Cross-domain solution

A cross-domain solution (CDS) is an integrated information assurance system composed of specialized software, and sometimes hardware, that provides a controlled interface to manually or automatically enable and/or restrict the access or transfer of information between two or more security domains based on a predetermined security policy. CDSs are designed to enforce domain separation and typically include some form of content filtering, which is used to designate information that is unauthorized for transfer between security domains or levels of classification, such as between different military divisions, intelligence agencies, or other operations which depend on the timely sharing of potentially sensitive information.

The goal of a CDS is to allow a trusted network domain to exchange information with other domains, either one-way or bi-directionally, without introducing the potential for security threats. CDS development, assessment, and deployment are based on comprehensive risk management. Every aspect of an accredited CDS is usually evaluated under what is known as a Lab-Based Security Assessment (LBSA) to reduce potential vulnerabilities and risks. The evaluation and accreditation of CDSs in the United States are primarily under the authority of the National Cross Domain Strategy and Management Office (NCDSMO) within the National Security Agency (NSA).

CDS filter for viruses and malware; content examination utilities; in high-to-low security transfer audited human review. CDS sometimes has security-hardened operating systems, role-based administration access, redundant hardware, etc.

The acceptance criteria for information transfer across domains or cross-domain interoperability is based on the security policy implemented within the solution. This policy may be simple (e.g., antivirus scanning and whitelist (or "allowlist") check before transfer between peer networks) or complex (e.g., multiple content filters and a human reviewer must examine, redact, and approve a document before release from a high-security domain ). Unidirectional networks are often used to move information from low-security domains to secret enclaves while assuring that information cannot escape. Cross-domain solutions often include a High Assurance Guard.

Though cross-domain solutions have, as of 2019, historically been most typical in military, intelligence, and law enforcement environments, one example is the flight control and infotainment systems on an airliner.

Types
There are three types of cross-domain solutions (CDS) according to Department of Defense Instruction (DoDI) 854001p. These types are broken down into Access, Transfer, and Multi-level solutions (MLS) and all must be included in the cross-domain baseline list before Department of Defense-specific site implementations.  Access Solution "An access solution describes a user’s ability to view and manipulate information from domains of differing security levels and caveats. In theory, the ideal solution respects separation requirements between domains by preventing overlapping data between domains, which ensures data of different classifications cannot ‘leak’ (i.e. data spill) between networks at any host layer of the OSI/TCP model. In practice, however, data spills are an ever-present concern that system designers attempt to mitigate within acceptable risk levels. For this reason, data transfer is addressed as a separate CDS". Transfer Solution offers the ability to move information between security domains that are of different classification level or different caveat of the same classification level. Multi-level Solutions "Access and transfer solutions rely on multiple security levels (MSL) approaches that maintain the separation of domains; this architecture is considered multiple single levels. A multi-level solution (MLS) differs from MSL architecture by storing all data in a single domain. The solution uses trusted labeling and integrated Mandatory Access Control (MAC) schema as a basis to mediate data flow and access according to user credentials and clearance to authenticate read and write privileges. In this manner, an MLS is considered an all-in-one CDS, encompassing both access and data transfer capabilities."

Unintended consequences
In previous decades, multilevel security (MLS) technologies were developed. These enforced mandatory access control (MAC) with near certainty. Automated information systems sometimes share information contrary to the need to avoid sharing secrets with adversaries. When the ‘balance’ is decided at the discretion of users, the access control is called discretionary access control (DAC), that is more tolerant of actions that manage risk where MAC requires risk avoidance.

These documents provide standards guidance on risk management:
 * , SP 800-53 Rev3
 * , Instruction No. 1253