This dissertation shows that information assurance properties can be both specified within a formal model of systems to which the properties are applied using the same formal theory for modeling, specification, and reasoning and enforced in such a way that enforcement is performed consistently across multiple, heterogeneous nodes and organizational domains while retaining the semantics of the formal model. The properties, referred to as security policies, can be specifically enforced at the operating system level and are constructed in such a way that automated reasoning mechanisms derive lower abstraction layer properties from higher semantic levels specified by administrative personnel based on the formal abstract model and interpretations thereof. Moreover, operations to be performed are permitted based on proofs obtained within the formal model while required operations are also derived within the model. To permit the consistent enforcement of an arbitrarily large set of security policies and scalability across large organizations and networks, externally controlled reference monitors and external reference monitors are introduced which control layered enforcement mechanisms that can be implemented both in systems constructed ab initio and as an add-on to existing, particularly commercially available operating systems even if no source code is available for modification to ease the transition to secure systems while permitting mission fulfillment based on legacy systems. These aspects are demonstrated using the Microsoft Windows 2000 operating system as an example. Enforcement mechanisms are described using the reference interpretation including modification and augmentation of file system and network protocol stack behavior along with the implicit benefits derived from the use of these enforcement mechanisms. Specifically, the implementation of dynamic distributed network firewalling and intrusion detection as well as multilevel security capabilities under the control of consistent policies are discussed. For this purpose the suitability of the framework for modeling multisensor data fusion as applied to intrusion detection is discussed. To demonstrate the capabilities of the layered enforcement system for application-specific domains, the use of visible and invisible labeling mechanisms for hard copy output is furthermore discussed.