What Is Compartmented security mode? Security Definition
On This Page
What do you want to do?
Quick Definition
Compartmented security mode is a way of protecting information where a system can contain data at different security levels, like Secret and Top Secret. Users can see everything the system holds because they have high-level clearance, but they are only allowed to access specific pieces of information that they need for their job. The system enforces these restrictions by checking both the user's clearance and their specific need to see each piece of data. This is a very strict setup used especially in government and military environments.
Common Commands & Configuration
sepolicy booleans -l | grep compartmentLists SELinux booleans related to compartment policies. Use to verify if compartment-based MAC rules are enabled on a Linux system configured for compartmented security.
Security+ and CISSP exams test understanding of SELinux as a MAC implementation. This command checks if compartment Mode is enforced at the OS level.
aws iam simulate-custom-policy --policy-input-list '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Condition":{"StringNotEquals":{"aws:ResourceTag/compartment":"${aws:PrincipalTag/compartment}"}}}]}' --action-names s3:GetObject --resource-arns 'arn:aws:s3:::my-bucket/secret.txt'Simulates an IAM policy that denies access if the resource tag 'compartment' does not equal the principal's tag. Used to test compartment separation in AWS.
Appears in AWS SAA and Security+ exams as a scenario for implementing need-to-know with resource-based tagging.
sacctmgr add user bob qos=compartmented_qosAdds user 'bob' to a QOS (Quality of Service) that enforces compartmented access in a Slurm workload manager cluster.
Relevant for CySA+ and CISSP when discussing HPC environment compartment isolation. Tests understanding of workload-level security modes.
Set-ADUser -Identity 'cn=Alice' -Add @{msDS-AllowedCompartmentList='SAP-A,SAP-B'}Adds compartment authorizations to an Active Directory user object for a system using compartmented security Mode.
Microsoft exams (MD-102, MS-102) test AD schema extensions for compartment labels. This is a common configuration for DoD environments.
kubectl label namespace secret-compartment 'compartment=topsecret-sap' --overwriteLabels a Kubernetes namespace with a compartment tag. Used to enforce workload isolation via network policies and RBAC in compartmented Mode.
Appears in AZ-104 and Security+ as a container security scenario. Tests understanding of labeling for compartment isolation.
cat /sys/fs/selinux/policy_capabilities/compartment | grep -c 1Checks if SELinux compartment support is enabled at the kernel level. Returns 1 if enabled.
CySA+ and CISSP exams test the ability to verify low-level security features. This command confirms the TCB supports compartment enforcement.
Get-AzureRMRoleAssignment -Scope '/subscriptions/.../resourceGroups/compartmentA' | Where-Object {$_.RoleDefinitionName -eq 'Compartment Reader'}Lists role assignments in Azure for a compartment-specific custom role. Used to audit who has compartment access.
MS-102 and AZ-104 exams test Azure RBAC for compartmented security. This shows how to verify least privilege.
Must Know for Exams
Compartmented security mode is a targeted topic in several major IT certification exams, particularly those that cover security architecture and access control models. For the ISC2 CISSP, this term appears in Domain 2 (Asset Security) and is closely associated with the concepts of multilevel security, the Bell-LaPadula model, and the Orange Book. The exam may ask you to differentiate between the four modes of operation: dedicated, system-high, compartmented, and multilevel. The key defining characteristic of compartmented mode is that all users have clearance for the highest classification in the system, but they are restricted by need-to-know compartments. The CISSP exam often presents a scenario where a system requires all users to have a Top Secret clearance but still wants to prevent them from accessing all Top Secret files. The correct answer is compartmented security mode. You might also see questions about which mode is appropriate for a given risk profile. For example, if a security officer wants to ensure that a user with a Secret clearance cannot see a Top Secret file, but the system also needs to keep two different Secret projects separate, compartmented mode would be the best fit, but only if all users first have the highest clearance. If they don't have that highest clearance, you would need multilevel security mode.
For CompTIA Security+ and CySA+, the term appears less frequently but is still part of the security architecture domain. These exams may ask you to match the definition to the correct mode, or they might present a scenario where you have to choose the correct access control mechanism. It is important to know that compartmented mode is an MLS mode, and it relies on mandatory access control (MAC), not discretionary access control (DAC). The exam might also test your understanding of the principle of need-to-know, which is directly enforced by compartmented mode. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), the term is light supporting, meaning it provides background for concepts like sensitive information types and role-based access control, but you won’t see detailed questions about MLS modes. Similarly, for Azure certifications like AZ-104 and Microsoft 365 certifications like MS-102 and MD-102, the term is not a primary objective, but understanding the concept helps when discussing Azure RBAC and Azure Policy, where you can define custom roles that restrict access to specific resources, which is conceptually similar to compartmented access.
For the AWS Certified Solutions Architect – Associate (SAA) exam, compartmented security mode is not a direct topic, but the principle of need-to-know and least privilege is central to designing secure architectures. You might need to apply this concept when designing IAM policies or using resource-based policies with condition keys. The exam could present a scenario where you must securely separate data for multiple projects using different AWS accounts or S3 buckets with fine-grained access controls. While the term itself won't be on the exam, the underlying principle will be tested. In short, for CISSP, you absolutely must know this term inside out. For Security+ and CySA+, know the definition and how it fits into the modes of operation. For other exams, treat it as a background concept that reinforces the importance of least privilege and need-to-know. Regardless of the exam, avoid confusing compartmented mode with system-high mode, where all users can see all data at their clearance level. That is the most common trap.
Simple Meaning
Imagine you work at a large library that has many different rooms, each with its own locked door. Some rooms contain general knowledge books, others have rare historical documents, and a few hold top-secret government files. You have a master key card that lets you enter the library building and walk through the main hallway, meaning you are allowed to be in the building at all. But you cannot just open any room you want. For each room, you need a special permission slip, called a need-to-know, that is separate from your general access. So, even though you have a high-level badge that says you can be in the building during working hours, you can only go into the rooms that are directly related to the projects you are working on. Compartmented security mode works exactly like this in a computer system. The system is the library building, and it contains information at different classification levels, such as Confidential, Secret, and Top Secret. A user who logs into the system might have a Top Secret clearance, similar to having the master key card. The system, however, does not just give this user access to all Top Secret files. Instead, it checks if the user also has the need-to-know for each specific topic. For example, a user might be working on a project about satellite communications and a separate project about naval fleet movements. The system allows them to access files in the Satellite Communications compartment and the Naval Fleet compartment because their job requires it. But the same user, even with Top Secret clearance, is blocked from accessing files about a covert operation in another country, because they do not have a need-to-know for that compartment. This prevents information leaks even among people with the highest clearances. The system constantly checks both your clearance level and your specific need-to-know permissions when you try to open a file or view a document. This makes the system very secure but also complex to manage, because administrators must carefully assign users to the correct compartments.
