Interoperability

Coalition web services API gateway: managing cross-national service integration

By Corvus Intelligence Engineering Team · About the team →

June 25, 2026 11 min read

An API gateway is the first architectural decision most organizations reach for when they need to manage access to a portfolio of web services. In an enterprise, that decision is relatively contained: one corporate identity provider, a shared PKI, a common policy engine, and a network perimeter the organization controls. In a coalition of sovereign nations, every one of those foundations is missing. Each partner brings its own PKI, its own identity provider, its own data classification regime, and its own legislative constraints on what its systems may share and with whom. The API gateway that works for a single enterprise is not the API gateway that works for a 10-nation coalition operating under three overlapping data-sharing agreements.

This article examines the specific engineering decisions that make a coalition API gateway production-ready: federated authentication across national PKIs, versioning policies that respect sovereign upgrade autonomy, schema translation between heterogeneous national formats, rate limiting that can accommodate operational surges, audit trails that satisfy data sovereignty requirements, and deployment topologies that balance resilience against policy complexity. The coalition data sharing challenges that motivate this architecture are treated in depth separately; this article focuses on the gateway layer that addresses them.

Why coalition API management is harder than enterprise API management

The enterprise API gateway problem is well understood: authenticate callers against a corporate directory, enforce rate limits by client application, route to backend services, log access for compliance. The coalition version of this problem differs in every dimension that matters.

The most fundamental difference is the trust model. An enterprise gateway trusts one identity provider — typically an Active Directory or cloud IdP the organization controls. A coalition gateway must trust multiple independent identity providers that the gateway operator did not build, does not control, and cannot compel to change. When Nation A's identity provider issues a credential and Nation B's gateway must decide whether to honor it, that decision cannot be delegated to a shared authority, because no shared authority exists. Every trust relationship must be explicitly established and maintained bilaterally.

The second difference is authorization policy. An enterprise policy engine evaluates a user's role against a resource's required role — a relatively flat, organization-defined mapping. A coalition policy engine must evaluate the intersection of a user's nationality, clearance level, and role against a resource's classification label, its owning nation, and the set of nations to which it is releasable under the applicable data-sharing agreement. The same resource may be accessible to one partner nation's users and blocked to another's, depending on bilateral agreements that exist outside the gateway's codebase.

The third difference is operational tempo. An enterprise gateway can be taken down for maintenance. A coalition gateway supports operations that may be running around the clock, and its consumers are sovereign systems operated by nations that cannot be compelled to wait. Downtime is not a scheduled event — it is an operational incident with potential mission impact. This means the gateway must achieve high availability without the maintenance windows that enterprise systems assume.

Versioning adds a further dimension. An enterprise can mandate that all internal consumers upgrade within a fixed window. Coalition consumers are sovereign programs with their own acquisition cycles, national approval processes, and engineering constraints. A deprecation that gives an internal team 90 days might require 36 months for a partner nation's national system. The gateway must support heterogeneous API versions concurrently for extended periods.

Federated identity and authentication

Federated identity in a coalition environment means accepting credentials from national identity providers that the gateway does not operate, using trust relationships established through technical and bilateral agreement rather than shared infrastructure. The two primary protocols are SAML 2.0 for browser-based and system-to-system federation across national PKIs, and OAuth2/OIDC with JWT for service-to-service authentication in Federated Mission Networking deployments.

SAML 2.0 federation begins with metadata exchange. Each participating nation's Identity Provider publishes a metadata document that includes its signing certificate (anchored in the national PKI), its SSO endpoints, and the NameID formats it supports. The gateway imports each partner's metadata and maintains it as the basis for validating assertions from that partner. When a user from Nation A authenticates and requests a coalition service, Nation A's IdP issues a SAML assertion signed with its national certificate; the gateway validates the assertion signature against the certificate in Nation A's metadata, extracts the asserted attributes (clearance level, nationality, roles, releasability authorizations), and maps them to the gateway's internal identity model.

The attribute mapping step is where much of the integration work lives. Each nation expresses identity attributes in its own schema — one nation's clearance attribute might be a structured code from its national security framework; another's might be a plain string. The gateway's identity broker must normalize these into a common attribute vocabulary before the authorization policy engine can evaluate them consistently. Establishing the attribute mapping for each partner nation is a bilateral technical negotiation, not a configuration task.

