Operation HIGHMAST Validates ACP 240: The New Standard Powering Coalition Data Sharing
The HIGHMAST Challenge: When Networks Can’t Keep Up with Missions
“In the DOD, policy for a long time has been very network centric,” explains Tim Clayton, a former AWS senior solutions architect who led Mission Partner Environment efforts before joining Virtru. “If you think about networks like NIPR, SIPR, JWICS, these are classification based…anytime you need to cross data between them, you have to use some sort of cross-domain solution.”
For HIGHMAST commanders, this meant their forces were operating with one foot in the past and one in the future. They could use data-centric approaches for some operations—where classification traveled with the data itself, whether it was a PDF, a geospatial image, or a chat message. But legacy requirements forced them to maintain parallel network-centric systems for others.
The operational friction was palpable. As Dana Morris, Virtru’s head of product engineering and host of this Hash It Out episode, observed from the Brussels Mission Partner Environment Summit: “Their biggest frustration was just that they had to use their legacy network-centric systems for some aspects of their mission and the data-centric aspect for other parts.”
ACP 240: The Standard That Changes Everything
This is where ACP 240 enters the picture. Developed under the Combined Communications-Electronics Board within the Five Eyes alliance, ACP 240 represents a fundamental shift in how allied nations approach data security. Rather than relying on isolated networks to protect information, it embeds security directly into data objects using the Zero Trust Data Format (ZTDF).
“Everybody was talking about the same standard,” Morris recalled in the podcast discussion from his experience in Brussels. “ACP 240…describes data-centric interoperability as a concept, and it documents how the Trusted Data Format that Virtru is known for is a key part of that.”
The adoption has been remarkably swift. In just two years, ACP 240 has gone from concept to operational standard, driving innovation for not just Five Eyes nations, but also NATO and the U.S. Joint Chiefs of Staff. As Clayton noted during the Hash It Out conversation, “When NATO came out and said, hey, this is what we’re going to use as our standard. That’s a huge, huge green flag.”
From Standards Document to Operational Reality
What makes HIGHMAST significant isn’t just that it used ACP 240, it’s that it proved the standard works under real operational conditions. The carrier strike group successfully shared classified data across multiple command boundaries, with multiple allied partners, maintaining security while dramatically improving agility.
The technical implementation builds on Virtru’s Trusted Data Format (TDF), which serves as the foundation for ZTDF. This open standard approach means that whether data moves through email, file shares, or collaboration tools, the security policies travel with it. Classification isn’t determined by which network the data sits on, but by attributes embedded in the data itself.
“Data-centric security is kind of a key,” Clayton explains in his first appearance on Hash It Out. “It’s gonna unlock the ability to have data that exist in two systems that can have the data interact and have those users interact with the data, but the users don’t actually have to transit those network systems.”
This granular, object-level security provides several critical capabilities:
- Dynamic Access Control: Partners can be added or removed from data access in minutes, not months
- Insider Threat Protection: Data can only be decrypted by personnel with proper attributes, regardless of network access
- Audit Trail: Every interaction with protected data is logged and traceable
- Coalition Flexibility: New partners can join operations without rebuilding infrastructure
Building the Ecosystem for Tomorrow’s Missions
The success of HIGHMAST has catalyzed a growing ecosystem of defense technology partners building ACP 240-compliant capabilities. Companies like Everfox (a new Virtru partner) are integrating Virtru’s Data Security Platform into cross-domain solutions, while Pexip is incorporating data-centric security into secure video conferencing, all aligned with ACP 240 requirements.
This ecosystem approach is critical because, as the Brussels summit made clear, Mission Partner Environments are shifting from “experiments” to “mission support.” As discussed in detail on the podcast, General Stanton’s announcement that DISA would assume executive agency for MPE from the Air Force signals that data-centric security isn’t a future capability, it’s an operational requirement today.
The Indo-Pacific Imperative
As attention turns to the Indo-Pacific, where partners aren’t part of existing coalitions like NATO or Five Eyes, the lessons from HIGHMAST become even more critical. Indo-Pacific Command covers 50% of the world’s geography, and building effective partnerships there requires exactly the kind of dynamic, flexible data sharing that ACP 240 enables.
“A lot of those allies are not part of our traditional data sharing partners,” Clayton notes. The traditional approach of spending 6-12 months to establish secure networks simply won’t work when partnerships need to form and adapt at mission speed.
The 2027 timeline that pervaded discussions in Brussels represents what intelligence communities see as a critical inflection point. As Morris observed in the Hash It Out episode, there’s been a fundamental shift in priorities: “It used to be security and then agility. And I’ve seen in the last few years those words switched around. It’s agility and security.”
The Path Forward
Operation HIGHMAST has proven that ACP 240 isn’t just another standard. It’s the enabler for coalition operations in an era where mission partners change as quickly as the threat landscape. For military commanders asking, “Why can’t we just do it all with data centricity?”… The answer is increasingly: You can.
As we prepare for TECHNET INDOPAC this November, and explore these topics in depth on our Hash It Out podcast, the question isn’t whether to adopt ACP 240 and data-centric security. It’s how quickly defense organizations can implement it to meet the challenges ahead. The standard is proven. The technology exists. The ecosystem is building.
The only question remaining is whether we’ll move fast enough to meet the moment.