Connecting The Disconnected
Copyright © 4Secure Ltd.
All rights reserved
Company
About
Clients
News
Insights
Privacy Policy
Solutions
Components
Software
Cross-Domain
Solutions
Consulting
Get it right, and your programme moves forward with confidence. If you get it wrong, you may face delayed accreditation, rework costs, and potential re-procurement.
This guide gives you a practical structure for evaluating the market: who the major vendors are, what technical capabilities actually matter, and why UK sovereignty deserves its own column in your comparison matrix.
What Is a Cross-Domain Solution, and Why Does Vendor Choice Matter?
In UK government and defence environments, that often means securely moving information between domains such as OFFICIAL, OFFICIAL-SENSITIVE, SECRET, and TOP SECRET, while maintaining the security boundaries between them.
Choosing the right vendor shapes more than just the technology you deploy. It can influence your accreditation journey, long-term support experience, supply chain confidence, and how smoothly your project moves from planning to operation.
And while two solutions may appear similar on paper, the real differences often emerge during deployment, integration, and assurance activities. Understanding those differences early can make the path to accreditation far more efficient.
What Is a Cross-Domain Solution, and Why Does Vendor Choice Matter?
US-Based Vendors
- Everfox (formerly Forcepoint’s government division): One of the most widely recognised names in the CDS space, offering a broad portfolio of high assurance guards and data transfer products.
- Owl Cyber Defense: Specialises in data diodes and unidirectional security gateways, with a strong presence in critical national infrastructure (CNI) and defence environments.
- BAE Systems: Brings a defence-prime perspective to CDS, with solutions designed for intelligence and military applications.
- General Dynamics Mission Systems: Offers high assurance cross-domain products used across US federal and allied programmes.
These vendors have genuine technical depth. For programmes operating within US government frameworks, they’re often the natural first port of call.
UK and European Alternatives
- 4Secure: A UK-sovereign CDS specialist with over two decades of experience in defence, government, and CNI.
- Infodas: A German company, offers cross domain products with a European assurance perspective.
- Element.io: Addresses secure messaging across classification boundaries, though they serve a different part of the CDS requirement space. This is more ideal for specific collaboration use cases.
What Does NSA Approval Actually Mean – and Does It Apply to Your Programme?
NSA approval carries genuine weight. But it doesn’t automatically satisfy UK accreditation requirements. The UK National Cyber Security Centre (NCSC) and frameworks such as JSP 440 (the Ministry of Defence’s security policy) have their own assurance processes. A product evaluated by the NCDSMO still needs to go through UK-specific accreditation before it can operate in a UK classified environment.
If you’re a UK government or defence buyer, check the accreditation pathway with your Accreditor early rather than assuming an NSA-evaluated product is pre-cleared for your programme. Ask vendors directly about their track record in UK assurance processes. The answer matters more than the product brochure.
US Vendors vs UK-Sovereign Solutions: What Is the Practical Difference?
Sovereign assurance means more than simply where a solution is manufactured. A UK-sovereign cross-domain solution (CDS) is designed, built, and supported entirely within the UK, with clear supply chain visibility and assurance throughout the lifecycle.
That includes UK-controlled development and support, no reliance on foreign-owned parent organisations, and no export licence constraints that could complicate deployment or long-term operations.
For many UK government and defence programmes, this is a hard requirement, not a preference. The Security Policy Framework and Cabinet Office guidance on supply chain risk both point in the same direction: understand who built your technology and who can access it.
Using a US-built CDS in a UK classified environment introduces questions that take time and effort to resolve.
- Can the vendor’s support engineers access the system?
- What are the export control implications?
- Who holds the intellectual property?
These aren’t reasons to automatically rule out US vendors, but they are questions that need clear answers before you commit.
What Technical Capabilities Should You Compare Across CDS Vendors?
Content Inspection Depth
Unidirectional vs Bidirectional Capability
A data diode enforces one-way data flow at the hardware level. There is no network path that allows data to travel in the reverse direction. This is the right choice when you need absolute separation, such as forwarding Splunk logs from a low-side network to a high-side SIEM without any return path.
Full CDS products support bidirectional data exchange, using two separate unidirectional paths to enable request-response protocols like HTTP/HTTPS, RDP, and VNC. This is more complex to implement and accredit, but necessary for use cases like remote screen replication or command-and-control applications across classification boundaries.