This approach is different from a simpler system where any user with Top Secret clearance can see all Top Secret information. In that simpler model, if someone with high clearance becomes curious or if a malicious insider tries to snoop, they could access sensitive data that is not relevant to their work. Compartmented security mode prevents this by adding that extra layer of access control. It is not enough to be trustworthy enough for the highest level of secrecy. You must also have a direct, job-related reason to look at a specific piece of information. The system is designed on the principle of least privilege, meaning no user gets more access than absolutely necessary for their tasks. This mode is standard in many intelligence agencies and defense organizations where a single network must handle multiple highly sensitive projects at the same time. It allows those organizations to share computing resources safely without mixing the different projects or compromising their security.
For the information technology professional, understanding compartmented security mode is important because it represents the pinnacle of access control enforcement. It is not just about password rules or firewalls. It is about the architecture of trust within the system. When you administer a system using this mode, you spend a lot of time defining compartments, assigning users to them, and auditing access logs to ensure no one is trying to cross boundaries. A big challenge is that every new project or piece of intelligence must be assigned to an existing compartment, or a new compartment must be created, and all user permissions must be updated accordingly. This requires careful planning and a detailed understanding of who needs what. Failing to do this correctly can lead to serious security breaches, not from external hackers, but from internal personnel losing trust or accidentally seeing information they should not. In the real world, this mode is enforced by specialized operating systems and security kernels that are designed for multilevel security, such as those certified under the Common Criteria at the highest assurance levels.
Full Technical Definition
Compartmented security mode is one of the four defined modes of operation for multilevel secure (MLS) systems as specified in the U.S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. In this mode, all users are cleared for the highest classification level of any information processed by the system, but they are granted access only to those specific compartments of information for which they possess both the clearance and a valid need-to-know. This is fundamentally different from system-high security mode, where all users with the highest clearance can access all data at that level. Compartmented security mode is a strict implementation of the Bell-LaPadula model, enforcing both the simple security property (no read up) and the *-property (no write down), but it also incorporates a third dimension of compartment-based mandatory access control (MAC).
In practice, a compartmented system uses sensitivity labels that consist of a hierarchical classification level (e.g., Confidential, Secret, Top Secret) and a set of non-hierarchical categories, which are the compartments. Each subject (user or process) has a security label that includes their maximum clearance level and a list of compartments they are authorized to access. Each object (file, document, database record) has a label that specifies its classification level and the compartments it belongs to. When a subject attempts to access an object, the system's reference monitor performs a check against the Bell-LaPadula rules, but also verifies that the subject's compartment list includes all compartments listed on the object's label. A user with Top Secret clearance but without the compartment for Project X cannot read a Top Secret file labeled for Project X. This enforcement is done at the kernel level by the security kernel, often in conjunction with a trusted computing base (TCB) that is responsible for maintaining label integrity and enforcing the policy.
Compartmented security mode is often implemented using specialized MLS operating systems such as SELinux (in certain configurations), Solaris Trusted Extensions, or IBM z/OS with RACF/MLS. These systems rely on a security administrator to define compartments and assign user attributes. The Common Criteria for Information Technology Security Evaluation provides a framework for certifying such systems, with Evaluation Assurance Levels (EAL) typically set at EAL4 or higher for this mode. Relevant standards include the U.S. National Security Agency's (NSA) Security-Enhanced Linux (SELinux) policy, which can enforce compartmented access through type enforcement and multi-category security (MCS). In a cloud context, this mode is relevant to multi-tenant environments where strict isolation is required, though it is not commonly used in commercial cloud services. In virtualized environments, compartments can be mapped to separate virtual machines or to containers with tightly controlled labels. The system administrator configures the security policy by defining compartments in a policy file, such as the SELinux policy or an RBAC configuration in Trusted Solaris.
Implementing compartmented security mode in a real IT environment involves several critical components. First, a reference monitor must be implemented that is tamperproof, always invoked, and small enough to be verified. This is the core of the TCB. All user accesses must go through this monitor. Second, a security labeling scheme must be uniformly applied to all subjects and objects. This means every file, directory, network socket, and process must have a label. Third, a trusted path mechanism must exist to ensure that users are communicating directly with the TCB when changing security attributes or logging in. Fourth, audit logging must be comprehensive, recording all access attempts, especially denials based on compartment mismatch. In a large organization, such as a government intelligence agency, the system might have hundreds of compartments defined, and the security administrator's role becomes crucial. An example of a real-world standard is the controlled access protection profile from the Common Criteria, which details requirements for systems operating in compartmented mode. The system must also enforce separation of duty, so that no single user can assign compartments and audit the system simultaneously. This mode is also referenced in the guidance for the U.S. Department of Defense's Joint Worldwide Intelligence Communications System (JWICS) and the Secret Internet Protocol Router Network (SIPRNet) when handling compartmented intelligence. Network-level enforcement is achieved through cryptographic segregation, often using IPsec tunnels with labeled security attributes or using Multi-Protocol Label Switching (MPLS) with security labels.
One of the main challenges in operating a system in compartmented security mode is the administrative overhead. Every new employee must be assigned to specific compartments, and every new project must be categorized into an existing or new compartment. If a user changes roles, their compartments must be removed or updated. The risk of a security administrator making a mistake and assigning a user to a wrong compartment is significant, which is why dual-authorization processes are often required. The system must handle the case of a user who has a need-to-know for one compartment but not another, and the system must prevent indirect access through inference. For example, if a file in compartment A contains a reference to a file in compartment B, the system must prevent the user from accessing that reference. This requires careful design and is often handled by a sophisticated data labeling scheme that propagates labels when data is combined. The Bell-LaPadula model, while foundational, was later extended by the Biba model to address integrity, and by the Clark-Wilson model for commercial use, but compartmented security mode remains rooted in the original military model. In modern cybersecurity, the concepts of compartmented access are incorporated into zero trust architectures, where every access request is evaluated based on user identity, device health, and data sensitivity, though the specific term “compartmented security mode” is most often used in the context of TCSEC and formal MLS systems. For IT certification exams, particularly the CISSP and Security+, it is essential to know the four modes of operation: dedicated, system-high, compartmented, and multilevel.
