Learn About Cross Domain Solutions
Cross domain solutions (CDSs) are secure data transfer devices designed to assure the integrity and confidentiality of sensitive networks. They secure connections between domains of differing security levels or classifications, using content inspection and filtering mechanisms that go far beyond those of standard network security tools such as firewalls.
New to Cross Domain Solutions? Start Here!
What is a “Cross Domain Solution” (CDS)?
The U.S. National Institute of Standards and Technology (NIST) defines cross domain solutions as:
“A form of controlled interface (a boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems) that provides the ability to manually and/or automatically access and/or transfer information between different security domains.”
Do I Need a CDS?
Cross domain transfer of information helps make otherwise siloed data persistently available regardless of security level or geographic location. However, data transfers between networks of differing security levels require complex control mechanisms. This is why CDSs were created.
Content filtering is one of the key differentiators of cross domain solutions from other network security solutions. It enables the removal, redaction, destruction, logging, and/or quarantine of unauthorized or malicious data from the data flow. There are both standard data filters that have been developed by government agencies and standards bodies, and custom filters which can be designed for fit-for-purpose applications.
Today, certified CDSs are in use across the U.S. Government, Intelligence Community (IC), and DOD to transfer data both high-to-low and low-to-high. There are also derivative CDS technologies in use in critical infrastructure, commercial, and international defense and intelligence applications, providing secure data transfers between vital networks.
How are CDSs Different?
What distinguishes CDSs from other network security devices, such as firewalls and data diodes, is the combination of security technologies in one device: bidirectional network- and application-layer traffic and data filtering, trusted operating systems, logging and auditing, and typically hardware-enforced domain separation (a data diode). Together these provide layers of assurance rather than a single checkpoint on network access.
Context-appropriate Security Enforcing Mechanisms
Leverage industry-leading expertise to enable unmatched security in your sensitive networks. Discover more about our Custom Data Filtering Services
- Policy enforcement
- Known-good / whitelisting
- Content filtering & quarantine
- Data transformation & normalization
- DLP
- Data provenance
- Protocol break
- Flow control
Security Architecture and Design
Comprehensive security assessment of system architecture and configuration for all aspects of operating systems and platform security. Discover more about our Security Architecture Assessments
- Defense in depth
- Secure by design
- Redundant
- Always-Invoked
- Non-bypassable
System Assurance and Secure Operation
Custom security assessments of integrated systems and applications to inform actionable decisions. Learn more about the Owl System Evaluation, Exploitation, and Research (SEER) Laboratory.
- Independent assessments and Lab-Based Security Assessment (LBSA)
- Trusted platforms (OS) & components
- Secure administration
- Self-protection
- Secure failure
- Opaque operation
- Regular maintenance, training & support
Defense in Depth
Each function within the transfer and filtering path must be designed and implemented independently, so that compromising a single component or piece of code does not defeat the whole system; this reduces or eliminates single points of failure.
CDS security measures must be non-bypassable within the data stream, the device hardware, and the physical environment alike; otherwise an attacker could find and exploit “backdoors” and other circumvention paths.
What are Cross Domain Solutions used for?
Cross domain solutions transfer data between a secure/trusted network (including classified networks) and other domains of differing security level or policy. They can transfer any data type, from unstructured files to structured data to streaming media. CDSs were developed specifically for use in critical and national security networks, where reactive security measures such as firewalls, SIEM, and IDS are not sufficient to proactively ensure the security of a trusted domain.
Structured Content Filtering
Uniform content or “fixed format” messages, including text or schema-based XML, are filtered using a process known as a linear pipeline. This straightforward approach applies a series of filters and checks in order, each separated into an isolated, independent task, with a handoff from one to the next; a failure at any stage stops the transfer.
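As an added illustration (not code from the original page or from any vendor's product), the following Python sketch shows a linear filtering pipeline for a hypothetical fixed-format status message of the form KEY=VALUE;KEY=VALUE. The field set, syntax rules, releasability policy and sample messages are all assumptions made up for the example. Each stage is an isolated function with the same interface, the pipeline runs them in order, the first failure stops the transfer (fail closed), and the final stage re-serializes the message so nothing from the input passes through verbatim.

```python
import re
from dataclasses import dataclass, field

# Assumed schema for a hypothetical fixed-format message (not a real standard):
# exactly these fields, each matching its syntax rule.
SCHEMA = {
    "TYPE": re.compile(r"^STATUS$"),
    "ID":   re.compile(r"^[A-Z0-9]{4,8}$"),
    "LAT":  re.compile(r"^-?\d{1,2}\.\d{1,6}$"),
    "LON":  re.compile(r"^-?\d{1,3}\.\d{1,6}$"),
    "MARK": re.compile(r"^(U|C|S)$"),   # classification marking carried in the message
}
MAX_LEN = 256
RELEASABLE_MARKS = {"U"}   # assumed policy: only 'U' may leave the high domain


@dataclass
class Verdict:
    ok: bool
    reason: str = ""
    output: bytes = b""                      # normalized message, only when ok
    audit: list = field(default_factory=list)  # (stage, result) for the audit log


# Every stage: (input) -> (output, error); error is None on pass.
def stage_encoding(msg):
    if not isinstance(msg, bytes):
        return None, "not bytes"
    if len(msg) > MAX_LEN:
        return None, "oversize"
    try:
        text = msg.decode("ascii")
    except UnicodeDecodeError:
        return None, "non-ascii byte"
    if any(ord(c) < 0x20 for c in text):
        return None, "control character"
    return text, None


def stage_parse(text):
    fields = {}
    for part in text.split(";"):
        if "=" not in part:
            return None, f"malformed field {part!r}"
        k, v = part.split("=", 1)
        if k in fields:
            return None, f"duplicate field {k}"
        fields[k] = v
    return fields, None


def stage_schema(fields):
    # Known-good only: the field set must match exactly, no extras, no omissions.
    if set(fields) != set(SCHEMA):
        return None, f"field set mismatch: {sorted(set(fields) ^ set(SCHEMA))}"
    for k, rx in SCHEMA.items():
        if not rx.match(fields[k]):
            return None, f"field {k} fails syntax"
    return fields, None


def stage_range(fields):
    lat, lon = float(fields["LAT"]), float(fields["LON"])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None, "coordinate out of range"
    return fields, None


def stage_release(fields):
    if fields["MARK"] not in RELEASABLE_MARKS:
        return None, f"marking {fields['MARK']} not releasable"
    return fields, None


def stage_normalize(fields):
    # Rebuild the message in canonical field order from validated values.
    return ";".join(f"{k}={fields[k]}" for k in SCHEMA).encode("ascii"), None


PIPELINE = [stage_encoding, stage_parse, stage_schema,
            stage_range, stage_release, stage_normalize]


def filter_message(msg):
    """Run the stages in order; stop at the first failure (fail closed)."""
    audit, cur = [], msg
    for stage in PIPELINE:
        cur, err = stage(cur)
        audit.append((stage.__name__, "pass" if err is None else f"fail: {err}"))
        if err is not None:
            return Verdict(False, f"{stage.__name__}: {err}", audit=audit)
    return Verdict(True, output=cur, audit=audit)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for m in (b"MARK=U;ID=AB12;TYPE=STATUS;LON=-77.0365;LAT=38.8977",
              b"TYPE=STATUS;ID=AB12;LAT=38.8977;LON=-77.0365;MARK=S",
              b"TYPE=STATUS;ID=AB12;LAT=95.0;LON=-77.0365;MARK=U"):
        print(filter_message(m))
```

The audit list is what the "logging and auditing" layer of a CDS would record per message; in a real device each stage would also run in its own process or sandbox so that a fault in one parser cannot reach the next.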
Unstructured Content Filtering
Complex or unstructured content, e.g., MS Office documents, PDF, or imagery, is broken down into more basic elements and filtered using a process known as recursive decomposition. This divide-and-conquer approach decomposes container formats until each element can be inspected by a standard content filter. In some cases, custom filters may still be required for specific data formats.
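As an added example (not the page's or any product's code), the Python sketch below performs recursive decomposition over a constructed, in-memory ZIP archive that contains a nested archive, a text file, an XML part and an unknown binary. ZIP is chosen because common office document formats are ZIP containers of XML parts; the leaf filters, the allow-list of leaf types, the dirty-word list, the depth and size bounds, and the sample archives are all assumptions made up for illustration. Each leaf is typed by content rather than by file name, unknown types are rejected rather than passed, and nesting depth and member size are bounded so that a deliberately deep or inflating archive cannot exhaust the filter.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_DEPTH = 4              # assumed bound on container-in-container nesting
MAX_MEMBER_BYTES = 1 << 20  # assumed per-member inflation bound (zip-bomb guard)
DIRTY_WORDS = (b"SECRET", b"NOFORN")  # assumed markings that must not be released


# Leaf filters: return None on pass, otherwise a reject reason.
def filter_text(data):
    for w in DIRTY_WORDS:
        if w in data.upper():
            return f"dirty word {w.decode()}"
    return None


def filter_xml(data):
    # Structural check with the stdlib parser for illustration only; a real filter
    # would validate against the expected schema with a hardened parser.
    try:
        ET.fromstring(data)
    except ET.ParseError as e:
        return f"malformed xml: {e}"
    return filter_text(data)


LEAF_FILTERS = {"txt": filter_text, "xml": filter_xml}  # allow-list of leaf types


def detect_type(data):
    """Type by content signature, never by file extension alone."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data.lstrip()[:1] == b"<":
        return "xml"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if any(ord(c) < 0x20 and c not in "\t\r\n" for c in text):
        return "binary"
    return "txt"


def decompose(name, data, depth=0, findings=None):
    """Break containers into leaves recursively; append (path, result, reason)."""
    if findings is None:
        findings = []
    kind = detect_type(data)
    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append((name, "reject", "nesting too deep"))
            return findings
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile as e:
            findings.append((name, "reject", f"corrupt container: {e}"))
            return findings
        with zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "reject", "member too large"))
                    continue
                decompose(path, zf.read(info), depth + 1, findings)
        return findings
    flt = LEAF_FILTERS.get(kind)
    if flt is None:
        findings.append((name, "reject", f"type {kind} not on allow-list"))
    else:
        reason = flt(data)
        findings.append((name, "pass" if reason is None else "reject", reason or ""))
    return findings


def verdict(name, data):
    """Whole-object verdict: release only if every leaf passed."""
    findings = decompose(name, data)
    return all(f[1] == "pass" for f in findings), findings


# Constructed samples (not real documents).
def build_sample():
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", "routine status, nothing sensitive")
        z.writestr("report.xml", "<report><item>SECRET payload</item></report>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "ok")
        z.writestr("nested.zip", inner.getvalue())
        z.writestr("tool.bin", b"\x7fELF\x02\x01\x01\x00")  # unknown binary
    return outer.getvalue()


def build_deep_sample(levels):
    data, name = b"x", "x.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), f"l{i}.zip"
    return data


if __name__ == "__main__":
    ok, findings = verdict("upload.zip", build_sample())
    print(ok)
    for f in findings:
        print(f)
```

A single rejected leaf rejects the whole object: the filter never releases a partially inspected container. Whether a sanitized copy can instead be rebuilt from the passing leaves is a policy decision per data format, and it is where the custom filters mentioned above come in.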