Standards and Classification
Cross-domain solutions do not exist in a vacuum. They are built, tested, and certified against a web of international standards, national evaluation schemes, and classification systems that together determine what a CDS can do and where it can be deployed.
This section covers three interconnected topics:
- International Standards: the frameworks that define how CDS products are evaluated -- Common Criteria assurance levels, NIST security controls, NATO interoperability standards, and industrial security standards like IEC 62443.
- Certification and Evaluation: the practical process of getting a CDS product certified for use -- who evaluates, how long it takes, what it costs, and why mutual recognition between nations is more limited than you might expect.
- Classification Systems: the security classification schemes that CDS must enforce -- NATO, US, UK, Australian, Canadian, and French systems. Includes a cross-national mapping table and the classification pair matrix that determines what level of CDS assurance is needed for each boundary.
These three topics are deeply intertwined. The classification pair between two domains determines the assurance level required. That assurance level maps to a Common Criteria EAL or national equivalent. And the certification process determines how long it takes and how much it costs to achieve that level.
For background on the CDS types and architectures that these standards apply to, see The Three Types of CDS and the Hardware CDS and Software CDS sections.