Brian Oppenlander, graduate student in human-computer interaction and design

Bell LaPadula Model (BLP)

No read up, no write down.

Advantage: This model is suited for military agencies, where information flows between different levels of classification (top secret, secret, confidential, unclassified). This model is used anywhere that the flow of information through the agency must be tightly controlled.

Disadvantage: This model addresses only the confidentiality of data, so it is not suitable on its own for agencies that must also protect the integrity of data.

Essentially, a user cannot read data that sits in a higher security class (a higher level). Information flows in only one direction: upwards. The model does not allow writing down to a lower level of clearance. By the high-water-mark principle, a user starts out at a low level of access; once the user advances into higher clearances, they are restricted from writing at lower clearance levels. Not being able to write down can prevent people from doing useful operations within the system. It is difficult to truly restrict information flows in a system, and covert channels have indeed been a serious concern. Eliminating covert channel flows from a system is hard, and in practical settings not all illegal information flows can be restricted.
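The two rules and the high-water-mark behaviour described above, as an added example that is not part of the original post: a toy reference monitor over the four levels the post names. The subject and object names ("alice", "memo", "plan") are constructed for illustration.

```python
# Added example (not from the original post): a minimal Bell-LaPadula reference
# monitor with a high-water-mark subject level. The four levels are the post's;
# subject and object names are constructed for illustration.
from dataclasses import dataclass

LEVELS = ["unclassified", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class Subject:
    name: str
    clearance: str                 # highest level the subject may ever reach
    current: str = "unclassified"  # high water mark: starts low, only rises

@dataclass
class Obj:
    name: str
    level: str

def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up (object level <= clearance)."""
    return RANK[o.level] <= RANK[s.clearance]

def can_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down (object level >= subject's current mark)."""
    return RANK[o.level] >= RANK[s.current]

def read(s: Subject, o: Obj) -> str:
    """Mediate a read, then float the subject's mark up to the object's level."""
    if not can_read(s, o):
        raise PermissionError(f"{s.name} may not read up to {o.level}")
    if RANK[o.level] > RANK[s.current]:
        s.current = o.level  # the mark never comes back down
    return o.name

def demo() -> dict:
    """The post's scenario: a low mark rises on read and then blocks write-down."""
    alice = Subject("alice", clearance="secret")
    memo = Obj("memo", "unclassified")
    plan = Obj("plan", "secret")
    ts = Obj("ts-file", "top secret")
    out = {"write_low_before": can_write(alice, memo),  # True: mark still low
           "read_up": can_read(alice, ts)}              # False: no read up
    read(alice, plan)                                   # mark rises to secret
    out["mark_after_read"] = alice.current              # "secret"
    out["write_low_after"] = can_write(alice, memo)     # False: no write down
    out["write_same_level"] = can_write(alice, plan)    # True
    return out
```

The monitor only mediates explicit reads and writes; as the post notes, covert channels (timing, resource contention) are outside what a check like this can see.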