For JWT-based authentication, the gateway maintains a multi-issuer key registry. On receiving a JWT, the gateway extracts the iss claim, retrieves the corresponding JWKS from its registry (with a short cache TTL to handle key rotation), validates the signature, and then evaluates coalition-specific claims. Standard JWT claims (exp, nbf, aud) are checked first; the aud must match the gateway's configured audience to prevent token reuse across services. The audience check is particularly important in a coalition where a token issued for one nation's service should not be accepted by another's.

Mutual TLS operates beneath the authentication layer, at the connection level. Every system-to-system connection between national systems uses mTLS: both client and server present certificates, and both validate the counterpart's certificate against their trust store. The trust store contains the CA roots for each partner nation's PKI — not blanket trust in each CA, but scoped trust for the specific entity identifiers representing that nation's authorized gateway systems. A cross-coalition mTLS trust store is a carefully maintained inventory, not a catch-all CA bundle. See our companion article on REST API design for NATO C2 for how authentication requirements flow into API contract design.

API contract versioning for multinational programs

API versioning in a coalition environment is a governance problem as much as a technical one. The technical mechanism is straightforward — URI-based major versioning with header-based minor negotiation — but the policy around it determines whether partners can actually operate on different versions without service disruption.

The starting point is a semantic versioning policy applied to the API contract. A MAJOR version increment signals a breaking change: a field removed, a field renamed, a validation rule tightened, an authentication mechanism changed. A MINOR increment signals backward-compatible additions: a new optional field, a new endpoint, a new filter parameter. A PATCH increment signals non-functional changes: documentation corrections, performance improvements that do not alter the response. The policy must define precisely what constitutes a breaking change, because the definition determines when a new major version is required and when an existing version's consumers must migrate.

The coalition-specific complication is that breaking changes in the API contract may be forced by updates to the underlying NATO data standards the API serves. A new version of the MIP4 Information Exchange Data Model may add mandatory fields, rename existing ones, or change code list values. These changes are not under the gateway operator's control — they are set by the standardization body — but their impact on consumers is the same as any API breaking change. The versioning policy must account for standards-driven breaks separately from programme-driven breaks, because the migration timeline for a standards change depends on when each partner nation's system is certified against the new standard version, which may be outside anyone's control.

Backwards-compatibility obligations must be encoded in the programme's legal framework, not just its technical documentation. A partner nation's system integrator needs contractual certainty that version N-1 will remain available for a defined period after version N is released, so they can plan the migration without operational risk. The typical commitment for a coalition programme is 24–36 months of parallel support for a deprecated major version, though sovereign programmes with long acquisition cycles may require longer. Announcing the deprecation timeline through the federated service registry — so all registered consumers receive the notification — is the minimum distribution requirement.

Schema evolution discipline is enforced at the gateway's schema validation layer. Payloads that do not conform to the declared version's schema are rejected at the boundary, not silently accepted and partially processed. This strict enforcement prevents the schema drift that erodes interoperability over time: optional fields omitted here, code lists extended there, until the payload the gateway serves no longer validates against the schema the standard defines.

Schema and protocol translation at the gateway

Coalition environments accumulate heterogeneous data formats across decades of national procurement decisions. A gateway that can only accept a single canonical format is not a coalition gateway — it is a demand for all partners to implement that format, which is rarely politically or technically feasible. The alternative is translation at the gateway layer: accept each partner's native format and translate to the service's canonical representation, or translate from the canonical representation to each consumer's required format on egress.

The most common translation pair in coalition land operations is NATO Friendly Forces Information (NFFI) to Cursor on Target (CoT). Both formats represent friendly unit position, identity, and status, but they differ in schema structure, coordinate conventions, entity identity encoding, and the metadata fields they carry. NFFI is an XML format anchored in a structured unit identity model that references a force structure database; CoT is a simpler XML format with a flat uid string and a looser entity model. The translation proceeds field by field — NFFI position elements to CoT lat/lon/hae attributes, NFFI unit identity codes to a stable, reversible CoT uid encoding, NFFI classification metadata to CoT extension elements — but the details of each mapping require careful review against both format specifications, because apparent similarities conceal semantic differences that produce incorrect data if not handled explicitly.