Protocol Support and OT Compatibility
Government buyers typically focus on document transfer and web protocols. CNI buyers have additional requirements: OT protocols, SCADA data feeds, industrial control system (ICS) telemetry. Not every CDS vendor has deep OT capability. If your programme involves IT/OT integration, ask specifically about protocol support for your operational environment.
Deployment Flexibility
Hardware-only solutions offer strong physical assurance but limited deployment flexibility. Software-led approaches, deployable on-premise or in cloud environments, give you more options as your architecture evolves. The best programmes combine both, using hardware enforcement where the assurance case demands it and software-defined inspection where flexibility matters.
How Do Zero Trust Principles Apply to Cross-Domain Solutions?
A firewall controls who can connect. A CDS controls what data can cross the boundary, inspecting content against defined policies before allowing transfer.
That’s Zero Trust applied at the data level. Vendors vary significantly in how deeply their architecture supports Zero Trust policy enforcement. Some offer granular, content-level controls.
Others provide basic access control presented in Zero Trust language. Ask vendors to describe their policy enforcement model in technical terms, not marketing ones.
How to Build a CDS Vendor Shortlist for a Government or CNI Programme
A practical shortlisting process works across six areas. Work through each before you compare product features.
- Accreditation pathway: Which vendors have a demonstrable track record of passing assurance in your regulatory context? Ask for specific examples, not general claims.
- Operational fit: Does the vendor support your specific data types, protocols, and throughput requirements? A vendor strong in document transfer may not be the right choice for real-time OT data.
- Sovereign requirements: Is UK-built a hard requirement for your programme, or a preference? Get clarity from your security authority before shortlisting.
- Support model: In-country support, defined response SLAs, and access to engineers who understand your environment matter as much as the product itself.
- Framework availability: Check whether the vendor is available through Crown Commercial Service (CCS), G-Cloud, or JOSCAR. This simplifies procurement and reduces commercial risk.
- Integration capability: Can the solution work alongside your existing SIEM, anti-virus, and content disarm and reconstruction (CDR) tools, or does it require a standalone architecture?
One question worth asking every vendor: how long did your last UK government accreditation take, and what were the main points of challenge? The answer tells you more than any product datasheet.
Where Does 4Secure Fit in the CDS Market?
4Secure is a UK-sovereign CDS specialist, established in 2003, with a track record spanning defence, government, and CNI programmes.
The company’s TrustedFilter® platform takes a software-led approach to content inspection, performing syntactic and semantic verification of data at the transfer layer. It’s deployable on-premise or in cloud environments and works alongside hardware-enforced data diodes where unidirectional assurance is required.
That combination is deliberate. Hardware-only vendors can’t offer the deployment flexibility that modern programmes need. Software-only vendors can’t always satisfy the assurance requirements of the highest classification environments.
4Secure’s approach gives you both, with a UK supply chain that removes sovereign assurance questions before they become programme blockers.
We work with organisations including BAE Systems, BT, EDF, Thales, and HM Government.
Speak with the 4Secure team or explore our cross-domain solutions to understand how we approach your specific requirements.
Frequently Asked Questions About Cross-Domain Solutions
Which CDS vendors are recognised by the NSA or NCSC?
The NSA’s NCDSMO evaluates products for US government use, with recognised vendors including Everfox, Owl Cyber Defense, and General Dynamics. UK NCSC accreditation follows a separate process. UK buyers should confirm accreditation status directly with vendors and their programme accreditor.
What is the difference between a data diode and a cross-domain solution?
A data diode is a hardware device that enforces one-way data flow at the physical layer. A full CDS is a broader system that may include data diodes, content inspection engines, and policy enforcement for bidirectional data exchange across classification boundaries.
Are there UK-built CDS vendors, or is this market US-dominated?
The market is US-dominated, but UK-sovereign options exist. 4Secure is a UK-built CDS provider with over 20 years of experience in defence, government, and CNI. For programmes requiring UK supply chain assurance, this distinction matters significantly.
How do I evaluate a CDS vendor for a UK government programme?
Focus on accreditation track record in UK environments, sovereign supply chain credentials, protocol and content inspection depth, framework availability (CCS, G-Cloud, JOSCAR), and in-country support capability. Start with your accreditation pathway before comparing product features.