When a military information system needs to move data from a SECRET network to an UNCLASSIFIED one — or from a TOP SECRET compartmented environment to a coalition partner network — it cannot simply route the traffic through a standard firewall. The classification barrier is not an access-control problem solvable by network policy. It is a content-integrity problem: the information itself may carry markings, compartments, or embedded data elements that must not leave the higher-classification enclave. The mechanism designed to solve this is the cross-domain solution, and engineering one correctly requires understanding guard architecture, content filtering logic, marking standards, and a government accreditation process that typically takes longer than the application it protects.
This article explains how CDS guards work from the inside — the reference monitor model that underpins every approved product, the filter rule logic that implements CAPCO marking enforcement, the protocol-specific inspection techniques for XML and SMTP pipelines, and the NSA accreditation path that determines whether a deployment is legally authorized to operate. It is written for engineers and programme managers who need to understand the constraints before they commit to an architecture.
What is a cross-domain solution and when is it required
A cross-domain solution is a product or system that enforces a security policy when data moves between networks accredited at different classification levels or with incompatible access controls. The term covers hardware data diodes, software-based bidirectional guards, and combinations of the two. What distinguishes a CDS from an ordinary network gateway is that it operates at the content layer, not the packet layer — it inspects payloads, reads classification markings, applies structured filter rules, and makes an allow-or-reject decision for each data item individually.
A CDS is mandated whenever two conditions are both true: the source network holds information at a higher classification level than the destination network is accredited to receive, and the operational requirement is to transfer some — but not all — of that information to the lower network. If nothing should ever move from high to low, physical isolation (an air gap) is cheaper and more secure. If everything on the high side can move to the low side, the networks should be merged or the destination network should be re-accredited. It is the selective transfer case that requires a CDS.
Common scenarios that mandate a CDS in defense programs include: transferring sanitized track data from a SECRET common operational picture to an UNCLASSIFIED coalition partner display; publishing releasable intelligence products from a TS/SCI analysis environment to a SECRET dissemination network; feeding sensor data from a classified collection platform to an unclassified archive for long-term retention; and connecting a national intelligence network to a NATO-accredited combined network where the classification schemes differ. In each case, the CDS is the boundary enforcement mechanism — and its accreditation is what gives the connecting authority confidence that the boundary is being enforced correctly.
The alternative to a CDS in some limited scenarios is manual review: a human reviewer reads the document, determines it can be released, and re-types or re-drafts the content on the lower network. This is the original cross-domain "solution" and remains in use for low-volume, high-sensitivity transfers where automated filtering cannot be trusted to catch all sensitive content. Automated CDS products are appropriate only when the content is structured enough (marked XML, SMTP with classification headers, well-defined message formats) that a filter can reliably enforce the policy without human judgement for each transfer. Unstructured free-text — narrative assessments, analytical reports, commander's estimates — often still requires human review before release, even when a CDS guard is present for the technical transfer.
For programs that need to address not just the transfer mechanism but the broader security posture of the classified environment, the zero trust for defense software architecture provides the surrounding access control framework into which a CDS integrates.
CDS guard architectures
Four architectural patterns cover the majority of CDS deployments. Each trades security assurance, operational complexity, and capability against the others.
Hardware data diode. A physical device using optical or electrical isolation that guarantees unidirectional data flow at the hardware level. Electrons — and by extension, signals — cannot travel in the blocked direction. A diode between a classified network and an unclassified one ensures that even if the software on the low side is fully compromised, no signal from the low side can reach the high side. The limitation is strict: the application protocol must tolerate one-way flow. TCP's acknowledgment mechanism breaks over a diode; UDP streaming, syslog, and file replication over custom protocols work. Diodes are appropriate for bulk unidirectional exports — sensor streaming, log replication, video distribution — where the high side never needs confirmation of delivery.
Bidirectional guard with separated proxy processes. The most common architecture for applications requiring request-response protocols. The guard runs a high-side proxy process and a low-side proxy process with no shared address space, shared file system, or direct interprocess communication between them. The only path from high to low — and from low to high — passes through the guard kernel, which enforces the security policy for each transfer. The application on the high side connects to the high-side proxy; the application on the low side connects to the low-side proxy. From the network's perspective, each side sees only its own proxy. The guard kernel is the reference monitor — a small, formally specified, independently evaluated component whose only function is to enforce the transfer policy.