Legacy national systems frequently speak XML while modern coalition services expect JSON. The gateway's XML-to-JSON translation must handle the structural impedance mismatch: XML attributes versus JSON properties, XML's ordered element sequences versus JSON's unordered object properties, XML's namespace prefixes versus JSON's flat key space, and XML's mixed content (text nodes and child elements interleaved) which has no direct JSON equivalent. A naive XML-to-JSON converter produces structurally valid JSON that is semantically wrong for schemas that rely on these distinctions. The translation layer must implement the schema-aware mapping, not a generic format conversion.

Content negotiation at the gateway allows a single resource to serve multiple format variants. A client that can consume NFFI XML sends an appropriate Accept header; a client that requires CoT XML sends another. The gateway routes each request to the translation pipeline matching the requested content type, so the backend service exposes a single canonical representation and the format translation burden stays at the gateway boundary. This keeps the backend services simple and makes adding a new consumer format a gateway configuration change rather than a backend development task.

The broader patterns for coalition API gateway design in the context of data sharing are covered in our API gateway for coalition data sharing guide, which addresses the policy and access control layers alongside translation.

Rate limiting and quota management for coalition APIs

Rate limiting in a coalition gateway serves a different purpose than in an enterprise gateway. In an enterprise, rate limiting primarily prevents a malfunctioning or abusive internal client from degrading service for other consumers. In a coalition, rate limiting also encodes the resource allocation agreements between nations: the capacity of shared gateway infrastructure is a programme resource, and each nation's entitlement to that capacity is a programme-governance decision.

The quota structure is a hierarchy. At the top level, the gateway has a total throughput capacity defined by its infrastructure deployment. That capacity is divided into per-nation allocations, each nation's allocation is further divided into per-endpoint-category sub-limits (read operations typically allowed higher rates than write operations, and track queries higher than order submissions), and burst allowances are defined on top of the steady-state limits.

Burst allowances matter operationally. Tactical operations produce bursty access patterns: a unit's COP system may be idle for an hour and then issue 500 track queries in 30 seconds as a situation develops. A rate limiter that applies a strict per-minute average will throttle legitimate operational traffic while allowing a steady low-rate drain that is less operationally significant. The standard pattern is a token-bucket or leaky-bucket algorithm with a burst capacity several times the steady-state rate and a replenishment rate equal to the steady-state limit, giving each nation the ability to absorb short bursts without accumulating debt that throttles subsequent requests.

Profile	Steady-state rate	Burst ceiling	Burst window
Default (peacetime)	200 req/min per nation	600 req/min	90 s
Exercise operational	400 req/min per nation	1 200 req/min	120 s
Degraded mode	80 req/min per nation	160 req/min	30 s

Operational profiles allow the gateway operator to switch between rate-limit configurations in response to declared operational states. Before a major exercise, the operator switches to the exercise profile, elevating burst ceilings to accommodate the higher-than-usual activity of all participating nations simultaneously. If gateway or upstream capacity becomes constrained — a backend service is degraded, a network path is reduced — the operator switches to the degraded profile, which applies lower limits uniformly and activates traffic shedding for non-critical endpoint categories (historical data queries, administrative calls) while protecting mission-critical endpoints (real-time track updates, task submission).

Per-nation rate-limit telemetry must be visible to gateway operators in real time. A dashboard showing each nation's current consumption versus its quota, burst token depletion rate, and throttled-request count is essential during exercises and operations. Without visibility, a partner nation that is being throttled cannot distinguish a rate-limit event from a service outage, and the gateway operator cannot distinguish a misconfigured national system from legitimate operational demand.

Operational audit trails for cross-national data access

Every access to classified coalition data through the gateway must be recorded in an audit trail that can reconstruct the full chain of custody: who accessed what, from which nation, at what time, under what authorization, and with what result. This is not a compliance checkbox — it is the operational evidence base for classification incidents, data sovereignty disputes, and insider threat investigations.

The minimum audit record for each request includes: the request timestamp in UTC to millisecond precision; the authenticated identity of the requestor (nation identifier, user or system identifier, the credential type used); the full resource URI and HTTP method; the classification label of the data returned (or the label of the most sensitive resource in a collection response); the access control decision (permit or deny) and the specific policy rule that produced it; the HTTP response status code; and the volume of data transferred in bytes. These fields are the minimum chain of custody. They answer the core questions of a classification incident — what classified data did this nation's user access, and was the access authorized?

