
Exercise: Defense-Grade Air-Gapped MCP

defense | advanced | 60 min

Design a multi-level security (MLS) architecture for MCP in an air-gapped environment.

Scenario

Joint Special Operations Command (JSOC)

JSOC is deploying a local intelligence synthesis platform in a forward-deployed tactical environment. The system must provide AI-assisted analysis of multiple intelligence feeds while maintaining strict physical and logical separation between classification levels.

Current Identity Infrastructure:

  • Hardware-based PKI (CAC/PIV cards)
  • Local LDAP/Active Directory within each classification enclave
  • No connection to external identity providers

Key Challenges:

  • Large Language Models (LLMs) must run entirely on local GPU hardware.
  • Analysts at different clearance levels need to call the same set of analytical tools, but those tools must only access data appropriate for the user's current session enclave.
  • Audit logs must be aggregated to a secure security information and event management (SIEM) system across enclaves.

Constraints

  • No internet connectivity (air-gapped)
  • Must support UNCLASSIFIED, SECRET, and TOP SECRET data streams
  • Cross-domain solution (CDS) required for data movement
  • Must comply with NIST 800-171 / CMMC Level 5

Your Task

Propose a technical architecture for JSOC's air-gapped MCP deployment. Address the challenges of multi-level security and local inference.

Address these aspects:

  • Local LLM deployment strategy
  • Enclave-based MCP server architecture
  • Multi-level security (MLS) mapping for MCP permissions
  • Cross-domain audit log aggregation

Your Response

200-600 words