Content filter guard. A guard whose primary enforcement mechanism is content inspection — parsing the payload, extracting classification markings, matching against filter rules, and either passing, rejecting, or sanitizing the content before forwarding. Content filter guards implement the CAPCO marking vocabulary as their policy language. They are appropriate when the transferred data is structured and well-marked, and when the policy requires selective pass-through rather than wholesale blocking. Most modern bidirectional guards include a content filter as the first stage after the bidirectional separation.
Reference monitor model. The foundational security principle that all four architectures implement. A reference monitor is a component that: mediates every access request between a subject (the sender) and an object (the data item being transferred); is always invoked (no transfer bypasses it); is tamper-resistant (it cannot be modified or disabled by either side); and is small enough to be formally verified. In CDS terms, the reference monitor is the guard kernel — and its tamper resistance and complete mediation properties are what evaluators verify during the accreditation process. A CDS product that allows transfers to bypass the guard kernel under any condition — maintenance mode, high-load fallback, error state — fails the reference monitor requirement and cannot be accredited for classified network boundaries.
The following diagram shows the bidirectional guard architecture with separated proxy processes:
┌──────────────────────┐ ┌──────────────────────┐
│ SECRET Network │ │ UNCLASSIFIED Network │
│ (High Side) │ │ (Low Side) │
│ │ │ │
│ ┌─────────────────┐ │ │ ┌─────────────────┐ │
│ │ C2 Application │ │ │ │ COP Display │ │
│ └────────┬────────┘ │ │ └────────▲────────┘ │
│ │ │ │ │ │
│ ┌────────▼────────┐ │ │ ┌────────┴────────┐ │
│ │ High-Side Proxy│ │ │ │ Low-Side Proxy │ │
└──┴────────┬────────┴──┘ └──┴────────▲────────┴──┘
│ │
│ ┌─────────────────┐ │
└────────►│ Guard Kernel ├───────┘
│ (Reference │
│ Monitor) │
│ │
│ ┌───────────┐ │
│ │ Filter │ │
│ │ Rules │ │
│ │ (CAPCO) │ │
│ └───────────┘ │
│ │
│ ┌───────────┐ │
│ │ Audit Log │ │
│ │ (Signed) │ │
│ └───────────┘ │
└─────────────────┘
Physical separation
of proxy processes
No shared memory/FS
Content-based filtering: what guards inspect
Content-based filtering is the mechanism that gives CDS guards their selective pass-through capability. Instead of blocking everything or passing everything, a content filter guard reads the data, extracts the security-relevant fields, applies policy rules, and makes an allow/reject/sanitize decision per message.
CAPCO marking parsing. The foundation of content filtering in U.S. classified systems is the CAPCO marking standard, which defines a controlled vocabulary of tokens that appear in classification banners, portion marks, and structured metadata fields. A guard's CAPCO parser reads the classification metadata element from each incoming message and extracts the component tokens. For a message marked SECRET//SI//REL TO USA,GBR, the parser produces: classification level = SECRET; SCI compartment = SI; dissemination control = REL TO; releasability = USA, GBR. Each token is then checked against the policy matrix for the destination network. If the destination is not accredited for SI compartment, the transfer is rejected. If the destination is accredited for REL TO GBR content, the transfer is permitted — but the filter still checks whether any other field in the message body carries a higher marking than the document-level marking claims.
Sensitive compartment enforcement. SCI compartment enforcement requires the guard to recognize the full set of compartment tokens defined in the governing classification guide. The most common compartments in U.S. systems are SI (Signals Intelligence), TK (Talent Keyhole, imagery from space), HCS (Humint Control System), and G (Gamma, a sub-compartment of SI). Each must be checked individually against the destination enclave's compartment accreditation. A destination network accredited for SI but not TK must not receive messages carrying TK marking — even if the document-level classification is within the permitted range.