Beyond the minimum, coalition agreements may require recording the specific resource identifiers returned in a collection response (for high-classification resources), the session token identifier linking multiple requests in a session, and the network address of the originating system (for attribution). The decision about which fields to record at which classification level is a bilateral or multilateral policy decision that must be made before the gateway goes live, not retrofitted after the first incident.

Data sovereignty implies that each nation's audit records for its own data are accessible to that nation's security officers and to no one else. The audit log must be partitioned by data-owning nation (for records of who accessed data labeled as owned by that nation) and by accessing nation (for records of what data that nation's users accessed). Providing each nation's security team access to the relevant partition, while preventing access to other nations' partitions, requires careful role-based access control on the audit log storage itself.

Tamper-evident audit logs are standard practice: append-only writes, cryptographic chaining of log records, and periodic export to write-once storage. The retention period is defined in the coalition's information security policy, typically 7–10 years for classified data access records. Log integrity must be verifiable: a security officer who retrieves a three-year-old audit record must be able to confirm it has not been altered since it was written.

Gateway deployment patterns: centralized vs federated gateway topology

The deployment topology of the coalition API gateway determines its resilience, its policy consistency, and the operational burden of maintaining it. Three patterns cover the realistic design space: a centralized gateway hosted at the coalition headquarters node, a per-nation gateway at each national boundary, and a gateway mesh that combines elements of both.

The centralized topology, typically hosted at a Combined Air Operations Center or coalition headquarters, concentrates all policy enforcement and routing at a single node. All coalition API traffic flows through it. The advantages are operational simplicity: one gateway to configure, one audit log to monitor, one place to update authorization policy. The disadvantages are equally clear: the central gateway is a single point of failure and a traffic choke point. Nations geographically distant from the central node see higher latency on every API call, and a gateway outage affects the entire coalition simultaneously.

The per-nation topology places a gateway at each national boundary. Each nation's gateway enforces policy for outbound requests from its systems and for inbound requests to its services. Traffic stays within a nation's network until it crosses the coalition boundary, where it is mediated by the destination nation's gateway. The resilience advantage is clear: a failure at one national gateway affects only that nation. The disadvantages are policy synchronization and audit log correlation. Every gateway must enforce the same authorization policy, and policy updates must propagate to all national gateways before taking effect — a distributed coordination problem that is non-trivial when the update is a response to a security incident requiring immediate enforcement.

The gateway mesh pattern deploys per-nation gateways that peer with each other over a dedicated management plane, sharing a synchronized policy store. Policy changes propagate through the mesh to all nodes, typically with a convergence time measured in seconds. Audit logs from all nodes are aggregated into a central store without requiring all traffic to flow through that store. The mesh gives most of the resilience benefits of the per-nation topology while maintaining the policy consistency of the centralized model, at the cost of the most complex operational model: the mesh control plane itself must be highly available, and its failure mode must be explicitly designed (fail-open or fail-closed).

Most large coalition programs end up with a hybrid: a central gateway at the coalition level for services that are genuinely coalition-shared (common operational picture access, joint tasking), and per-nation gateways acting as enforcing proxies for national services that are exposed selectively to coalition partners. The central gateway handles the multi-tenant policy complexity for shared services; the national gateways keep national system integration under national control. The design decision is which services belong in each tier, and that decision is as much a political and governance question as a technical one.

Key insight: The coalition API gateway is not a product — it is an architecture that must be configured, bilaterally negotiated, and operationally validated with every participating nation. The technical components (identity broker, policy engine, schema translation pipelines, rate limiter, audit store) are available in commercial and open-source API gateway platforms, but the coalition-specific configuration of each component requires bilateral technical agreements that cannot be automated. The engineering investment is substantial, but it is the only alternative to point-to-point national integrations that scale combinatorially with the number of partner nations.

Build coalition-ready API integration into your defense system

Corvus Intelligence builds interoperability layers for multinational defense programs — federated identity integration, schema translation pipelines, and ABAC policy engines aligned with Federated Mission Networking requirements.

Explore Corvus HEAD → Book a Briefing

This analysis was prepared by Corvus Intelligence engineers who design and implement API integration layers for multinational defense programs. Learn about our team →

Frequently Asked Questions

Why is coalition API management harder than enterprise API management?