Real-Life Example
Think about a large hospital. The hospital has a main computer system that stores all patient records. The system holds information at different sensitivity levels: basic contact details, medical history, lab results, mental health notes, and highly sensitive legal documents. Every doctor and nurse working in the hospital has a high-level credential that allows them to log into the system, similar to having a Top Secret clearance. They need to access many parts of the system to do their jobs. But not every doctor should be able to see every patient’s information. For example, a cardiologist should not see the mental health notes of a patient unless that patient is also their assigned case. The hospital uses compartments to organize information. There is a Psychiatry compartment, a Cardiology compartment, a Legal compartment, and so on. When a doctor logs in, the system checks their role and their current patient assignments. If a cardiologist is treating a patient for a heart condition, the system adds that doctor to the Cardiology compartment for that specific patient. The doctor can then see the heart-related test results and notes. However, if the same doctor tries to open the patient’s psychiatric evaluation notes, the system blocks the request because the doctor is not in the Psychiatry compartment for that patient. This is exactly how compartmented security mode works in a computer network.
Now, imagine the hospital also has a nurse who works in both the emergency room and the oncology ward. The system gives that nurse access to the Emergency Medicine compartment and the Oncology compartment. The nurse can read and update records for patients they are currently caring for in those areas. But if the same nurse, because they are curious, tries to look at the records of a celebrity patient who is in the hospital for a non-emergency procedure in a totally different ward, the system refuses. The nurse has a high-level badge (they can work in the hospital), but they have no need-to-know for that patient’s records, nor are they in the correct compartment. This prevents gossip and protects patient privacy.
In this hospital system, the administrators have to be very careful. They must define the compartments clearly. Is there a compartment for each hospital ward? For each type of illness? For each patient case? They also need to decide when a doctor moves from one department to another, the old compartments must be revoked, and new ones must be added. If the system is not well designed, a doctor might accidentally be left with access to a department they no longer work in, which would be a security violation. Also, the system must handle overlapping compartments. A patient might have a heart condition and be seeing a psychiatrist. Their record could be labeled with both Cardiology and Psychiatry compartments. A doctor who needs to see both would need to be in both compartments. This is similar to a military intelligence officer needing to see files about both a weapons system and a foreign policy strategy to understand a threat. The compartmented security mode ensures that information is only visible to those with a legitimate need, even when everyone has high-level trust. It is a way of applying the principle of least privilege on top of a clearance-based system.
Why This Term Matters
Compartmented security mode matters in IT because it represents a fundamental approach to protecting sensitive information in environments where the risk of insider threats is high. In many organizations, especially in government, defense, and finance, information is not just classified by its level of secrecy but also by its specific topic area. Without a system that enforces compartmented access, an employee with high-level clearance could roam freely through all sensitive documents, which could lead to unauthorized leaks, espionage, or unintentional data exposure. This mode provides a formal structure for enforcing the need-to-know principle, which is a cornerstone of information security. For IT professionals, implementing this mode requires a deep understanding of access control models, operating system security features, and careful administrative processes. It is not a feature you can simply turn on; it requires a complete overhaul of how subjects and objects are labeled and how access decisions are made.
From a practical standpoint, compartmented security mode forces an organization to clearly define what information belongs to which projects and who exactly needs access. This often leads to better data governance and more efficient work processes, because users are not overwhelmed with irrelevant files. It also makes auditing more effective. If a security breach occurs, the logs will show exactly which compartment boundary was crossed, making it easier to trace the source of the leak. This mode is a key requirement for many compliance frameworks that deal with classified or high-sensitivity data, such as those in the US Federal Government (e.g., FISMA, NIST SP 800-53) and certain ISO 27001 implementations for high-security contexts. Understanding this term helps an IT professional prepare for these stringent environments.
For the broader cybersecurity landscape, the concept of compartmented access has been adapted into modern zero trust architectures, where access is granted based on continuous verification of identity, device, and data sensitivity, rather than assuming trust based on a single login. While you may not see a system explicitly labeled as running in compartmented security mode in a commercial cloud environment, the underlying principle is used in features like AWS IAM policies with condition keys that restrict access based on resource tags, or in Azure role-based access control with custom roles that are scoped to specific resources. Knowing the origin of these principles helps you design more secure systems. When you take an exam like the CISSP, this term tests your understanding of the different modes of operation and how they relate to the Bell-LaPadula model, which is a core concept in Domain 2 (Asset Security). Ignoring the nuances of this mode could lead to a wrong answer on a question about system security architecture.
How It Appears in Exam Questions
On certification exams, questions about compartmented security mode typically fall into three categories: definition-based, scenario-based, and comparison-based. Definition-based questions are straightforward, asking something like, 'Which mode of operation requires all users to have clearance for the highest classification level, but restricts access based on need-to-know?' The answer is compartmented security mode. Another variation might ask for the mode that implements mandatory access control with compartments. Scenario-based questions are more common. For example, 'A defense contractor has a system that processes Top Secret, Secret, and Confidential data for three different projects: Project Alpha, Project Beta, and Project Gamma. All employees have Top Secret clearances. The company wants to ensure that employees working on Project Alpha cannot access files for Project Beta. Which security mode should be implemented?' The correct answer is compartmented security mode. A trick in the scenario might be that some employees only have Secret clearance. In that case, the mode would not be compartmented, because not all users are cleared for the highest level. The correct answer then would be multilevel security mode.
Another common question pattern involves troubleshooting. For instance, 'A system administrator notices that a user with Top Secret clearance is unable to access a file that is also marked Top Secret. The system is operating in compartmented security mode. What is the most likely cause?' The answer would be that the user does not have a need-to-know for the compartment associated with that file. The question might also ask about the implications of assigning a user to too many compartments. For example, 'What is a potential risk of granting a user access to many compartments in a system operating in compartmented mode?' The correct answer is that it increases the risk of unauthorized information disclosure, because the user gains visibility into more projects than necessary. Questions might also ask about the administrative overhead: 'What is a primary challenge of implementing compartmented security mode?' Answer: 'The complexity of defining and maintaining user-to-compartment assignments.'
