Soldiers on the tactical edge can find communication stymied when trying to share critical information across classified and unclassified networks. Certification is helping one Army lab bring more options to the table faster than in the past.

Certification comes from the Defense Department's Unified Cross Domain Services Management Office (UCDSMO), and it gives the U.S. Army Communications-Electronics Research, Development and Engineering Center (CERDEC) the green light to do hands-on testing of cross-domain solutions.

Since winning certification in May the lab has put one solution into the testing regimen, which can take four to six months, and it has two others in queue. 

"There has been a backlog for this kind of testing," said Philip Payne, a computer engineer in CERDEC's Space and Terrestrial Communications Directorate and team lead for the cross-domain solutions lab. "This means solutions will get on a quicker timeline to certification, and the quicker we can get them certified, the quicker we can field."

The idea of cross-domain communications can seem counterintuitive: The point of having a classified and an unclassified network is that they don't talk to each other. But there are times when tactical necessity calls for a degree of cross-pollination.

"Maybe in a tactical environment you only have access to a classified network, but you have uncleared soldiers at the tactical edge and you don’t want to try to get clearances for every person in the battalion," Payne said.

Sometimes intelligence can evolve in the field, driving the need for network flexibility. "You may take a picture that is unclassified, but when you combine that with other information and other resources, it then becomes classified. Now you need a way to get it to the classified network," he said.

The need can go in the other direction, too: Sometimes a piece of classified data gets repurposed for an unclassified use.

"My guys at the lowest edge may only need a target; they don’t need to know who that target is or where it is going. That kind of information is classified," Payne said. "So the cross-domain solutions work in both ways, from low to high and from high to low."

Such solutions exist and are commonly employed. CERDEC can now test-drive new variations, performing lab-based security assessments at the request of diverse entities across defense. Sometimes new solutions come to the fore when vendors implement new methodologies. In other cases a vendor may change operating systems, or may simply put out a routine update. Because of the sensitivity surrounding cross-domain networking, all these must be vetted and cleared before going out to the field.

Few labs get certified to do such work. CERDEC’s is the first in over a decade to win UCDSMO approval and only the fourth in the country. The others are Space and Naval Warfare Systems Center Atlantic in Charleston, South Carolina; Air Force Research Lab in Rome, New York; and Information Systems Engineering Command’s Technology Integration Center in Fort Huachuca, Arizona.

In an Army release, UCDSMO Director Dr. Maurice M. McKinney called the lab’s certification a "monumental achievement," while NSA Deputy Chief Donald Heckman said certification positioned the lab to play a critical role in national security.

Often a cross-domain solution comes down to a set of policies regarding the kind of information that can or cannot move between networks. This is no small matter, as such policies must be extremely detailed.

"It has to be very granular and very specific, and you can’t necessarily take the vendor at their word," Payne said. "You are not supposed to be able to send a video through, so we try to send video through, we try to send text, we send all sorts of combinations. Then we have to look at the auditing. How do failures get recorded? What happens when something goes through that shouldn’t have? It is a very arduous process."

There is no one perfect solution to the cross-domain challenge, since individual networks and changing tactical needs often dictate how such traffic can or should be handled. CERDEC researchers do have one simple rule of thumb, however, to help guide them in their efforts: Better out than in.

Most solutions that pass muster rely on white lists — a predefined set of allowable data characteristics — as opposed to blacklists, which seek to define forbidden traffic.

"We want to implicit deny rather than implicit allow," Payne said. "This way you can be very specific about what goes through, and if you are not specific enough, the worst that happens is it gets blocked. The worst case is, you keep the network safe."
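The difference between implicit deny and implicit allow, and the audit trail a tester would inspect, can be shown in a short sketch. This is an added example, not code from the article, the lab or any fielded guard; the policy fields, content types, probe messages and function names are all constructed for illustration.

```python
import json

# Constructed policy (assumption): each permitted type names its allowed
# directions, a size limit, and a payload check. Anything else is denied.
ALLOW = {
    "text/plain": {"dirs": {"low_to_high", "high_to_low"}, "max": 2048,
                   "check": lambda p: p.isascii() and p.decode("ascii").isprintable()},
    "image/jpeg": {"dirs": {"low_to_high"}, "max": 500_000,
                   "check": lambda p: p.startswith(b"\xff\xd8\xff")},
}
BLOCK = {"video/mp4"}  # constructed block-list, for comparison only
AUDIT = []             # one JSON record per decision, allow or deny

def _record(msg, decision, reason):
    AUDIT.append(json.dumps({"id": msg["id"], "type": msg["type"],
                             "dir": msg["dir"], "decision": decision,
                             "reason": reason}))
    return decision

def allowlist_guard(msg):
    """Implicit deny: a message passes only if every rule check succeeds."""
    rule = ALLOW.get(msg["type"])
    if rule is None:
        return _record(msg, "deny", "type not on allow-list")
    if msg["dir"] not in rule["dirs"]:
        return _record(msg, "deny", "direction not permitted for type")
    if len(msg["payload"]) > rule["max"]:
        return _record(msg, "deny", "payload exceeds size limit")
    if not rule["check"](msg["payload"]):
        return _record(msg, "deny", "payload does not match declared type")
    return _record(msg, "allow", "matched allow-list rule")

def blocklist_guard(msg):
    """Implicit allow: only types someone thought to forbid are stopped."""
    return "deny" if msg["type"] in BLOCK else "allow"

# Constructed probe traffic, in the spirit of "we try to send video through".
PROBES = [
    {"id": 1, "type": "text/plain", "dir": "high_to_low", "payload": b"status report 01"},
    {"id": 2, "type": "video/mp4", "dir": "low_to_high", "payload": b"\x00\x00\x00\x18ftyp"},
    {"id": 3, "type": "video/x-matroska", "dir": "low_to_high", "payload": b"\x1aE\xdf\xa3"},
    {"id": 4, "type": "image/jpeg", "dir": "low_to_high", "payload": b"\x1aE\xdf\xa3"},
    {"id": 5, "type": "image/jpeg", "dir": "high_to_low", "payload": b"\xff\xd8\xff\xe0"},
]

if __name__ == "__main__":
    for m in PROBES:
        print(m["id"], m["type"], blocklist_guard(m), allowlist_guard(m))
    print("\n".join(AUDIT))
```

Probes 3 to 5 are the ones the block-list lets through: an unlisted video type, a video mislabeled as an image, and an image sent in a direction the policy does not permit.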
