Multiple single-level

Throughout the 1990s, however, many offices in the defense and intelligence communities took advantage of falling computing costs to deploy desktop systems classified to operate only at the highest classification level used in their organization.

In addition, each computer was connected to its own LAN at the appropriate classification level, meaning that multiple dedicated cabling plants were incorporated (at considerable cost in terms of both installation and maintenance).

Although no strict requirements by way of federal legislation specifically address the concern, it would be appropriate for such a monitor to be quite small, purpose-built, and supportive of only a small number of very rigidly defined operations, such as importing and exporting files, configuring output labels, and other maintenance/administration tasks that require handling all the collocated MSL peers as a unit rather than as individual, single-level systems.

The periods processing model offered the promise of a single computer but did nothing to reduce multiple cabling plants and proved enormously inconvenient to users; accordingly, its adoption was limited.

In addition, Trusted Computer Solutions has developed a thin-client product, originally based on the NetTop technology concepts through a licensing agreement with NSA.

This product is called SecureOffice® Trusted Thin Client™, and runs on the LSPP configuration of Red Hat Enterprise Linux version 5 (RHEL5).

One readily perceives that the MLS architecture and design issues have not been eliminated, merely deferred to a separate stratum of software that invisibly manages mandatory access control concerns so that superjacent strata need not.

What the set-of-MSL-peers abstraction has positively achieved, however, is a radical restriction of the scope of MAC-cognizant software mechanisms to the small, subjacent MOS.

To permit data sharing between computers working at different classification levels, such sites deploy cross-domain solutions (CDS), which are commonly referred to as gatekeepers or guards.

In general, these are subject to the same restrictions that have imposed challenges on other MLS solutions: strict security assessment and the need to provide an electronic equivalent of stated policy for moving information between classifications.

Note that the term "high-assurance" as employed here is to be evaluated in the context of DCID 6/3 (read "dee skid six three"), a quasi-technical guide to the construction and deployment of various systems for processing classified information, lacking both the precise legal rigidity of the Orange Book criteria and the underlying mathematical rigor.

(The Orange Book is motivated by, and derived from, a logical "chain of reasoning" constructed as follows: [a] a "secure" state is mathematically defined, and a mathematical model is constructed, the operations upon which preserve secure state so that any conceivable sequence of operations starting from a secure state yields a secure state; [b] a mapping of judiciously chosen primitives to sequences of operations upon the model; and [c] a "descriptive top-level specification" that maps actions that can be transacted at the user interface (such as system calls) into sequences of primitives; but stopping short of either [d] formally demonstrating that a live software implementation correctly implements said sequences of actions; or [e] formally arguing that the executable, now "trusted," system is generated by correct, reliable tools [e.g., compilers, librarians, linkers].)
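Step [a] of that chain of reasoning can be shown as a small executable model. This is an added example, not part of the original article: it assumes a three-level lattice with no-read-up and no-write-down as the definition of "secure state" (the article does not spell out the model), and every name, subject and object in it is constructed for illustration.

```python
from itertools import product

# Constructed sample lattice, subjects and objects (assumptions, not from the article).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}
SUBJECTS = {"alice": "SECRET", "bob": "UNCLASSIFIED"}
OBJECTS = {"memo": "UNCLASSIFIED", "plan": "SECRET", "codeword": "TOP SECRET"}
MODES = ("read", "write")


def dominates(a, b):
    """True when level a is at or above level b."""
    return LEVELS[a] >= LEVELS[b]


def is_secure(state):
    """Secure state: every current access obeys no-read-up and no-write-down."""
    for subj, obj, mode in state:
        s, o = SUBJECTS[subj], OBJECTS[obj]
        if mode == "read" and not dominates(s, o):
            return False
        if mode == "write" and not dominates(o, s):
            return False
    return True


def get_access(state, subj, obj, mode):
    """Model operation: grant the access only if the resulting state is secure."""
    candidate = state | {(subj, obj, mode)}
    return candidate if is_secure(candidate) else state


def release_access(state, subj, obj, mode):
    """Model operation: dropping an access cannot violate either rule."""
    return state - {(subj, obj, mode)}


def check_sequences(depth):
    """Apply every operation sequence of length <= depth to the empty (secure)
    state; return the number of distinct states reached, raising on a violation."""
    requests = list(product((get_access, release_access), SUBJECTS, OBJECTS, MODES))
    seen = {frozenset()}
    frontier = set(seen)
    for _ in range(depth):
        frontier = {op(s, *args) for s in frontier for op, *args in requests} - seen
        if not all(map(is_secure, frontier)):
            raise RuntimeError("an operation sequence left the secure state")
        seen |= frontier
    return len(seen)
```

The exhaustive walk stands in for the inductive proof: because each operation maps a secure state to a secure state, no sequence of operations can reach an insecure one.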