In both military operations and the commercial world, cyber situation awareness (SA) is a key element of mission assurance. Due to the needs for mission damage and impact assessment and asset identification (and prioritization), cyber SA is beyond intrusion detection and attack graph analysis. In this paper, we propose a cross-layer situation knowledge reference model (SKRM) to address the unique cyber SA needs of real-world missions. SKRM provides new insight on how to break the 'stovepipes' created by isolated situation knowledge collectors and gain comprehensive level big picture awareness. Through a concrete case study, we show that SKRM is the key enabler for two SA capabilities beyond intrusion detection and attack graph analysis. The potentials and the current limitations of SKRM and SKRM-enabled analysis are also discussed.