Military systems that process classified information must operate in a secure manner; that is, they must adequately protect information against unauthorized disclosure, modification, and withholding. A goal of current research in computer security is to facilitate the construction of multilevel secure systems, systems that protect information of different classifications from users with different clearances. Security models are used to define the concept of security embodied by a computer system. A single model, called the Bell and LaPadula model, has dominated recent efforts to build secure systems but has deficiencies. We are developing a new approach to defining security models based on the idea that a security model should be derived from a specific application. To evaluate our approach, we have formulated a security model for a family of military message systems. This paper introduces the message system application, describes the problems of using the Bell-LaPadula model in real applications, and presents our security model both informally and formally. Significant aspects of the security model are its definition of multilevel objects and its inclusion of application-dependent security assertions. Prototypes based on this model are being developed.
Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General--Security and protection; D.4.6 [Operating Systems]: Security and Protection--access controls; information flow controls; verification; F.3.1 [Logics and Meaning of Programs]: Specifying and Verifying and Reasoning about Programs--assertions; invariants; specification techniques; H.4.3 [Information Systems Applications]: Communications Applications--electronic mail