This document provides a guidance as to the formulation of security models for trusted systems at all levels of trust. It helps the developer understand the essential concepts of security modeling, as well as expected content for the model. This document provides guidance on the construction, evaluation, and use of security policy models for automated in formation systems (AIS) used to protect sensitive information whose unauthorized disclosure, alteration, loss, or destruction must be prevented. In this context, sensitive information includes classified information as well as unclassified sensitive information.