Portion marking enforcement. A classified document often contains paragraphs, sections, or data elements with different sensitivity levels. CAPCO requires each portion to carry its own marking. A guard enforcing portion markings must parse not just the document-level banner but every paragraph-level (S//SI) or (U//FOUO) tag and make a separate policy decision for each. Sanitization — stripping the portions that fail the policy while forwarding the remainder — is more complex than wholesale rejection but is operationally essential for mixed-content documents.
Attachment stripping. SMTP messages and HTTP multipart payloads frequently carry attachments that the guard must inspect independently of the message body. Each attachment part is parsed separately: the MIME content-type determines the parser to use, the attachment is inspected for embedded classification metadata (PDF document properties, Word custom properties, image EXIF fields), and the policy is applied to each attachment individually. Attachments in formats the guard cannot parse — unrecognized binary formats, encrypted archives — are rejected by default, never passed through uninspected.
The interaction between CAPCO marking enforcement at the CDS layer and the underlying data model is described in detail in the article on military data fusion explained, which covers how classification propagates through a multi-source track database. For NATO environments, the binding between CAPCO-equivalent markings and the NATO confidentiality labeling standard is covered in the STANAG 4774/4778 labeling implementation reference.
Data formats and protocols supported by modern CDS products
A CDS guard is only as useful as its support for the formats your application actually uses. The guard's parser must understand the format deeply enough to extract classification fields and inspect content — surface-level header inspection is not sufficient.
| Format / Protocol | Classification field location | Typical military use | Guard inspection complexity |
|---|---|---|---|
| XML (IC-ISM / UCORE) | Namespace attributes on root element and each classified portion | Track messages, intelligence products, NiemXML reports | High — full schema-aware XPath evaluation |
| JSON with ISM metadata | Top-level ism:classification field or embedded marking objects |
REST API payloads, modern C2 microservices | Medium — schema-dependent, recursive inspection needed |
| SMTP / MIME | X-Classification: header + body banner + per-attachment marking |
Intelligence product dissemination, SITREP distribution | High — recursive MIME parsing, attachment type detection |
| HTTP/HTTPS (REST) | Custom header + payload body | API calls between classified and unclassified services | Medium — TLS termination + content re-inspection required |
| MTF (Message Text Format) | CLASSIFICATION field in message header set | NATO/legacy military messaging, USMTF, ADatP-3 | Medium — fixed-field format, well-specified parsing |
| PDF / Office documents | Custom document properties, XMP metadata, banner text in body | Finished intelligence products, orders, plans | Very high — embedded objects, macros, metadata stripping required |
| Video (RTP/RTSP) | Stream metadata headers (if present); frame-level overlay text | ISR video downlink, UAV feeds | Very high — typically requires diode + dedicated video proxy |
For XML-based military messages, filter rules are expressed in XPath. A rule that rejects any message carrying a TK compartment token looks like:
<!-- Guard filter rule: reject if TK compartment is present -->
<FilterRule id="REJ-TK-001" action="REJECT">
<Description>Reject messages carrying Talent Keyhole (TK) compartment</Description>
<Condition>
<XPathExpression>
//*[contains(
translate(
@ism:SCIcontrols,
'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
'abcdefghijklmnopqrstuvwxyz'
),
'tk'
)]
</XPathExpression>
</Condition>
<AuditMessage>Transfer rejected: TK compartment detected in payload</AuditMessage>
</FilterRule>
<!-- Sanitization rule: strip SI-marked portion elements before forwarding -->
<FilterRule id="SAN-SI-001" action="SANITIZE">
<Description>Strip SI-marked portions from otherwise-releasable documents</Description>
<Condition>
<XPathExpression>//*[@ism:SCIcontrols='SI']</XPathExpression>
</Condition>
<SanitizeAction>REMOVE_ELEMENT</SanitizeAction>
<AuditMessage>Sanitized: SI-marked element removed from document</AuditMessage>
</FilterRule>
NSA approval and accreditation process
A CDS guard protecting a connection between two U.S. government classified networks must be approved by NSA/CSS before it operates. There is no waiver path for operational urgency — deploying an unapproved CDS is a reportable security incident. Understanding the accreditation process and its timeline is a prerequisite for any program that includes a classified boundary.
