Defense and intelligence organizations regularly collect and share information between networks of varying security levels and threat profiles. They traditionally use cross-domain solution (CDS) technologies to protect transfers of and access to that information being shared. In the past few years, the threat profiles for these operations have significantly increased in sophistication and scope. In response, the U.S. government is formally labeling some information sharing connection points as high threat networks (HTN), and defining CDS architecture upgrades to address the new HTN threat profiles.
HTNs are networks whose cyber hygiene is known to be insufficient, that are known to lack robust and effective defensive cyber operations capabilities, or whose security posture the sharing organization does not own and cannot influence. Defense or intelligence unclassified networks connected to the Internet/NIPRNet are high threat networks. If an information-sharing partner’s classified network connects to the Internet with only boundary firewalls, then that partner’s classified network is an HTN. The working assumption is that any software CDS connected to an HTN will be compromised by a malicious attacker using network or data attack vectors, either to infiltrate classified networks or to exfiltrate classified data. The government therefore now requires that CDSs be designed, implemented and operated with higher assurance levels of protection. Those include the required use of hardware-enforced separation at the boundary between an HTN and a classified network, and hardware-enforced filtering of information shared between any HTN and classified networks. Software-only controls (e.g., firewalls, software-enforced CDSs) are no longer considered sufficient protection against the emerging attack vectors.
CDSs are used by defense and intelligence organizations to segment their networks and share information. The National Security Agency’s National Cross Domain Strategy and Management Office (NCDSMO) regularly issues updated guidance for CDSs, known as raise the bar (RTB). The latest HTN guidance includes additional requirements for multi-domain software CDSs and identifies hardware-enforced controls (e.g., separation, filtering) to be employed as part of one-way transfer (OWT) design patterns that protect HTN connections and data flows. These design patterns require a layered approach. All HTN traffic must traverse a separate hardware-enforced, one-way transfer mechanism in each direction, so that the CDS has distinct unidirectional and bidirectional ingress and egress paths. The guidance also imposes the rule of three: all information must be processed by three independent filtering pipelines before data flows back to the HTN. This is straightforward when the high-to-low (H2L) and low-to-high (L2H) data flows are independent. When true bidirectional TCP-based protocols are needed, the rule of three adds complexity. This layered defense makes it much more difficult for an attacker to set up a command-and-control connection from which to launch an attack on the CDS.
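As an added illustrative model (not Owl Cyber Defense code and not the NCDSMO specification itself), the rule of three for H2L traffic can be modelled as three independent filter pipelines whose verdicts must be unanimous before a message is released toward the HTN, with any filter error failing closed. The allow-listed content types, size bound and classification markings in the dirty-word list are constructed assumptions for the example.

```python
"""Toy model of the rule of three for H2L (high-to-low) transfers.

Constructed example: three independent filters must each accept a message
before it is released toward the high threat network. A rejection or an
error in any one filter blocks the transfer (fail closed); a majority vote
would not satisfy the rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    content_type: str
    body: bytes


# Filter 1: structural check. Allow-listed content types and a size bound
# (both constructed values for this example).
def filter_structure(msg: Message) -> bool:
    return msg.content_type in {"text/plain", "application/json"} and len(msg.body) <= 4096


# Filter 2: encoding check. Body must be valid UTF-8 printable text;
# a decode error propagates and is treated as a rejection by the caller.
def filter_encoding(msg: Message) -> bool:
    text = msg.body.decode("utf-8")
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


# Filter 3: content check against a dirty-word list of classification
# markings (constructed list, not a real marking policy).
DIRTY_WORDS = re.compile(rb"\b(TOP SECRET|SECRET|NOFORN)\b")


def filter_content(msg: Message) -> bool:
    return DIRTY_WORDS.search(msg.body) is None


PIPELINES = (filter_structure, filter_encoding, filter_content)


def release_to_htn(msg: Message) -> tuple[bool, list[str]]:
    """Run every pipeline independently (no short-circuit, so each verdict is
    logged) and release only on a unanimous pass. Exceptions count as rejects."""
    verdicts: list[str] = []
    for check in PIPELINES:
        try:
            verdict = "pass" if check(msg) else "reject"
        except Exception as exc:  # malformed input must never bypass a stage
            verdict = f"error ({type(exc).__name__})"
        verdicts.append(f"{check.__name__}: {verdict}")
    released = all(v.endswith(": pass") for v in verdicts)
    return released, verdicts
```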
The NCDSMO hardware-enforcement requirements are being phased in over three-plus years.
- By the end of 2021, an NSA-evaluated hardware-based mechanism (e.g., a data diode) must be implemented for each HTN connection to classified U.S. government (USG) national security systems (NSS) for enterprise unidirectional and bidirectional data flows.
- By the end of 2022, the requirement is to implement such mechanisms for HTN connections to classified USG NSS for all enterprise, tactical, and P2P unidirectional and bidirectional data flows.
- By the end of 2023, hardware-based filtering will be required for HTN connections for enterprise data flows.
- Finally, by the end of 2024, hardware-based filtering will be required for all enterprise, tactical and P2P data flows.
The scope and complexity of meeting the NCDSMO guidance and requirements will depend on a given CDS’ architecture. Hardware-enforced diodes and CDSs from Owl Cyber Defense simplify the effort.
Owl Cyber Defense CDSs provide deterministic data transfer for both L2H and H2L data flows. As an integrated CDS, our solution provides hardware separation, built-in data verification and filtering capabilities in one packaged offering. We support existing software-enforced multi-domain CDS connections to an HTN, often without requiring changes to the existing enterprise CDS or the HTN application.