Enterprise API management operates within a single organization's trust boundary: one identity provider, one PKI, one policy engine, one network perimeter. Coalition API management removes every one of those shared foundations. Each partner nation brings its own PKI, its own identity provider, its own classification policy, and its own data sovereignty requirements. There is no single administrative authority that can mandate changes to all consumers — a nation's sovereign system cannot be forced to upgrade on another nation's schedule. Operational tempo requirements add a further constraint: the gateway must remain available and performant during high-intensity operations, often over degraded coalition links, without the luxury of maintenance windows. The combination of multi-tenant trust, absent shared infrastructure, sovereign autonomy, and unrelenting operational availability requirements makes coalition API management qualitatively harder than even the most complex enterprise environment.

How does SAML 2.0 federation work across national PKIs in a coalition environment?

In a coalition environment, each nation operates its own Identity Provider (IdP) anchored to its national PKI. SAML 2.0 federation is established by exchanging metadata between each national IdP and the coalition Service Provider — in this case, the API gateway. The metadata exchange includes each IdP's signing certificate, endpoints, and supported NameID formats. When a user from Nation A authenticates and requests a coalition service, Nation A's IdP issues a SAML assertion signed with its national certificate; the gateway validates the assertion signature against the trusted certificate in Nation A's metadata and maps the incoming attributes (clearance, nationality, roles) to the gateway's internal authorization model. The federation trust is bilateral: each nation configures its IdP to trust assertions from other coalition IdPs for cross-domain flows, but the gateway maintains a whitelist of trusted IdP entity IDs and rejects assertions from unknown issuers. Cross-certification of national PKIs (each nation's root CA is imported into the gateway's trust store) underpins the whole chain.

How should a coalition API gateway handle JWT token validation?

A coalition API gateway that accepts JWTs must validate tokens from multiple issuers, each with its own signing key material. The gateway maintains a multi-issuer JWKS (JSON Web Key Set) registry, keyed by the issuer claim in the JWT. On receiving a token, the gateway extracts the issuer (iss), retrieves the corresponding JWKS endpoint or cached key set, validates the signature, and then evaluates the standard claims (exp, nbf, aud). The audience claim must match the gateway's configured audience value — tokens issued for one coalition service must not be accepted by another. Beyond standard JWT validation, the gateway must evaluate coalition-specific claims: the presenting nation's identifier, the user's clearance level, and nationality-based releasability attributes. Key rotation from partner IdPs must be handled gracefully, with short-lived JWKS cache TTLs and fallback re-fetch on unknown key IDs, to avoid service disruption when partners rotate their signing keys.

What is the right API versioning policy for a multinational defense program?

Multinational defense programs require a versioning policy that accommodates the sovereign upgrade autonomy of partner nations — you cannot force all consumers to migrate on a single schedule. The recommended approach combines URI-based major versioning (breaking changes increment /v1/ to /v2/) with header-based minor version negotiation for backward-compatible additions. The key policy decisions are: how long a deprecated major version is supported after the successor is released (typically 24–36 months for sovereign programs), how partners are formally notified of deprecation (via the federated service registry and bilateral communication), and what constitutes a breaking change (removing or renaming fields, tightening validation, changing authentication requirements). The gateway must route requests to the correct backend version based on the URI, and must be able to run multiple major versions concurrently during transition windows. Breaking changes driven by updates to underlying NATO standards must be coordinated through the programme's configuration management board before any version is deprecated.

How does schema translation between NFFI and Cursor on Target work at the gateway?

NATO Friendly Forces Information (NFFI) and Cursor on Target (CoT) are structurally similar — both describe the position, identity, and status of a friendly unit — but differ in schema, coordinate conventions, and entity model. Translation at the gateway proceeds field by field: the NFFI unit identity section maps to CoT uid and group attributes; NFFI position elements (in a NFFI-specific geodetic scheme) map to CoT lat/lon/hae attributes; NFFI speed and heading map to CoT track sub-element attributes. Entity identity requires special handling: NFFI uses a structured unit identifier referencing a force structure database, while CoT uses a free-form uid string, so the translation layer must generate a stable, reversible uid encoding that preserves the NFFI entity reference. Classification caveats carried in NFFI metadata must be re-encoded as CoT detail extensions so they survive the translation and can be evaluated by the receiving system's access control layer. The translation is lossy in both directions — each format carries fields the other does not — so the gateway logs the dropped fields for audit.