NSA/CSS Evaluated Products List (EPL). NSA evaluates CDS products and publishes the results on the Evaluated Products List. An EPL listing certifies that a specific product version, in a specific configuration, implements the reference monitor model correctly and resists the attack classes that evaluators tested. The EPL listing specifies the exact hardware model and firmware version, software version, and configuration options that were evaluated. Deviating from the evaluated configuration — even applying an operating system patch that was not part of the evaluated baseline — requires re-evaluation or a deviation authorization. Programs must track which EPL version their deployed guard corresponds to and maintain that correspondence through the guard's operational life.
Raise the Bar (RTB) initiative. Following a series of incidents in which inadequately designed guards allowed data to pass improperly, NSA/CSS issued the Raise the Bar requirements for CDS products. RTB mandates hardware separation of high-side and low-side processing paths, formal documentation of every filter rule and its security rationale, cryptographically signed audit logs (so log tampering is detectable), independent third-party verification of guard logic, and a defined patching procedure that includes re-verification after security-relevant changes. RTB-compliant products are listed on the EPL with an explicit RTB designation. Non-RTB products may still be on older EPL lists but cannot be newly approved for U.S. government classified boundaries.
DISA Unified Capabilities Approved Products List (UC APL). For DoD programs, the DISA UC APL listing is required in addition to the NSA EPL. The UC APL evaluation focuses on interoperability with DoD network infrastructure and compliance with DoD security technical implementation guides (STIGs). A product may be on the NSA EPL but not the UC APL, or vice versa — both are required for most DoD classified network deployments. Check both lists when evaluating candidate CDS products.
Site-specific Authority to Operate (ATO). Even with an EPL/UC APL product, each deployment requires a site-specific ATO that covers: the specific hardware and software configuration deployed; the network topology and physical security of the guard installation; the filter rule set and its relationship to the classification policies of the connected networks; continuous monitoring procedures; and the patch management and configuration change process. The ATO package is reviewed by the Authorizing Official (AO) for the systems on both sides of the boundary. For connections between networks owned by different agencies, a bilateral agreement between the two AOs is required before the ATO can be granted. Timeline: 6 to 18 months for a product already on the EPL in an uncomplicated configuration.
Integration patterns for C2 and ISR pipelines
Integrating a CDS guard into an operational C2 or ISR pipeline requires thinking through both the data flow architecture and the performance constraints the guard introduces.
The SECRET-to-UNCLASSIFIED COP pattern. The most common integration is a publish-subscribe pipeline where a SECRET broker feeds classified track updates, and a CDS guard subscribes to the SECRET broker, inspects each update, and re-publishes sanitized updates to an UNCLASSIFIED broker that coalition partners or lower-side consumers subscribe to. The guard in this architecture acts as a filtering subscriber on the high side and a publishing producer on the low side — never as a pass-through router. This ensures no direct connection exists between the two brokers.
SECRET Network UNCLASSIFIED Network
───────────── ────────────────────
┌─────────────┐ track updates ┌─────────────────────────────┐
│ SECRET │ ─────────────────►│ CDS Guard │
│ Message │ │ │
│ Broker │ │ High-Side Low-Side │
│ │ │ Subscriber Publisher │
│ │ │ │ │ │
│ │ │ ▼ │ │
│ │ │ CAPCO Filter │ │
│ │ │ SI/TK/HCS check │ │
│ │ │ Sanitize/Reject │ │
│ │ │ │ │ │
│ │ │ └──────────────► │
└─────────────┘ └─────────────────────────────┘
│
▼ sanitized updates
┌───────────────────┐
│ UNCLASSIFIED │
│ Message Broker │
└─────────┬─────────┘
│
▼
┌───────────────────┐
│ Coalition COP / │
│ UNCLASSIFIED │
│ Display │
└───────────────────┘
Latency planning. A CDS guard introduces processing latency for every message it inspects. For small XML track-update messages (under 4 KB), commercial guards typically add 50 to 200 milliseconds of inspection latency. For large messages carrying binary attachments or requiring sanitization of multiple portions, latency can reach 500 milliseconds to 2 seconds. For PDF documents or complex MIME messages, processing can take several seconds. This must be factored into the COP refresh rate and the SLA for intelligence product dissemination. Guard throughput ratings are published in EPL documentation — verify that the rated throughput at the message size and complexity of your application is sufficient before committing to a product.
