The hardware runs a type of knowledge management software that examines data coming out of the higher-classification subsystem and rejects any data that is classified higher than the lower classification.
Through various rules and filters, the HAG ensures that data is of the lower classification and then allows the transfer.
On the application layer, the HAG runs an "evaluated mandatory integrity policy" that protects sensitive files, data and applications from inadvertent disclosure.
The systems are certified via the Common Criteria; depending on the classification, the system may require Common Criteria Evaluation Assurance Level (EAL) 3 or higher.
The HAG is mostly used in email and DMS environments, because certain organizations may have only unclassified network access yet need to send a message to an organization that has only secret network access.
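
The rule-and-filter release check described above, sketched as an added example; it is not code from any HAG product. The message format (a `Classification:` header, a blank line, then the body), the four-level ordering and the name `guard_release` are assumptions made for illustration.

```python
import re
from enum import IntEnum

class Level(IntEnum):          # assumed ordering; only the comparison matters
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Marking text -> level. Anything not listed is unknown and is rejected.
MARKINGS = {"UNCLASSIFIED": Level.UNCLASSIFIED, "CONFIDENTIAL": Level.CONFIDENTIAL,
            "SECRET": Level.SECRET, "TOP SECRET": Level.TOP_SECRET}
# "TOP SECRET" is listed first so it is not matched as a bare "SECRET".
_MARK_RE = re.compile(r"\b(TOP SECRET|UNCLASSIFIED|CONFIDENTIAL|SECRET)\b")

def guard_release(message: str, destination: Level):
    """Decide whether a message may cross to `destination`.

    Returns (released, reason). The check fails closed: a missing,
    duplicated or unrecognised label is a rejection, never a pass.
    """
    header, sep, body = message.partition("\n\n")
    if not sep:
        return False, "no header/body separator"
    labels = [line.split(":", 1)[1].strip() for line in header.splitlines()
              if line.lower().startswith("classification:")]
    if len(labels) != 1:
        return False, "missing or duplicate classification label"
    level = MARKINGS.get(labels[0].upper())
    if level is None:
        return False, "unknown classification label"
    # Rule: the label must not exceed the lower-classification side.
    if level > destination:
        return False, f"label {level.name} exceeds destination {destination.name}"
    # Filter: an upper-case marking in the body that is above the
    # destination overrides a low header label (simplified content scan).
    for match in _MARK_RE.finditer(body):
        if MARKINGS[match.group(1)] > destination:
            return False, f"body contains {match.group(1)} marking"
    return True, "released"

if __name__ == "__main__":
    # Constructed sample: low header label, higher marking left in the body.
    sample = "Classification: UNCLASSIFIED\n\n(SECRET) Route details follow."
    print(guard_release(sample, Level.UNCLASSIFIED))
```

The header label alone is not trusted: the body scan catches a message whose label was downgraded while higher-marked text remained in the content.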