How should per-nation rate limits be structured in a coalition API gateway?

Per-nation rate limiting is structured as a quota hierarchy: a total gateway capacity ceiling, per-nation quotas allocated from that ceiling, and per-endpoint sub-limits within each nation's quota. The per-nation quota reflects the nation's expected operational demand and its share of the programme's infrastructure cost allocation. Standard configuration separates steady-state request rates from burst allowances: a nation might be allocated 200 requests per minute in steady state but permitted to burst to 600 for up to 90 seconds, accommodating bursty tactical access patterns without exhausting shared capacity. During declared exercises or operations, the gateway applies a pre-configured operational profile that relaxes steady-state limits or elevates burst ceilings for the duration. Degraded-mode throttle policies define reduced limits for when gateway or upstream capacity is constrained, shedding non-critical traffic gracefully while protecting mission-critical endpoints.

What must a coalition API gateway record for cross-national data access audit trails?

A coalition API gateway's audit trail must record, at minimum: the timestamp of the request (UTC, millisecond precision); the authenticated identity of the requestor (nation, user or system identifier, credential type); the resource URI and HTTP method; the classification label of the data returned; the access control decision (permit or deny) and the policy rule that produced it; the response status code; and the volume of data transferred. These fields are the minimum chain of custody for classification incidents. Beyond the minimum, coalition agreements may require recording the session token identifier, the network address of the originating system, and the specific data elements returned for high-classification resources. Audit records must be tamper-evident, retained for the period specified in the coalition's information security policy (typically 7–10 years), and partitioned so each nation's security officers can access records of their nation's activities without seeing other nations' access logs.

What are the trade-offs between a centralized CAOC-hosted gateway and a per-nation gateway topology?

A centralized gateway hosted at the CAOC or coalition headquarters offers a single point of policy enforcement, a unified audit log, and simpler service discovery — all consumers know where the gateway is, and policy changes deploy once. The trade-offs are a single point of failure, a choke point for all coalition traffic, and latency for nations geographically distant from the central node. A per-nation gateway topology distributes enforcement to each nation's boundary, eliminating the central choke point and keeping traffic local until it crosses the coalition boundary. The trade-offs are policy synchronization complexity and fragmented audit logs. A gateway mesh — per-nation gateways that peer and share a synchronized policy store — captures most of the resilience benefits of the distributed topology while maintaining policy consistency, at the cost of the most complex operational model. Most large coalition programs use a hybrid: a central gateway for coalition-shared services and per-nation gateways as enforcing proxies for national services exposed to the coalition.

How does mutual TLS between national systems differ from standard enterprise TLS?

Standard TLS in enterprise environments typically uses one-way server authentication: the client validates the server's certificate but presents no certificate of its own. Mutual TLS (mTLS) requires both parties to present and validate certificates, establishing cryptographic proof of identity at the connection layer. In a coalition environment, mTLS is complicated by the absence of a shared PKI: the client certificate is issued by Nation A's national CA, and Nation B's gateway must be configured to trust Nation A's CA root — but only for the specific entity identifiers representing Nation A's authorized systems, not blanket CA trust. This requires each gateway to maintain a carefully curated trust store. Certificate revocation must be handled across PKI boundaries — CRL and OCSP endpoints for partner CAs must be reachable from the gateway, or revocation information distributed through a coalition trust management service. Key and certificate lifecycle events at one nation must be communicated to all partners with sufficient lead time to update trust stores before the old certificate expires.

How are data sovereignty constraints enforced at the coalition API gateway layer?

Data sovereignty enforcement means ensuring that data owned by one nation cannot be accessed by another nation beyond the terms of their data-sharing agreement. The gateway enforces this through attribute-based access control (ABAC) and data labeling. Each data resource carries a sovereignty label identifying the owning nation and the set of nations authorized to access it. The gateway's policy engine evaluates every request against these labels: a resource labeled as owned by Nation A and releasable to Nations B and C is accessible to authenticated users from B and C but blocked for all others. Aggregation is a separate concern: a series of individually authorized queries that together reveal information the source nation did not intend to share requires query-level controls — access frequency limits, query-scope restrictions, or mandatory data minimization on collection responses. Sovereignty audit trails (who from which nation accessed which nation's data) are maintained separately and shared with the owning nation on request.