In the CISSP, you might see a question that asks about the difference between the reference monitor and the security kernel. But a more specific question could be: 'In a system operating in compartmented security mode, which component is responsible for checking that the subject's compartment list is a superset of the object's compartment list?' The answer is the security kernel or the reference monitor. Another advanced question could ask about the impact of the *-property in compartmented mode. For example, 'In compartmented security mode, can a subject with Top Secret clearance for compartments A and B write to a file labeled Secret for compartment C?' The answer is no, because the *-property prevents writing down to a lower classification, even though the compartments don't match. The subject's clearance is above the file's classification, so writing down is disallowed. This tests the interaction between the hierarchical classification and the non-hierarchical compartments. Always remember that the Bell-LaPadula rules still apply on the classification hierarchy, even when compartments are used.
Study CISSP
Test your understanding with exam-style practice questions.
Example Scenario
You are a security architect for a large international corporation that works on three top-secret projects: Project Solar (renewable energy patents), Project Lunar (new satellite communications), and Project Stellar (a new type of aircraft engine). The company decides to use a single server to store all data for these projects, because it is more cost-effective. All engineers who work on these projects have been vetted and have a high-level security clearance that allows them to access the server. However, the company wants to ensure that an engineer working on Project Solar cannot accidentally see the design blueprints for Project Lunar. The company decides to implement compartmented security mode.
The system administrator creates three compartments: SOLAR, LUNAR, and STELLAR. Each file related to a project is labeled with the appropriate compartment. For example, a document about solar panel efficiency is labeled as 'Confidential, SOLAR'. A file about satellite frequencies is labeled 'Secret, LUNAR'. An engineer named Alice is working on Project Solar and Project Stellar. The administrator assigns Alice a security label that includes her Top Secret clearance and adds her to the SOLAR and STELLAR compartments. When Alice logs in, she can see all files that have the SOLAR or STELLAR compartments, provided her clearance level (Top Secret) is at least as high as the file's classification. She can read a Top Secret file about solar materials, because her clearance is Top Secret and she is in SOLAR. She cannot read a Secret file about satellite frequencies, because even though her clearance is high enough, she is not in the LUNAR compartment. She also cannot write to a file that is lower classification than her clearance if that file is in a compartment she is not in, because of the *-property. This scenario perfectly illustrates the need for compartmented security mode.
Now, suppose the company later hires a new engineer, Bob, who only works on Project Lunar and has a Secret clearance. Bob tries to access a Top Secret file about lunar engines. Because Bob only has Secret clearance and the file is Top Secret, the system denies access. This is a simple clearance mismatch. But even if Bob had Top Secret clearance, he still would not get access unless he was in the LUNAR compartment. This example shows that compartmented security mode adds a layer of access control on top of the clearance hierarchy. The system is complex to manage because the administrator must update compartments whenever an engineer changes projects. If Alice leaves Project Solar and joins Project Lunar, her SOLAR compartment must be removed and the LUNAR compartment added. This ensures that she no longer has access to past project files that she no longer needs. In an exam, you might be asked: 'In this scenario, what would happen if the administrator accidentally removed Alice from the SOLAR compartment but forgot to remove her from STELLAR?' The answer is that she would lose access to SOLAR files but still have access to STELLAR files, which could be a security violation if she no longer works on that project. This highlights the administrative burden of this mode.
Common Mistakes
Thinking that all users must have the same clearance level.
In compartmented security mode, all users must have clearance for the highest classification level in the system, but they do not need to have the same clearance. They must all be cleared at the highest level, meaning they must have at least that level. For example, if the system contains Top Secret data, all users must hold Top Secret clearance. But they could also hold higher clearances if they exist. The key is that there is no user with a lower clearance.
Understand that the mode requires all users to meet the highest classification present, not that they all share identical clearances.
Confusing compartmented security mode with system-high security mode.
In system-high mode, all users have the same clearance level, and they also have access to all data at that level. There are no need-to-know restrictions. In compartmented mode, access is restricted based on compartments even among users with the highest clearance. The distinction is that system-high gives blanket access, compartmented gives restricted access despite shared high clearance.
If the scenario says all users have Top Secret clearance but cannot see all Top Secret files, it is compartmented mode. If they can see all Top Secret files, it is system-high mode.
Thinking compartmented security mode allows users with lower clearances to access data at higher classifications as long as they are in the right compartment.
This is false. The mode explicitly requires all users to be cleared for the highest classification in the system. A user with only Secret clearance cannot operate in compartmented mode if the system contains Top Secret data. The mode does not permit any downgrading of the hierarchical classification requirement. The compartment restrictions apply only after the clearance requirement is met.
Remember that clearance is a prerequisite. The compartment is an additional restriction, not a substitute for clearance.
Assuming that compartmented security mode is the most secure of the four modes.
It is very secure, but multilevel security mode is often considered more secure in a different way because it allows users with different clearances to operate on the same system, with the system preventing information flow from higher to lower. Multilevel mode is more complex and can protect against a wider range of threats. Compartmented mode is less flexible because it requires everyone to be cleared at the top level.
Understand that security depends on the threat model. Compartmented mode protects against internal threats among high-cleared personnel, while multilevel mode also protects against threats from lower-cleared users. Both are strong in different contexts.
Believing that compartments only apply to classification levels, not to categories.
Compartments are non-hierarchical categories that are separate from the classification level (Confidential, Secret, Top Secret). A file can be Top Secret in one compartment and Secret in another. The compartment is the specific project or topic area. The classification is the sensitivity level within that topic. Both are checked separately by the system.
Think of classification as the height of a shelf and compartments as different shelves for different topics. A user needs to be tall enough (clearance) and assigned to the correct shelf (compartment) to reach a book.
Confusing compartmented security mode with role-based access control (RBAC).
While both can restrict access, compartmented mode is a mandatory access control (MAC) model, where the system enforces the policy based on labels. Users cannot change these labels. RBAC is a discretionary or non-discretionary model where administrators assign roles. In compartmented mode, the labels are tied to objects and subjects by the TCB. RBAC does not inherently handle hierarchical classifications.
