The assurance argument that a trusted system satisfies its information security requirements must be convincing, because the argument supports the accreditation decision to allow the computer to process classified information in an operational environment. Assurance is achieved through understanding, but some evidence that supports the assurance argument can be difficult to understand. This paper describes a novel application of a technique, called literate programming [11], that significantly improves the readability of the assurance argument while maintaining its consistency with formal specifications that are input to specification and verification systems. We describe an application of this technique to a simple example and discuss the lessons learned from this effort.