
Many who work regularly with classified data would be well served by a computer that is sensitive to the classification of data and can be trusted to follow the regulations for handling such data. The Orange Book describes operating system criteria presumably sufficient to ensure compliance with such regulations.

A worker is free to store paper documents of mixed classification together. It would be awkward if storing an unclassified document in a secret safe transformed the document into a secret one. If the worker uses different machines for different categories, it is somewhat like having different offices for different categories.

It would be highly convenient for the worker to talk to one machine about documents in different categories. One sort of valid activity that this enables is the transfer of information from one document to another in a higher category.

A general approach to this function is a front end to trusted data-holding objects that makes manifest the security category of the object. The front end would not allow operations that modified the object. It is necessary to trust the object to meet its specification: operations specified not to change the object must indeed not change it. If the object is trusted in this regard, it could as well be trusted to declare its own category.
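
A sketch of such a front end, added here as an illustration and not part of the original page: the names `Category`, `Document`, `FrontEnd` and `transfer` are assumptions, as is the two-level ordering. Refusing a transfer into a lower category is also an assumption standing in for the handling regulations.

```python
from enum import IntEnum

class Category(IntEnum):          # constructed ordering, low to high
    UNCLASSIFIED = 0
    SECRET = 1

class Document:
    """Trusted data-holding object that declares its own category."""
    NON_MODIFYING = frozenset({"read", "length"})  # per its specification

    def __init__(self, category, text=""):
        self.category = category
        self._text = text

    def read(self):
        return self._text

    def length(self):
        return len(self._text)

    def append(self, more):
        self._text += more

class FrontEnd:
    """Shows the object's category; forwards only non-modifying operations."""
    def __init__(self, doc):
        self.category = doc.category  # the object declares its own category
        def invoke(op, *args):
            if op not in doc.NON_MODIFYING:
                raise PermissionError(f"{op!r} could modify the object")
            return getattr(doc, op)(*args)
        self.invoke = invoke          # no direct reference to doc is stored

def transfer(source, dest):
    """Append the text behind front end `source` to Document `dest`."""
    if source.category > dest.category:
        raise PermissionError("transfer to a lower category refused")
    dest.append(source.invoke("read"))

if __name__ == "__main__":
    memo = Document(Category.UNCLASSIFIED, "meeting at noon")
    report = Document(Category.SECRET, "findings: ")
    transfer(FrontEnd(memo), report)
    print(report.read())
```

The front end is only as good as the `NON_MODIFYING` set the object publishes, which is the trust assumption the paragraph above describes.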