Compartmented mode is about sensitivity labels and need-to-know. RBAC is about job roles and permissions. They can be used together, but they are fundamentally different concepts.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a system where users have different clearances (e.g., some Secret, some Top Secret) and the system uses compartments to restrict access to specific projects within the same system.
The answer choices include 'compartmented security mode' and 'multilevel security mode'. Many learners choose 'compartmented' because they see the word 'compartment' and think it fits.","why_learners_choose_it":"The term 'compartmented' appears in the question scenario, leading learners to match the keyword without considering the full definition.
They forget that compartmented mode requires all users to be cleared at the highest level present. The scenario with mixed clearances is a classic setup for multilevel security, but the keyword lure is strong.","how_to_avoid_it":"Always read the question for the clearance requirements first.
If the scenario explicitly states that some users lack the highest clearance, the mode cannot be compartmented. The correct answer is multilevel security mode. If the question says all users have the highest clearance, and then talks about restricting access to compartments, then it is compartmented mode.
Focus on the clearance condition before looking at compartments."
Commonly Confused With
In system-high security mode, all users are cleared to the highest classification level of the system, and they have access to all data at that level. There is no compartment-based restriction. For example, in a system-high Top Secret system, any user with Top Secret clearance can read all Top Secret files. In compartmented mode, they cannot, because they are limited by need-to-know compartments.
A system-high system is like a library where everyone with a master key can open all rooms. A compartmented system is the same library, but each room also has a separate lock, and each person only gets keys for the rooms they are assigned to.
Multilevel security mode allows users with different clearances to access the same system, with the system preventing information flow from higher to lower classifications. In compartmented mode, all users must have the highest clearance, but they are restricted by compartments. The key difference is that MLS handles multiple clearance levels, while compartmented mode handles multiple need-to-know compartments at the same high clearance.
In MLS, a Secret-cleared user and a Top Secret-cleared user can work on the same server, with the Secret user only seeing Secret data. In compartmented mode, both users must be Top Secret, but one might not see data from Project X while the other can.
Dedicated security mode is the simplest. All users have the same clearance, and all data is at the same classification level. There is no need for compartments. Everyone can access everything. Compartmented mode is for systems with multiple classification levels (even if all users are cleared for the highest) and multiple compartments, which is more complex.
Dedicated mode is like a single secret room where everyone inside has the key and all documents are the same level. Compartmented mode is a building with many rooms of different secrecy levels, but everyone has a pass for the highest level, but only specific room keys.
RBAC is a non-mandatory access control model that grants permissions based on organizational roles. Compartmented security mode is a mandatory access control (MAC) model that enforces security labels defined by the system administrator. In compartmented mode, users cannot override the labels. In RBAC, roles can be changed by administrators, and the model does not inherently involve classification levels or need-to-know compartments.
RBAC is like job titles: a manager role can approve purchase orders. Compartmented mode is like security clearances: you need a Top Secret badge and a special chip for the nuclear codes room. They are often used together, but they are different concepts.
DAC allows the owner of an object to grant or deny access to others at their discretion. Compartmented mode is mandatory access control (MAC), where the security policy is centrally controlled and users cannot change the access rules. In a compartmented system, even a file owner cannot grant access to someone who is not in the same compartment.
In DAC, you can share a document from your Google Drive with anyone. In compartmented mode, even if you own the file, you cannot share it with a colleague who does not have the right compartment label.
Step-by-Step Breakdown
Classification of the system's data
The organization first determines the highest classification level of data that will be stored on the system (e.g., Confidential, Secret, Top Secret). This sets the baseline clearance requirement for all users. Then, the organization identifies the distinct projects or topics that need to be separated into compartments. Each compartment is assigned a unique label, such as 'Alpha', 'Beta', 'Gamma'.
Define user clearances and compartments
Every user who will access the system is vetted and given a clearance that must equal or exceed the highest classification in the system. Each user is assigned a list of compartments for which they have a need-to-know. For example, a user working on Project Alpha and Gamma is added to the Alpha and Gamma compartments. This assignment is recorded in the system's user database within the trusted computing base.
Label all objects with sensitivity labels
Every file, database record, and resource on the system is labeled with a sensitivity label that includes both a classification level and a list of compartments. For example, a document might be labeled 'Top Secret, {Alpha, Gamma}', meaning it is top secret and belongs to both the Alpha and Gamma compartments. This labeling is enforced by the operating system at creation time and cannot be changed by users.
System boots and security kernel initializes
When the system starts, the security kernel loads the security policy database that contains the clearance and compartment assignments for users, as well as the allowed actions. The reference monitor is initialized to intercept all access requests. The system enters a trusted state where only authorized software can run.
User authentication and subject creation
A user attempts to log in. The system validates their identity through credentials (password, smart card, etc.). Upon successful authentication, the system creates a security context for the user, which includes their maximum clearance and list of compartments. This context is attached to every process the user runs.
Subject requests to access an object
The user (subject) attempts to open a file or resource (object). The request is intercepted by the security kernel. The reference monitor extracts the subject's security context (clearance, compartments) and the object's sensitivity label (classification, compartments).
Reference monitor checks Bell-LaPadula rules
The reference monitor first applies the Bell-LaPadula simple security property: the subject's clearance must be equal to or greater than the object's classification for read access. Then it applies the *-property (no write down). For compartmented mode, an additional check is performed: the subject's compartment list must be a superset of the object's compartment list. In other words, every compartment listed on the object must also be assigned to the subject.
Grant or deny access based on the check
If the subject's clearance is high enough and all compartments match, the access is granted. If either the clearance is insufficient or any single compartment is missing from the subject's list, the access is denied. A log entry is created recording the decision, which is auditable by security administrators.
Continuous enforcement during session
The reference monitor intercepts every subsequent access request throughout the user's session. It remains always invoked and tamperproof. Even if a user has opened a file from compartment A, they cannot open a file from compartment B unless they are in that compartment. The security kernel ensures that no process can change its security context after creation without re-authentication.
