CNSSI-1253F Cross Domain Solution Overlay

This document provides guidance for implementing Cross Domain Solutions (CDS) to securely connect different security domains like connecting an Unclassified and Secret network. It outlines three types of CDS: Access, Transfer, and Multi-level. The document specifies security controls from NIST SP 800-53 and CNSSI No. 1253 that are required for each CDS type based on their technical capabilities and risks. Implementation must use the Moderate Confidentiality, Integrity, and Availability baseline. The document provides CDS-specific guidance for selected controls and requires the Cross Domain Support Element to work with system owners throughout the Risk Management Framework process.

Cross Domain Solution Overlay

1. Characteristics and Assumptions


This Cross Domain Solution (CDS) Overlay applies to system owners, program managers,
developers, implementers, integrators and those required to manage and maintain Cross Domain
Solutions.
The CDS Overlay addresses security requirements and controls based on security best practices,
policy, local requirements and guidance. This overlay identifies the security controls required to
protect against threats and manage security risks presented when utilizing a CDS to connect
security domains (i.e., domains with differing classification or sensitivity levels).
A CDS is a form of controlled interface, utilizing a trusted operating system and enforcing a
security policy to provide access to and/or transfer of data between different security domains.
There are three types of CDSs:
• Access – An Access CDS provides access to a computing platform, application, or data
residing on different security domains from a single device.
• Transfer – A Transfer CDS facilitates the movement of data between information systems
operating in different security domains.
• Multi-level – A Multi-level CDS uses trusted labeling to store data at different
classifications and allows users to access the data based upon their security domain and
credentials.
Security controls selection varies based upon CDS type because of the differences in technical
and operational constraints and associated interconnection risks. For example, an Access CDS
provides a remote desktop for users to access each connected security domain without allowing
the transfer of data between security domains; consequently, some of the AC-4 information flow
controls are not applicable.

2. Applicability
Use the following questions to determine CDS Overlay applicability:
1. Is the CDS being deployed, or in development, for use on U.S. Government networks (e.g.,
to establish a connection between networks operating at different classification levels,
such as connecting an Unclassified and Secret network)? If the answer to this question is
no, this overlay does not apply. If the answer is yes, continue through the additional
questions below to determine the type of CDS and the guidance that applies.
2. Will the CDS be used to transfer data between security domains? If the answer is yes,
then follow the guidance in this overlay for Transfer CDS.
3. Will the CDS be used to provide access to a computing platform, application, or data
residing on different security domains? If the answer is yes, then follow the guidance in
this overlay for Access CDS.
4. Will the CDS be used to label and store data; allowing users access based upon their
security domain and credentials? If the answer is yes, then follow the guidance in this
overlay for Multi-level CDS.

Cross Domain Solution Overlay


09/27/2013 1 Attachment 3 to Appendix F
3. Implementation
The CDS Overlay is based on:
• NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information
Systems and Organizations, August 2009 with May 2010 errata updates
• CNSSI No. 1253, Version 2, Security Categorization and Control Selection for National
Security Systems, March 15, 2012
This CDS Overlay is designed for and shall be used with a Moderate Confidentiality, Moderate
Integrity, and Moderate Availability (MMM) baseline as defined in CNSSI No. 1253. There are
no additional overlays required by this overlay for use with Cross Domain Solutions; however
other overlays may be applicable to address additional needs of an information system.
The determination of when a CDS is required is left to the discretion of the responsible
Authorizing Official and/or the Risk Executive body responsible for making the approval to
operate or connect decision. The determination decision will include consultation with the
System Owner, the Information Owner, and the Cross Domain Support Element (CDSE) at a
minimum. The CDS Risk Management Framework (RMF) model requires that the CDSE, as a
key Cross Domain focal point, work with these individuals throughout the RMF process in
making this determination.
Not all controls in the Overlay require CDS-specific supplemental guidance. Section 5 provides
CDS-specific guidance for select controls in the Moderate Confidentiality, Moderate Integrity,
and Moderate Availability baseline set of controls.

4. Table of Overlay Controls


The below table presents a listing of CNSSI No. 1253 security controls that are applicable to a
Cross Domain Solution. A plus sign (“+”) in the overlay column indicates the applicability of
the control above the controls identified in CNSSI No. 1253 Moderate Confidentiality, Moderate
Integrity and Moderate Availability baseline. Dashes (“--”) in the overlay column indicate the
security control is not required and is tailored out of the final control set.

Table 1: Security Controls Specifications for Cross Domain Solutions


CROSS DOMAIN SOLUTIONS
CONTROL
TRANSFER ACCESS MULTILEVEL
AC-2(2) + + +
AC-2(5) + + +
AC-2(7) + + +
AC-3(2) + + +
AC-3(3) + + +
AC-3(5) + + +
AC-3(6) + + +
AC-4 + +
AC-4(1) + +
AC-4(2) + + +
AC-4(3) + + +
AC-4(4) + +
AC-4(5) + +
AC-4(6) + +
AC-4(7) + + +
AC-4(8) + +
AC-4(9) + +
AC-4(10) + +
AC-4(11) + +
AC-4(12) + +
AC-4(13) + +
AC-4(14) + +
AC-4(15) + +
AC-4(16) + +
AC-4(17) + +
AC-6 + + +
AC-6(3) + + +
AC-6(4) + + +
AC-6(6) + + +
AC-7 + + +
AC-7(2) + + +
AC-9(1) + + +
AC-9(2) + + +
AC-9(3) + + +
AC-10 + + +
AC-14 -- -- --
AC-14(1) -- -- --
AC-16(1) + +
AC-16(2) + +
AC-16(3) + + +
AC-16(5) + + +
AC-19(1) + + +
AU-2 + + +
AU-2(3) + + +
AU-3(1) + + +
AU-4 + + +
AU-5 + + +
AU-5(1) + + +
AU-5(2) + + +
AU-5(4) + + +
AU-6(7) + + +
AU-8(1) + + +
AU-9 + + +
AU-9(3) + + +
AU-10(1) + + +
AU-10(2) + + +
AU-10(3) + + +
AU-10(4) + + +
AU-12 + + +
AU-12(1) + + +
AU-12(2) + + +
CA-3(1) -- -- --
CM-2(6) + + +
CM-5(1) + + +
CM-5(4) + + +
CM-5(7) + + +
CM-6(2) + + +
CM-6(4) + + +
CM-8(6) + + +
CP-9 + + +
CP-9(2) + + +
CP-9(3) + + +
CP-10(4) + + +
CP-10(6) + + +
IA-2(5) + + +
IA-4(3) + + +
IR-2(1) + + +
IR-5(1) + + +
MA-4(1) + + +
MA-4(4) + + +
MA-5(2) + + +
MA-5(3) + + +
MA-5(4) + + +
PE-3(1) + + +
PE-3(4) + + +
PE-3(5) + + +
PE-13(1) + + +
PE-13(2) + + +
PE-13(3) + + +
PE-13(4) + + +
PE-18 + + +
PL-4(1) + + +
PS-3(1) --
PS-3(2) --
RA-5(3) + + +
RA-5(9) + + +
SA-4(2) + + +
SA-5 + + +
SA-5(4) + + +
SA-7 + + +
SA-11(1) + + +
SA-11(2) + + +
SA-11(3) + + +
SA-13 + + +
SC-3 + + +
SC-3(2) + + +
SC-3(3) + + +
SC-4(1) + + +
SC-5(2) + + +
SC-6 + +
SC-7(9) + +
SC-7(10) + +
SC-7(12) + + +
SC-7(15) + + +
SC-7(16) + + +
SC-7(17) + + +
SC-8(2) + +
SC-9(2) --
SC-12(2) + + +
SC-13(1) + + +
SC-13(2) + + +
SC-13(3) + + +
SC-15 -- --
SC-15(1) -- --
SC-15(3) -- -- --
SC-16 + +
SC-16(1) + +
SC-28(1) + + +
SC-31 + + +
SC-31(1) + + +
SI-3(5) + + +
SI-4(13) + + +
SI-7 + + +
SI-7(1) + + +
SI-7(2) + + +
SI-7(4) + + +
SI-13(4) + + +

5. Supplemental Guidance
The supplemental guidance in this section elaborates on the supplemental guidance in NIST SP
800-53 and provides unique considerations for implementation specific to a CDS.

AC-2 ACCOUNT MANAGEMENT


Control Enhancement: 2
CDS Supplemental Guidance: The use of temporary and emergency accounts is only
permitted during installation and maintenance periods. Remove any temporary and
emergency accounts prior to CDS operational use.
Control Enhancement: 7
CDS Supplemental Guidance: At a minimum, include roles for audit administration and
CDS filter administration.

AC-3 ACCESS ENFORCEMENT


Control Enhancement: 3
CDS Supplemental Guidance: By definition, a CDS uses a trusted operating system that
implements non-discretionary access control (e.g., Mandatory Access Control (MAC)).

AC-4 INFORMATION FLOW ENFORCEMENT


CDS Supplemental Guidance: Apply flow control to data transferred between security
domains by means of a set of hardware and/or software collectively known as the “filter”.
Flow control includes the inspection, sanitization, and/or rejection of data from one
security domain prior to transfer of data to a different security domain. For an access
CDS, the remote desktop architecture provides the capability for a user to have access
from a single device to computing platforms, applications, or data residing on multiple
different security domains; while preventing any information flow between the different
security domains.
Control Enhancement: 1
CDS Supplemental Guidance: Use source and destination security attributes as part of
flow control decisions and policies.
Control Enhancement: 2
CDS Enhancement Supplemental Guidance: The flow processing path for each security
domain must be isolated from other domains. The CDS must ensure that subject(s) in the
trusted path are confined only to interactions with the next consecutive subject(s) in the
defined processing flow - to include interactions with associated objects. The CDS must
also ensure that input, processing, and output domains are not shared and that individual
process decisions are executed in independent domains.
Control Enhancement: 4
CDS Supplemental Guidance: Block the transfer of encrypted/encoded data the CDS is
unable to decrypt/decode, inspect, and sanitize.
Control Enhancement: 6
CDS Supplemental Guidance: Block the transfer of data with malformed security
attribute metadata structures.
Control Enhancement: 7
CDS Supplemental Guidance: Use of hardware enforced flow direction is preferable in
high risk environments but is not mandatory. Do not enable any connections between
security domains beyond the specified one-way flow.
Control Enhancement: 8
CDS Supplemental Guidance: Define specific filters and their order of execution for
each information flow.
Control Enhancement: 9
CDS Supplemental Guidance: Display the data which requires human review to the
authorized reviewer in its native form (i.e., consistent with how it would be displayed by
the application that created the data). Require a response from the authorized reviewer
prior to taking action on the transfer data and then take appropriate actions as indicated
by the reviewer (e.g., reject, forward, reply), but do not allow the reviewer to
circumvent any additional filtering mechanisms.
Control Enhancement: 11
CDS Supplemental Guidance: Do not allow CDS filter reconfiguration when the CDS is
in an operational state.
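The AC-4 guidance above describes the filter as an ordered chain that every cross-domain transfer must pass in full. The following is an added example, not code from the overlay or from any CDS product: a small Python model of one Transfer CDS flow in which source/destination attributes gate the decision (AC-4(1)), malformed attribute metadata is rejected (AC-4(6)), content that cannot be decoded for inspection is rejected (AC-4(4)), only the configured one-way direction is accepted (AC-4(7)), filters run in a defined order (AC-4(8)), a human reviewer can release a flagged item but cannot skip the filters that follow (AC-4(9)), and the chain cannot be reconfigured once the flow is operational (AC-4(11)). All class and function names, the known classification levels, the dirty-word list and the size limit are assumptions made for illustration; the sample messages are constructed.

```python
"""Added example: a minimal AC-4 filter chain for one Transfer CDS flow.
Names, levels, dirty words and limits below are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Message:
    src_domain: str
    dst_domain: str
    content_type: str        # e.g. "text/plain" or "application/pgp-encrypted"
    body: bytes
    attributes: dict         # security attribute metadata carried with the data

@dataclass
class Verdict:
    action: str              # "forward", "reject" or "needs_review"
    reason: str = ""

Filter = Callable[[Message], Verdict]

KNOWN_LEVELS = {"UNCLASSIFIED", "SECRET"}          # constructed level set
OPAQUE_TYPES = {"application/pgp-encrypted", "application/octet-stream"}
DIRTY_WORDS = ("noforn", "not releasable")         # constructed review triggers
MAX_BODY_BYTES = 64                                # constructed size limit

def attribute_structure_filter(msg: Message) -> Verdict:
    """AC-4(6): reject data whose security attribute metadata is malformed."""
    a = msg.attributes
    if (not isinstance(a, dict)
            or a.get("classification") not in KNOWN_LEVELS
            or not isinstance(a.get("markings", []), list)):
        return Verdict("reject", "malformed security attribute metadata")
    return Verdict("forward")

def decodable_content_filter(msg: Message) -> Verdict:
    """AC-4(4): reject encrypted/encoded content the CDS cannot inspect."""
    if msg.content_type in OPAQUE_TYPES:
        return Verdict("reject", "content cannot be decoded for inspection")
    try:
        msg.body.decode("utf-8")
    except UnicodeDecodeError:
        return Verdict("reject", "content is not inspectable text")
    return Verdict("forward")

def dirty_word_filter(msg: Message) -> Verdict:
    """Content inspection; a hit is handed to the human reviewer (AC-4(9))."""
    text = msg.body.decode("utf-8", errors="replace").lower()
    if any(w in text for w in DIRTY_WORDS):
        return Verdict("needs_review", "dirty-word hit requires human review")
    return Verdict("forward")

def size_filter(msg: Message) -> Verdict:
    """A filter placed after human review, to show the reviewer cannot bypass it."""
    if len(msg.body) > MAX_BODY_BYTES:
        return Verdict("reject", "body exceeds configured size limit")
    return Verdict("forward")

@dataclass
class TransferFlow:
    allowed: tuple                        # (src, dst): the single permitted direction, AC-4(7)
    filters: list = field(default_factory=list)   # executed in list order, AC-4(8)
    operational: bool = False

    def add_filter(self, f: Filter) -> None:
        # AC-4(11): no filter reconfiguration once the flow is operational.
        if self.operational:
            raise PermissionError("filters cannot be changed while operational")
        self.filters.append(f)

    def process(self, msg: Message,
                reviewer: Optional[Callable[[Message], bool]] = None) -> Verdict:
        # AC-4(1)/(7): source and destination attributes decide first.
        if (msg.src_domain, msg.dst_domain) != self.allowed:
            return Verdict("reject", "flow direction not permitted")
        for f in self.filters:
            v = f(msg)
            if v.action == "reject":
                return v
            if v.action == "needs_review":
                # AC-4(9): require a reviewer response; approval only lets the
                # chain continue, it never skips the remaining filters.
                if reviewer is None or not reviewer(msg):
                    return Verdict("reject", "rejected by human review")
        return Verdict("forward")

def build_flow() -> TransferFlow:
    """Configure the flow low-to-high, then mark it operational."""
    flow = TransferFlow(allowed=("UNCLASSIFIED", "SECRET"))
    for f in (attribute_structure_filter, decodable_content_filter,
              dirty_word_filter, size_filter):
        flow.add_filter(f)
    flow.operational = True
    return flow

def sample(body: bytes, content_type: str = "text/plain", attrs: Optional[dict] = None,
           src: str = "UNCLASSIFIED", dst: str = "SECRET") -> Message:
    """Constructed sample message with well-formed attributes by default."""
    if attrs is None:
        attrs = {"classification": "UNCLASSIFIED", "markings": []}
    return Message(src, dst, content_type, body, attrs)
```

Ordering matters: the attribute check runs before any content filter so that nothing without valid metadata is ever inspected, and the size filter sits after the review step so a reviewer's approval is visibly not a bypass.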

AC-6 LEAST PRIVILEGE


CDS Supplemental Guidance: The principle of least privilege for CDS extends to the
sanitization of data prior to processing subsequent data transfers destined for a different
security domain, thus precluding inadvertent access. Additionally, processes running on
the CDS are not allowed access to the network if the access is not explicitly required for
functionality (e.g., a firewall is used to control access to and from the CDS).

AC-16 SECURITY ATTRIBUTES


Control Enhancement: 2
CDS Enhancement Supplemental Guidance: Only the CDS regrader process is
authorized to modify security labels. Ensure the security labels do not change outside of
the regrader process and the security policy is enforced.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES
Control Enhancement: 1
CDS Supplemental Guidance: Prevent removable media devices from being mounted to
the CDS when not a part of a configurable list of acceptable devices (white list).

AU-2 AUDITABLE EVENTS


Control Enhancement: 3
CDS Supplemental Guidance: The list of auditable events is not configurable on all
CDSs. Review auditable events on the CDS to ensure conformance with requirements
and update.

AU-3 CONTENT OF AUDIT RECORDS


Control Enhancement: 1
CDS Supplemental Guidance: Ensure the CDS is capable of implementing journaling.

AU-4 AUDIT STORAGE CAPACITY


CDS Supplemental Guidance: Ensure the CDS audit record storage capacity is not
exceeded under normal operation; otherwise, the CDS will shut down. In the event
communication with a log management server is lost, buffer logs locally on the CDS.
Ensure the CDS is able to store a reasonable amount of data based on the robustness of
the solution and the load capacity under normal conditions to allow network engineers
and/or system administrators time to re-establish communications with the log server
before the system shuts down.

AU-6 CONTENT OF AUDIT RECORDS


Control Enhancement: 7
CDS Supplemental Guidance: Audit records can only be written or deleted by privileged
processes or accounts.

AU-9 PROTECTION OF AUDIT INFORMATION


CDS Supplemental Guidance: Protect audit information, tools and data by enforcing
access controls on audit records, audit settings, and audit reports by leveraging both
MAC and Discretionary Access Control (DAC) to prevent unauthorized access,
modification, and deletion.

AU-12 AUDIT GENERATION


CDS Supplemental Guidance: The list of auditable events for specific components
within a cross domain solution is locked at certification. The list of auditable events
should not be modified following certification.

CP-9 INFORMATION SYSTEM BACKUP

CDS Supplemental Guidance: CDS backup material and information shall be protected
consistent with the highest classification level of information processed by the CDS and
its interconnected information systems.

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION


Control Enhancement: 4
CDS Supplemental Guidance: Verify integrity-protected disk images prior to CDS
reimage. The CDS components should have integrity-check mechanisms in place during
restoration.

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)


Control Enhancement: 5
CDS Supplemental Guidance: Prevent console logon privileges to group accounts
(roles). Associate only one role per user account.

PE-3 PHYSICAL ACCESS CONTROL


Control Enhancement: 4
CDS Supplemental Guidance: Lock the CDS case with a token (e.g., a key). Store the
token in a secure location (e.g., make sure the key is not taped to the top of the case).
Train on site personnel on the procedures to lock and unlock the casing, including any
audits that must be performed and where to retrieve and store the token.
Control Enhancement: 5
CDS Supplemental Guidance: Stop processing data in the event of CDS tamper or
hardware modification (e.g., replacement of a network card).

SA-5 INFORMATION SYSTEM DOCUMENTATION


CDS Supplemental Guidance: Include the following in the CDS documentation:
• CDS account capabilities and account management;
• Implementation of non-discretionary access control;
• CDS filter capabilities;
• The configuration procedures for unsanctioned data detection;
• Mechanism(s) used to implement the access control policy for remote access;
• Mechanism(s) to identify and take corrective action upon detection of
unauthorized remote connections;
• The environments in which the system is expected to be deployed; also state that
the system is to be placed in a lockable case;
• Mechanism(s) to restrict Denial of Service (DoS) attacks;
• Mechanism(s) to balance the load among multiple connections on each interface;
• Communications protection policy, procedures addressing session authenticity,
and requirements for randomly generating unique session identifiers; and
• Design documentation, configuration settings, and associated documentation.

SA-7 USER-INSTALLED SOFTWARE
CDS Supplemental Guidance: Only privileged users can install software on a CDS.

SC-5 DENIAL OF SERVICE PROTECTION


Control Enhancement: 2
CDS Supplemental Guidance: The CDS balances the load among multiple connections
on each interface to ensure the CDS is able to perform any required network functions
even in the event that the system is flooded with information over the network.

SC-7 BOUNDARY PROTECTION


Control Enhancement: 12
CDS Supplemental Guidance: Protect each CDS interface with a host-based
firewall/access beginning at system start-up.

SC-13 USE OF CRYPTOGRAPHY


Control Enhancement: 1
CDS Supplemental Guidance: Use Federal Information Processing Standard (FIPS)
Publication 140-2, Security Requirements for Cryptographic Modules, compliant
cryptography.

SC-16 TRANSMISSION OF SECURITY ATTRIBUTES


CDS Supplemental Guidance: CDS security attributes include the classification and all
appropriate associated security markings of the information processed on the CDS.
Control Enhancement: 1
CDS Supplemental Guidance: Validate the integrity of all transmitted information
including labels and security attributes for incoming and outgoing files.
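AC-16(2) above restricts label changes to the regrader process, and SC-16(1) requires the integrity of labels and security attributes to be validated on the way in and on the way out. The following is an added example, not code from the overlay or from any CDS product, of one way to make both checks mechanical: the label is bound to the content with an HMAC under a key that only the CDS trusted base (the regrader and the boundary validators) holds, so any process outside the regrader that rewrites a label, or any change to the content under an existing label, fails validation. The HMAC binding, the key, the names `LabeledObject`, `label_new`, `regrade` and `validate`, and the sample object are all assumptions for illustration.

```python
"""Added example: label integrity for a labeled object, binding label to
content with an HMAC. The key, names and sample data are illustrative."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. Assumption: in a real CDS the key lives only in the
# trusted base (regrader + ingress/egress validators), never in untrusted processes.
REGRADER_KEY = b"constructed-demo-key-not-for-real-use"

@dataclass(frozen=True)
class LabeledObject:
    content: bytes
    label: dict      # e.g. {"classification": "SECRET", "markings": ["NOFORN"]}
    tag: bytes       # HMAC binding label to content

def _bind(content: bytes, label: dict, key: bytes) -> bytes:
    # Canonical label encoding + content digest, so neither can be swapped
    # independently of the other without invalidating the tag.
    canon = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    material = canon + b"\x00" + hashlib.sha256(content).digest()
    return hmac.new(key, material, hashlib.sha256).digest()

def label_new(content: bytes, label: dict, key: bytes) -> LabeledObject:
    """Initial labeling of data entering the CDS (done by the trusted base)."""
    return LabeledObject(content, dict(label), _bind(content, label, key))

def validate(obj: LabeledObject, key: bytes) -> bool:
    """SC-16(1): ingress/egress check that label and content still match the tag."""
    return hmac.compare_digest(obj.tag, _bind(obj.content, obj.label, key))

def regrade(obj: LabeledObject, new_label: dict, key: bytes) -> LabeledObject:
    """AC-16(2): the regrader is the only path that yields a new valid label.
    It refuses to act on an object whose current binding is already broken."""
    if not validate(obj, key):
        raise ValueError("refusing to regrade an object with an invalid label binding")
    return LabeledObject(obj.content, dict(new_label), _bind(obj.content, new_label, key))

def egress_check(obj: LabeledObject, key: bytes, destination_level: str) -> str:
    """Combined boundary decision: integrity first, then a simple level match.
    Returns 'forward' or a rejection reason. Level comparison is illustrative."""
    if not validate(obj, key):
        return "reject: label integrity failure"
    if obj.label.get("classification") != destination_level:
        return "reject: label does not match destination domain"
    return "forward"
```

The point of `egress_check` ordering is that a label is never trusted for a release decision until its binding has been verified; a label that reads UNCLASSIFIED but was not produced by the regrader is treated as an integrity failure, not as an unclassified object.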

SI-3(5) MALICIOUS CODE PROTECTION


CDS Supplemental Guidance: CDSs do not have general users. System administrators
and/or security engineers may use removable media for updating system applications,
operating systems and malicious code signatures and applications when approved by
program managers and/or configuration control boards.

SI-7 SOFTWARE AND INFORMATION INTEGRITY


CDS Supplemental Guidance: Implement a system integrity checker to protect all
security-relevant data on the system and take automated actions based upon the results
from the checker.

6. Specific Value Parameters
These value parameters are intended to complement the specifications in CNSSI No.1253
Appendix J. As such, readers of this document should read and reference CNSSI No. 1253
Appendix J in parallel with guidance below.

Table 2: Values for Parameters


CONTROL   VALUE
AC-2(2)   Prior to CDS entering operational state
AC-3(2)   Changing policy or flushing audit logs
AC-3(3)   Must implement a Mandatory Access Control (MAC) policy, a type enforcement policy,
          or both over all subjects and objects
AC-4(5)   Must make every effort to find and filter or limit/remove embedded data within data files
AC-4(9)   Human review should be required unless it is at the discretion of the organization
AC-7      The CDS shall lock accounts after three unsuccessful login attempts
AC-9(2)   The CDS shall display successful logons and unsuccessful logins for a period of 30 days
AC-9(3)   The CDS shall notify users and administrators of account privilege and/or role changes
          that have occurred within the last 30 days
AC-10     The CDS should limit concurrent logins to one; i.e., the user/administrator is logged in
          no more than twice at any given time.
AU-2      The CDS shall be configured to audit the following functions at a minimum:
          1) Information or data files that cross domains
          2) Account changes for administrators
          3) System initialization
          4) System fault/failure
          5) System shutdown
          6) Execution of privileged functions
          7) Security related events as defined in site policy
AU-5      When the CDS audit capacity is full, the CDS will shut down
AU-5(1)   Notify at 80%, 90%, 95%, 98% and 99% of maximum audit storage capacity
AU-5(2)   Alert when audit capacity is above 95%, the system is shutting down because of
          reaching audit capacity, and/or the system cannot create an audit record
AU-8(1)   The CDS shall synchronize the system clock with a Network Time Protocol (NTP)
          server from the high side, or Controlling Domain (when available), to ensure
          consistency of records with other network devices
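The AU-4 guidance in Section 5 (buffer locally when the log server is unreachable, and size that buffer so administrators have time to restore the link) and the AU-5, AU-5(1) and AU-5(2) values in Table 2 (notify at 80/90/95/98/99 %, alert above 95 %, shut down when capacity is exhausted) together describe one watchdog. The following is an added example, not code from the overlay or from any CDS product, of that watchdog as a small Python model: records ship to the log server while it is reachable, are buffered locally while it is not, thresholds fire once per crossing, and the store refuses to run once it cannot create a record. The names `AuditStore`, `simulate` and `minutes_until_full`, the byte-sized accounting and the constructed records are assumptions for illustration.

```python
"""Added example: an AU-4/AU-5 audit storage watchdog using the overlay's
Table 2 values. Names and the constructed records are illustrative."""
from dataclasses import dataclass, field

NOTIFY_THRESHOLDS = (80, 90, 95, 98, 99)   # AU-5(1) values from Table 2
ALERT_THRESHOLD = 95                        # AU-5(2): alert when above 95%

@dataclass
class AuditStore:
    capacity_bytes: int
    log_server_up: bool = True
    used_bytes: int = 0
    buffer: list = field(default_factory=list)      # records held while server is down
    notified: set = field(default_factory=set)      # thresholds already reported
    alerted: bool = False
    shut_down: bool = False
    events: list = field(default_factory=list)      # notifications/alerts emitted

    def percent_used(self) -> int:
        return self.used_bytes * 100 // self.capacity_bytes

    def write(self, record: bytes) -> str:
        """Returns 'shipped', 'buffered' or 'shutdown'."""
        if self.shut_down:
            return "shutdown"
        if self.log_server_up:
            return "shipped"            # delivered to the log management server
        if len(record) > self.capacity_bytes - self.used_bytes:
            # AU-5 / AU-5(2): cannot create an audit record -> alert, then halt.
            self.events.append("ALERT: cannot create audit record; shutting down")
            self.shut_down = True
            return "shutdown"
        self.buffer.append(record)      # AU-4: buffer locally while the link is down
        self.used_bytes += len(record)
        self._check_thresholds()
        return "buffered"

    def _check_thresholds(self) -> None:
        pct = self.percent_used()
        for t in NOTIFY_THRESHOLDS:     # AU-5(1): one notification per crossing
            if pct >= t and t not in self.notified:
                self.notified.add(t)
                self.events.append(f"NOTIFY: {t}% of audit storage used")
        if pct > ALERT_THRESHOLD and not self.alerted:   # AU-5(2)
            self.alerted = True
            self.events.append(f"ALERT: audit storage above {ALERT_THRESHOLD}%")

    def minutes_until_full(self, bytes_per_minute: int) -> float:
        """AU-4 sizing check: time administrators have to restore the log link."""
        return (self.capacity_bytes - self.used_bytes) / bytes_per_minute

    def reconnect(self) -> int:
        """Log server link restored: flush the buffer and reset the thresholds."""
        flushed = len(self.buffer)
        self.buffer.clear()
        self.used_bytes = 0
        self.notified.clear()
        self.alerted = False
        self.log_server_up = True
        return flushed

def simulate(capacity: int, record_size: int, n: int, server_up: bool):
    """Write n constructed records of record_size bytes; returns (store, results)."""
    store = AuditStore(capacity_bytes=capacity, log_server_up=server_up)
    results = [store.write(b"x" * record_size) for _ in range(n)]
    return store, results
```

Two design points worth keeping in a real implementation: thresholds are tracked as crossings (a set of levels already reported) so a store sitting at 96 % does not page every time a record lands, and the shutdown decision is made at the moment a record cannot be stored rather than when a percentage is reached, which is what the AU-5 value in Table 2 actually says.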

7. Regulatory/Statutory Controls
There are no identified security controls that have specific regulatory/statutory requirements for
Cross Domain Solutions.

8. Tailoring Considerations
For cross domain solutions, start with CNSSI No. 1253, Version 2, dated 15 March 2012 and
then apply this CDS overlay. Care should be taken that security controls are not removed without
a thorough understanding of the system, mission, environment and network. Removing one
security control can affect different aspects of the cross domain solution and jeopardize
certification and accreditation.

9. Duration
This overlay uses the NIST SP 800-53, Revision 3, Recommended Security Controls for Federal
Information Systems and Organizations, August 2009 with May 2010 errata updates and CNSSI
No. 1253, Version 2, dated 15 March 2012, Security Categorization and Control Selection for
National Security Systems. When either document is updated, this CDS overlay will need to be
revisited.

10. Reference

• Cross Domain Management Office (CDMO) Establishment Memo, July 2006
• Unified Cross Domain Management Office (UCDMO) Signed Charter, March 2007

11. Definitions
This overlay uses the terms in NIST SP 800-53, Rev. 3 and CNSSI No. 4009, National
Information Assurance Glossary. Terms or definitions unique to this publication are identified
below.
Access CDS: An Access CDS provides access to a computing platform, application, or data
residing on different security domains from a single device.

Cross Domain Solutions: A form of controlled interface that provides the ability to manually
and/or automatically access and/or transfer information between different security domains.

Journaling: A collection of auditable events associated with a CDS data transaction, such as
what happens to data as it flows through a CDS, from initial receipt, through all security
processing steps, and final transmission. A journal contains the raw and processed files/data
sent through the CDS (i.e., images, MS Office files, XML files, USMTF messages, etc.).

Multi-level CDS: A Multi-level CDS uses trusted labeling to store data at different
classifications and allows users to access the data based upon their security domain and
credentials.

Regrader: A trusted process explicitly authorized to re-classify and re-label data in
accordance with a defined policy exception. Untrusted / Unauthorized processes are such
actions by the security policy.

Sanitize or Sanitization: The removal of extraneous or potentially harmful data (e.g., malware)
within a file or other information container (e.g., network protocol packet).

Security Domain: A domain that implements a security policy and is administered by a single
authority.

Transfer CDS: A Transfer CDS facilitates the movement of data between information systems
operating in different security domains.

Trusted Operating System: An operating system in which there exists a level of confidence
(based on rigorous analysis and testing) that the security principles and mechanisms (e.g.,
separation, isolation, least privilege, discretionary and non-discretionary access control,
trusted path, authentication, and security policy enforcement) are correctly implemented and
operate as intended even in the presence of adversarial activity.
