Bell-LaPadula Model

The Bell-LaPadula model is a formal security model developed for the US Department of Defense to enforce confidentiality in multilevel security systems. It defines access rules based on classification levels: no read up (a subject cannot read an object at a higher classification level) and no write down (a subject cannot write to an object at a lower classification level).

Bell-LaPadula focuses exclusively on confidentiality. The Biba model serves as its integrity counterpart. CISSP candidates are regularly tested on how these models complement each other and where their limitations lie, particularly because Bell-LaPadula does not address integrity at all.
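The two rules above can be expressed as a small access-decision function. The following is an added example, not part of the original entry; the four level names, the subjects and the objects are constructed for illustration. It also shows the integrity gap: a lower-level subject writing to a higher-level object is permitted.

```python
from enum import IntEnum


class Level(IntEnum):
    # Constructed four-level ordering; the page names no specific levels.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def decide(subject: Level, obj: Level, op: str):
    """Return (allowed, reason) for one access request under Bell-LaPadula."""
    if op == "read":
        if subject >= obj:
            return True, "read at or below clearance"
        return False, "no read up"
    if op == "write":
        if subject < obj:
            # Permitted by the model: confidentiality holds, but a lower-level
            # subject is modifying higher-level data (the integrity gap).
            return True, "write up allowed (integrity not checked)"
        if subject == obj:
            return True, "write at same level"
        return False, "no write down"
    raise ValueError(f"unknown operation: {op!r}")


# Constructed requests: (subject, subject level, object, object level, op)
REQUESTS = [
    ("analyst", Level.SECRET, "field_report", Level.CONFIDENTIAL, "read"),
    ("analyst", Level.SECRET, "war_plan", Level.TOP_SECRET, "read"),
    ("analyst", Level.SECRET, "press_release", Level.UNCLASSIFIED, "write"),
    ("clerk", Level.CONFIDENTIAL, "war_plan", Level.TOP_SECRET, "write"),
]


def evaluate(requests):
    """Apply decide() to each request and return one result row per request."""
    rows = []
    for who, s_lvl, what, o_lvl, op in requests:
        allowed, reason = decide(s_lvl, o_lvl, op)
        rows.append((who, op, what, "ALLOW" if allowed else "DENY", reason))
    return rows


if __name__ == "__main__":
    for row in evaluate(REQUESTS):
        print("{:8} {:5} {:14} {:5} {}".format(*row))
```

The last request is the case Biba's integrity rules would reject and Bell-LaPadula accepts.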

CISSP Relevance

Bell-LaPadula is covered in Domain 3 (Security Architecture and Engineering). CISSP candidates must understand it alongside Biba, Clark-Wilson, and Brewer-Nash, and be able to explain which security property each model addresses.

External reference: NIST Glossary Bell-LaPadula Model

Related terms: Mandatory Access Control, Data Classification