Practical Mini-Lesson
In practice, implementing compartmented security mode in a modern IT environment involves a combination of identity management, data classification, and access control policies. For example, in a Microsoft 365 tenant, you would use Microsoft Purview to create sensitivity labels that represent your compartments. Let us say your organization has compartments for "HR Data," "Financial Data," and "R&D Data." You create these as sensitivity labels. You then configure label policies that auto-assign these labels to documents based on content patterns (e.g., any document containing a social security number gets the "HR Data" label). Next, you create protection policies that restrict access to these labeled documents. For instance, you can configure that only members of the "HR Team" Azure AD group can decrypt and read documents labeled "HR Data." This is the compartmented security mode in action: the label is the compartment, and the group membership is the need-to-know authorization.
When a user in the Engineering department tries to open a document labeled "HR Data," they are blocked because their token does not include the "HR Team" group. Even if that user has a Global Admin role (high clearance), they cannot access the document. This illustrates the core principle: clearance alone is insufficient; compartment authorization is required. In AWS, a similar approach uses S3 bucket policies with conditions based on tags. You can tag an S3 object with a key "Compartment" and value "Finance." Then you create an IAM policy that allows access only if the user has a matching tag "Department:Finance." This enforces compartment-level access at the object level.
What can go wrong? The most common issue is mislabeling. If a sensitive document is labeled incorrectly (e.g., given a lower compartment label), it may become accessible to unintended users. To mitigate this, use automatic classification with machine learning, and always require manual override approval for sensitive labels. Another problem is over-entitlement: users accumulate compartment authorizations over time because no one revokes old ones. This breaks the need-to-know principle. Regular access recertification is essential. Finally, if the reference monitor (e.g., Azure Information Protection scanner or AWS IAM) is not properly configured, users might bypass the check by downloading and sharing the file outside the system. Use persistent protection (encryption that follows the file) to prevent this.
Minimum Clearance Requirements in Compartmented Security Mode
Compartmented Security Mode is a highly restrictive security operating mode defined within the Trusted Computer System Evaluation Criteria (TCSEC) and referenced heavily in CISSP and Security+ exam objectives. In this mode, all users must possess both the appropriate security clearance for the highest classification level of information processed by the system AND formal approval (need-to-know) for ALL compartments of information handled by the system. This is the strictest of the four security modes (Dedicated, System High, Compartmented, Multilevel). The critical distinction is that a user cannot access any compartment unless they have explicit authorization for every single compartment present on the system.
From an architectural perspective, implementing Compartmented Security Mode requires a reference monitor that enforces mandatory access control (MAC) based on security labels. The system must prevent any user from reading, writing, or executing data outside their authorized compartments. For example, if a system contains data labeled "TOP SECRET//SAP//NOFORN" and "TOP SECRET//SI//TK," a user cleared for TOP SECRET but only authorized for the first compartment cannot access the second. This creates a significant administrative overhead because the security officer must carefully vet every user's compartment authorizations before granting access.
In the AWS cloud environment, Compartmented Security Mode aligns with the use of AWS Organizations Service Control Policies (SCPs) combined with IAM permissions boundaries and resource-based policies. While AWS does not enforce TCSEC modes natively, architects design compartmented enclaves by using separate VPCs, KMS key policies that require specific cmk grants, and IAM conditions that check for the presence of specific tags or session tags representing compartment codes. The exam emphasis is on understanding that Compartmented Security Mode is not about whether the user has clearance for the highest level of data; it is about having explicit authorization for every single compartment on the system.
A common misconception tested in the CISSP and Security+ exams is confusing Compartmented Mode with System High Mode. In System High Mode, all users need the clearance for the highest classification but do not need formal access approval for all compartments; they only need need-to-know for the data they access. In Compartmented Mode, the requirement is absolute: every user must be formally approved for every compartment that exists on the system, regardless of whether they actually access that compartment. This difference is a frequent trick question.
Another critical exam point is the Trusted Computing Base (TCB) implications. In Compartmented Security Mode, the TCB must be sufficiently robust to enforce separation between compartments. If a single user is authorized for all compartments, the TCB still must prevent any accidental or malicious data flow between compartments through covert channels. The system must label all objects and subjects with sensitivity labels and compartments, and the security kernel must mediate every access. This places significant performance constraints on the system, which is why Compartmented Security Mode is rarely used in commercial cloud environments without extensive customization.
Labeling Infrastructure and Data Tagging for Compartmented Security Mode
In Compartmented Security Mode, the system must maintain a labeling infrastructure that accurately represents the hierarchical classification level and the set of compartments (non-hierarchical categories) assigned to every object and subject. This labeling infrastructure is the backbone of the mandatory access control (MAC) policy. The system uses security labels that are composed of a classification level (e.g., UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET) and a set of compartments (e.g., SAP, SI, TK, NOFORN, FOUO). The labels must be stored in a tamper-proof manner, typically within the system's Trusted Computing Base (TCB).
From a practical implementation perspective, in a cloud environment like AWS, labeling is often achieved through resource tags, AWS Lake Formation cell-level security, or S3 object tags with conditions in IAM policies. However, native AWS services do not natively enforce TCSEC-style compartmented security. Architects must build custom policy engines using AWS Lambda, DynamoDB, and IAM policy variables. For example, an IAM policy condition might check if the user's session tag "compartment" matches the object's tag "compartment" exactly. If a user is authorized for compartments A, B, and C, they must have a session tag that includes ALL compartments present on the system, not just the compartments they intend to access. This is the core requirement of Compartmented Security Mode.
The Security+ exam often tests the concept of security labels and compartments. A typical question might describe a system where data is marked with compartments and ask which operating mode is being used. The key is that if the scenario states that users must be cleared for the highest classification AND be formally approved for all compartments that exist on the system, the answer is Compartmented Security Mode. The CISSP exam goes deeper, asking about the implications for the security kernel and the TCB. The TCB must ensure that no subject can read an object unless the subject's label is greater than or equal to the object's label (in the Bell-LaPadula model's simple security property) and that the subject's compartment set is a superset of the object's compartment set.
When troubleshooting labeling issues, you might observe that a user who is cleared for TOP SECRET and authorized for compartments "SAP A" and "SAP B" still gets access denied to a TOP SECRET document with only compartment "SAP A." This seems counterintuitive, but in Compartmented Security Mode, the user must also be authorized for every compartment on the system. If the system has a third compartment "SAP C" that the user is not authorized for, they cannot access even the documents in their authorized compartments. This is a frequent source of confusion and a prime exam scenario.
