The Romulus Report describes the Romulus Computer Security Properties Modeling Environment. Romulus is an environment and methodology for the modeling, analysis, and verification of trusted computer systems, together with supporting tools. The Romulus methodology is based on a mathematical theory of security developed at Odyssey Research Associates. The theory formalizes multilevel information flow security by introducing restrictiveness, a hookup security property. This means that a collection of secure restrictive composite system. Because of its composability, restrictiveness is a useful security property for large, complex, distributed systems. Volume I presents an overview of the important ideas and tools incorporated into the Romulus system. Volume II describes the underlying theory of security as well as Mathesis, the mathematical foundation of Romulus. ; See also Volume 3, AD-B154 848.