Multiple Independent Levels of Security

Multiple Independent Levels of Security/Safety (MILS) is a high-assurance security architecture based on the concepts of separation[1] and controlled information flow.

It is implemented by separation mechanisms that support both untrusted and trustworthy components, ensuring that the total security solution is non-bypassable, evaluatable, always invoked, and tamperproof.

A MILS solution allows for independent evaluation of security components and trusted composition.

'Trustworthy' means that the component has been certified to satisfy well-defined security policies to a level of assurance commensurate with the level of risk for that component (e.g., we can have single-level access control guards evaluated at CC EAL4; separation mechanisms evaluated at High Robustness; two-level separation guards at EAL5; and TYPE I crypto, all in the same MILS system).

'Untrusted' means that we have no confidence that the system meets its specification with respect to the security policy.
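
As an added illustration (not part of the original article and not taken from any MILS product), the sketch below models a flow policy as a directed graph of partitions and checks the non-bypassable property: every permitted flow from a source partition to a destination must pass through a trustworthy guard. The partition names, trust labels and both policies are constructed for the example.

```python
from collections import deque

def bypass_path(policy, trust, src, dst):
    """Return one src->dst path that avoids every trustworthy component,
    or None if all flows are mediated (the policy is non-bypassable)."""
    # Components labelled trustworthy act as guards; the endpoints never count.
    guards = {p for p, t in trust.items() if t == "trustworthy"} - {src, dst}
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        for nxt in sorted(policy.get(node, ())):
            if nxt in seen or nxt in guards:
                continue  # already visited, or flow would be mediated
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

# Constructed trust labels: only the guard has been evaluated.
TRUST = {
    "high_app": "untrusted",
    "net_stack": "untrusted",
    "guard": "trustworthy",
    "low_app": "untrusted",
}

# Weak policy: net_stack is allowed to talk to low_app directly,
# so high_app can reach low_app without the guard being invoked.
WEAK_POLICY = {
    "high_app": {"guard", "net_stack"},
    "guard": {"low_app"},
    "net_stack": {"low_app"},
    "low_app": set(),
}

# Corrected policy: the only channel into low_app comes from the guard.
FIXED_POLICY = {
    "high_app": {"guard", "net_stack"},
    "guard": {"low_app"},
    "net_stack": set(),
    "low_app": set(),
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        path = bypass_path(policy, TRUST, "high_app", "low_app")
        print(name, "->", "bypass via " + " -> ".join(path) if path else "non-bypassable")
```
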