The infrastructure must also handle label integrity. If a user tries to create an object, the system must assign it a label that is dominated by the user's label. In Compartmented Security Mode, the user cannot declassify or downgrade objects. This is tested in the context of the Bell-LaPadula *-property (star property), which prevents write-down. The TCB must enforce that a subject can only write to objects at the same or higher security level. Compartmented Security Mode amplifies this because the compartments must match exactly or be a superset for reading, but for writing, the subject's compartment set must be a subset of the object's compartment set to prevent leaking data to a compartment the subject is not authorized for.
Cost and Performance Overhead of Compartmented Security Mode Deployments
Implementing Compartmented Security Mode introduces significant cost and performance overhead compared to other security modes. The primary cost drivers are administrative labor, specialized infrastructure, and reduced system efficiency. On the administrative side, every user must undergo a thorough background investigation to obtain the highest clearance level (e.g., TOP SECRET) and then receive formal compartment approval for every single compartment present on the system. This process is time-consuming and expensive, often requiring months of investigation and continuous periodic reinvestigations.
In a cloud environment such as AWS or Azure, the cost of implementing Compartmented Security Mode is compounded by the need to use multiple isolated accounts or VPCs to enforce strict compartment boundaries. Because most cloud-native services do not natively support compartment-level MAC at the granularity required by TCSEC, architects often resort to creating separate AWS accounts per compartment, using AWS Organizations to apply SCPs that restrict data movement between accounts. This increases compute, storage, and network costs because resources cannot be shared across compartments. For example, a single database server that could serve multiple compartments must be partitioned into separate RDS instances, each with its own KMS key and IAM policies.
Performance overhead is another critical factor. The TCB must mediate every access request, comparing labels on subjects and objects. This adds latency to every read and write operation. In high-throughput systems, this can become a bottleneck. The reference monitor must be implemented in hardware or hypervisor level (like AWS Nitro Enclaves) to achieve acceptable performance, but even then, the overhead of label checking can degrade throughput by 10-30% depending on the complexity of the compartment set.
The MS-102 and AZ-104 exams rarely go into this depth, but the CISSP and Security+ exams may ask about the trade-offs. A typical question might ask: "Which security mode provides the highest security but also incurs the highest cost and administrative burden?" The answer is Compartmented Security Mode. Another common exam focus is the cost-benefit analysis: Compartmented Security Mode might be mandated for systems processing Special Access Programs (SAP) or Sensitive Compartmented Information (SCI), where the cost of a data leak far outweighs the operational overhead.
From a deployment perspective, you might use cost management tools to track the expense of compartment isolation. For example, in AWS, you could use Cost Explorer with tags to see the spending per compartment account. The exam clue is that the high cost of Compartmented Security Mode leads organizations to prefer System High Mode when possible, but System High Mode does not provide the same level of compartment separation. The CISSP exam specifically tests the understanding that Compartmented Security Mode requires all users to be cleared for the highest confidential level in the system and formally approved for all compartments, which is more restrictive than System High Mode where users only need need-to-know for the data they access.
Another performance consideration is the TCB size. Compartmented Security Mode requires a smaller, more trusted TCB to minimize the attack surface. This often means using a formally verified separation kernel, which can be costly to license and maintain. The system must also undergo regular penetration testing and assurance evaluations, adding to the operational cost. These factors are why Compartmented Security Mode is reserved for the most sensitive government and military systems.
Trusted Computing Base and Security Kernel in Compartmented Security Mode
The Trusted Computing Base (TCB) is the totality of protection mechanisms within a computer system that is responsible for enforcing the security policy. In Compartmented Security Mode, the TCB must be especially robust because it must enforce mandatory access control (MAC) based on both hierarchical classification levels and non-hierarchical compartments. The security kernel is the core component of the TCB that implements the reference monitor concept. The reference monitor must satisfy three fundamental requirements: it must be tamper-proof (cannot be bypassed), always invoked (every access must pass through it), and small enough to be analyzed and verified.
In a Compartmented Security Mode system, the security kernel must maintain a security label for every active subject (process, user) and every object (file, memory segment, device). Each label contains a classification level and a set of compartments. The kernel enforces the Bell-LaPadula model's simple security property (no read up) and the *-property (no write down) but with the added complexity of compartments. For a read operation, the subject's classification level must be greater than or equal to the object's level, AND the subject's compartment set must contain all compartments present in the object's label. For a write operation, the subject's level must be less than or equal to the object's level, AND the subject's compartment set must be a subset of the object's compartment set. This is stricter than System High Mode, where compartment sets are not enforced at the kernel level but only through discretionary access controls.
The CISSP exam frequently tests the implications of Compartmented Security Mode on the TCB. One classic question is: "In which security mode does the TCB enforce mandatory access control based on both clearance and compartments?" The answer is Compartmented Security Mode. Another question might ask about the size of the TCB: because the TCB must handle compartment labels and enforce complex label comparisons, it tends to be larger than in Dedicated Security Mode, but it must still be as small as possible to allow formal verification. This creates a tension between functionality and verifiability.
In a cloud context, the TCB extends to the hypervisor, container runtime, and even the cloud provider's API layer. For example, in AWS, the Nitro hypervisor acts as part of the TCB for EC2 instances. If you are running a Compartmented Security Mode workload in a Nitro Enclave, the enclave's security kernel must enforce compartment separation. However, because cloud providers do not natively support custom compartment labels in their TCB, architects often rely on separate virtual machines or containers per compartment, which shifts the TCB boundary to include the operating system kernel of each VM. This increases the attack surface and makes formal verification difficult.
Troubleshooting issues with the TCB in Compartmented Security Mode often involve kernel bugs that allow bypassing label checks. For example, a memory corruption vulnerability in the security kernel could allow a user in one compartment to read data from another. The symptom might be that an unauthorized user sees data they shouldn't, or a process crashes when attempting to access a file. The explanation is that the kernel's reference monitor failed to enforce the compartment check. The exam clue is that the integrity of the TCB is paramount; any compromise of the security kernel leads to a complete loss of compartment separation.
