Ensure CDSs Separate Upward and Downward Data Paths
CDSs have independent security controls for data going both up and down between networks.
Plain language
A Cross Domain Solution (CDS) ensures that when information is sent between different networks, the path for sending information from a less sensitive network to a more sensitive one is kept separate from the path going in the opposite direction. This is important because mixing these paths could allow unauthorised access to sensitive information or cause data leaks, similar to leaving a door unlocked for outsiders to slip in unnoticed.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
CDSs implement independent security-enforcing functions for upward and downward network paths.
Why it matters
Improper separation can allow cross-domain leakage or a bypass, enabling data exfiltration downward or compromise of high-side networks via the wrong path.
Operational notes
Regularly confirm CDSs enforce separate, independent security functions for upward and downward paths, and test that failures in one path cannot affect the other.
Implementation tips
- System owners should ensure that their networks have separate paths for sending and receiving data. They can do this by consulting with a security expert to create clear flow paths in the network design, specifically for handling different levels of sensitive data.
- IT teams need to implement and maintain separate technology controls for each data path. They can achieve this by using network configurations that distinctly separate the routing of 'upward' (less to more sensitive) and 'downward' (more to less sensitive) data flows, ensuring no overlap.
- Managers should regularly train their staff on the importance of these separations. This can be achieved through workshops or e-learning modules that explain the separation concept in practical terms for everyday activities.
- Procurement officers must acquire and maintain the right tools and technologies that enforce these separations. They should work with vendors to ensure that products purchased have features that support separation of data flows according to Australian Cyber Security Centre (ACSC) guidelines.
- Policies should be put in place by governance teams to ensure compliance with this control. These policies should clearly document the need for separation, and regular internal audits should verify adherence to these policies and the effectiveness of the separation.
Audit / evidence tips
- Ask: the network design documents. Request diagrams and descriptions detailing how data flows between networks are managed.
  Good: shows clear, separate paths for each direction with documented security controls.
- Good: provides logs with timestamps verifying that information flows separately through designated paths.
- Good: includes attendance logs or certificates showing all relevant staff attended recent training sessions.
- Ask: system configuration settings. Request access to actual network configurations or screenshots showing CDS settings. Check for settings that enforce the separation of data paths.
  Good: explicit settings in network management systems that enforce path separation requirements.
- Ask: records showing which tools and technologies are authorised for ensuring path separation.
  Good: provides evidence that technologies used have been vetted for compliance with the separation requirement.
Cross-framework mappings
How ISM-1522 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 8.20 | ISM-1522 requires CDSs to enforce security independently on upward and downward transfer paths to prevent cross-domain leakage or backflow | |
| Annex A 8.22 | ISM-1522 requires CDSs to implement independent security-enforcing functions for both upward and downward data paths across network bound... | |
| Annex A 8.27 | ISM-1522 requires a CDS architecture where upward and downward data paths have independent security-enforcing functions | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.