Information Security Program, the Access Isolation Mechanism of Multics, and configuration management. The Information Security Program includes a system of clearances, classifications, secure working areas, and other physical and personnel security measures. The Access Isolation Mechanism of Multics applies these same clearance and classification concepts to software security. Access to various portions of the software is through passwords; various passwords denote various degrees of security. Configuration management is a set of formal disciplines designed to ensure that items produced under its control conform to the approved specifications. Configuration management will be used to control changes and modifications to the kernels, particularly after the close of the verification phase. Implementation of these techniques is described in a general, nonclassified manner, emphasizing basic principles. The program provides three levels of protection: Confidential, Secret, and Top Secret. It limits access to the data and to copies through 'need-to-know' procedures. It also spells out accountability and control procedures. (GLR)