Another common exam scenario involves the concept of the TCB audit trail. In Compartmented Security Mode, the TCB must log every access attempt, including successful and failed compartment checks. This audit trail is critical for forensic analysis. Administrators might observe that the audit log is missing certain compartment access events, which indicates that the security kernel was bypassed or the audit mechanism was compromised. The exam focuses on understanding that the TCB must be self-protecting, meaning that even the audit subsystem must be part of the TCB and cannot be modified by unauthorized subjects.
Troubleshooting Clues
Compartmented access denied despite correct clearance
Symptom: User with TOP SECRET clearance and explicit need-to-know for compartment A gets access denied to a file marked TOP SECRET//A.
In Compartmented Security Mode, the user must be formally approved for ALL compartments on the system. If the system has compartments A, B, and C, and the user is only approved for A, the system denies access even to A because the user lacks approval for B and C.
Exam clue: CISSP and Security+ exams use this exact scenario to differentiate Compartmented Mode from System High Mode.
Label mismatch between subject and object in TCB
Symptom: A process running with label SECRET//SAP cannot read a file labeled SECRET//SAP//NOFORN, even though both are SECRET.
The object's compartment set includes NOFORN, which is not in the subject's label. The TCB's reference monitor enforces that the subject's compartment set must be a superset of the object's compartment set for read operations.
Exam clue: Tests the Bell-LaPadula simple security property with compartments. Common in CISSP domain 4.
Improper downgrade attempt blocked in compartmented mode
Symptom: A user with label TOP SECRET//SAP cannot write a file to a folder labeled SECRET//SAP.
The *-property (no write down) prohibits a subject from writing to an object at a lower classification. Even though the compartments match, the classification level is lower, so the write is denied.
Exam clue: Security+ and CISSP ask about write-down prevention in MAC. This is a classic trick: compartments match but classification level does not.
Compartment labels not propagated to cloud resources
Symptom: In AWS, an S3 object tagged with compartment='SAP-A' is accessible to users who are not authorized for that compartment.
The IAM policy might be using resource tags but the condition is not enforced correctly, or the policy lacks a NotAction element to deny access if tags don't match. Compartmented Security Mode requires explicit deny logic.
Exam clue: AWS SAA and Security+ exams test tag-based access control. This scenario highlights misconfiguration of IAM conditions.
Audit log missing compartment access events
Symptom: During a security review, the audit log shows no entries for compartment B access attempts, but users have been operating in that compartment.
The audit subsystem might be configured to only log failures, not successes, or the TCB's audit mechanism was bypassed due to a bug or misconfiguration. In Compartmented Mode, all access events require auditing.
Exam clue: CISSP and CySA+ emphasize audit completeness. Missing events suggest a TCB compromise or misconfiguration.
Kubernetes network policy not isolating compartment namespaces
Symptom: Pods in namespace 'compartment-A' can communicate with pods in 'compartment-B' despite network policies intended to restrict traffic.
The network policy might be using podSelector instead of namespaceSelector, or the compartment labels are not applied correctly. In Compartmented Mode, all traffic must be denied by default except explicitly allowed.
Exam clue: AZ-104 and Security+ test Kubernetes network policies for compartment isolation. This is a common misconfiguration scenario.
SELinux policy prevents legitimate system processes from running
Symptom: After enabling compartment enforcement with SELinux, the Apache web server fails to start with a 'permission denied' error.
The default SELinux policy for Apache does not include the compartment label that the system requires. The administrator must create a custom policy module that maps Apache's type to the correct compartment.
Exam clue: CySA+ and CISSP test SELinux policy troubleshooting. This shows the overhead of implementing compartmented Mode at the OS level.
Memory Tip
Think "C.L.E.A.R. first, then C.O.M.P.A.R.T.M.E.N.T.", Clearance for the highest level, Compartment for need-to-know.
Learn This Topic Fully
This glossary page explains what Compartmented security mode means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
A formal security model that prevents users from reading information at a higher classification level than their own and from writing information down to a lower classification level.
Biba is a security model that uses a lattice-based system to enforce integrity, ensuring that data cannot be corrupted by unauthorized or less trustworthy subjects.
Brewer-Nash is a security model that prevents conflicts of interest by restricting access to data based on the user's past access history and organizational membership.
A security model that enforces data integrity by ensuring that only authorized, well-formed transactions change data, and that those changes are logged and controlled.
Cloud security architecture is the design and organization of security controls, policies, and technologies used to protect data, applications, and infrastructure in a cloud computing environment.
Common Criteria is an international standard (ISO 15408) that provides a common framework for evaluating the security features and capabilities of information technology products.
Quick Knowledge Check
1.In Compartmented Security Mode, what must every user possess before accessing the system?
2.A system processes data at SECRET level with compartments SAP, SI, and TK. User Alice has a SECRET clearance and is formally approved for SAP and SI only. She attempts to read a file labeled SECRET//SAP. What happens?
3.Which of the following is a key performance overhead of Compartmented Security Mode compared to System High Mode?
4.An administrator observes that a user with label SECRET//A is unable to write to a file with label SECRET//A//B. Which security property is being violated?
5.In a cloud environment implementing Compartmented Security Mode, which service is most critical for enforcing compartment isolation at the infrastructure level?
Summary
Compartmented security mode is a strict access control model that requires all users to have the highest level of security clearance and then adds an additional layer of authorization based on specific compartments or need-to-know. This model is defined in the TCSEC Orange Book and is implemented using the Bell-LaPadula mandatory access control rules. It is distinct from other security modes like multilevel, system-high, and dedicated, primarily because it combines hierarchical clearance with non-hierarchical compartment labels.
For IT certification learners, understanding this concept is critical for passing exams like CISSP, Security+, CySA+, and cloud-specific exams such as AWS SAA, Azure AZ-104, and Microsoft SC-900. In these exams, you will be asked to identify the security mode based on scenario descriptions, compare it to other modes, and apply its principles to real-world configuration questions. The key takeaway is to remember that compartmented security mode is about both clearance and need-to-know. A common exam trap is confusing it with multilevel security mode; always look for the phrase "need-to-know" or "specific project compartment" to identify it.
In practice, compartmented security mode is implemented using modern tools like sensitivity labels, group-based access policies, and cloud IAM conditions. It is relevant to any organization that needs to protect sensitive data by ensuring that even trusted users only see information they are specifically authorized to access. By mastering this concept, you will be better prepared to design, implement, and audit secure systems that uphold the principle of least privilege.