ISR sensor data paths. For ISR sensors operating at the classified level that must feed data to lower-classification consumers, the data path typically involves a classified processing stage that produces sanitized derivative products, which then cross the CDS boundary. Raw sensor data (full-fidelity imagery, raw SIGINT intercepts) should never be designed to flow through a CDS guard — the classification of raw ISR is typically far above what the low side can receive, and content filtering of raw sensor data is unreliable. The design pattern is: process at the classification level of the data, produce derivative products stripped of the sensitive source indicators, and transfer only the derivative products through the guard.
Operational security for CDS deployments
A CDS guard is a high-value target precisely because compromising it is equivalent to eliminating the classified boundary. The operational security controls around a deployed guard must be proportionate to that risk.
Physical security. The guard hardware must be installed in a physically secure location — a locked equipment room with access-controlled entry and visitor logging. Both the high-side network connection and the guard hardware must be within the physical security perimeter of the higher-classification network. Guard tampering — inserting a covert channel device on the network connection, replacing firmware — is a real threat that physical controls address.
Out-of-band management. The guard's management interface must be on a dedicated physical network separate from both the operational high-side and low-side networks. Management traffic — configuration changes, software updates, log retrieval — that transits either operational network creates a covert channel vector. Management workstations should be located inside the higher-classification security perimeter and accredited accordingly.
Log integrity and tamper detection. CDS audit logs are the primary evidence that the boundary was correctly enforced. Logs must be cryptographically protected — each log record includes an HMAC over the record content and the hash of the previous record (a hash chain). This makes insertion, deletion, or modification of any record detectable when the chain is verified. Logs must be written to a system that neither the high-side nor the low-side network can write to or delete from — a dedicated log server accessible only to the security administrator through the out-of-band management network. Log review must be an active, daily activity: rejection anomalies, unusual message volumes, or repeated policy violations by the same sender are indicators of probing or attack.
Configuration change control. Every change to the filter rule set — adding a rule, modifying a condition, removing a rule — must go through a documented change process that includes: a written change request with security rationale; independent review by a second security officer; test execution against the representative traffic sample; and post-change audit of the first 24 hours of production decisions to verify the rule behaves as intended. Changes that have not been through this process must not be applied to production guard configurations. A standing change freeze should apply during high-tempo operational periods when a guard misconfiguration would be most damaging.
Patch management. Security patches for the guard operating system and application require careful handling. Applying a patch that is not part of the evaluated configuration may invalidate the ATO — and not applying security patches creates exploitable vulnerabilities. The procedure is: receive and assess the patch; determine whether it affects the evaluated configuration baseline; if it does, consult with the EPL vendor and obtain an evaluation deviation authorization or schedule a re-evaluation; test the patch in an isolated guard environment that mirrors production; apply to production during a scheduled maintenance window with brief service interruption; verify that filter rule behavior is unchanged after patching.
Red-team testing. Annual penetration testing of the CDS installation should be a requirement in the security plan. The test scope should include: attempted extraction of classified content via the low-side interface using format injection and encoding attacks; attempted covert channel exploitation via timing, storage, and protocol-level channels; attempted guard management interface access from operational networks; and attempted physical tampering scenarios. Findings from red-team testing feed directly into the continuous monitoring report and may trigger configuration changes or re-evaluation.
Key insight: The most common operational failure mode in CDS deployments is not a filter rule gap — it is configuration drift. A guard deployed and accredited in a defined configuration gradually diverges from that configuration through unauthorized patches, ad-hoc rule changes, and hardware component substitutions. After 18 months of operation without a formal configuration audit, most guards are running in a configuration that was never evaluated. Build configuration audits into the operational schedule from the start.