NCSC publishes updated cross-domain guidance for secure data movement

The UK’s National Cyber Security Centre (NCSC) has released new guidance aimed at making cross-domain technologies easier to understand and deploy across government, industry and the wider security co...

The UK’s National Cyber Security Centre (NCSC) has released new guidance aimed at making cross-domain technologies easier to understand and deploy across government, industry and the wider security community.

Cross-domain systems are used to move data safely between environments with different levels of trust. They are already well established in defence and intelligence settings, but the NCSC says the need has widened as more sectors face targeted attacks and complex supply chain risks.

Why the guidance has changed

According to the NCSC, modern organisations often run interconnected systems that were not originally designed to work together securely. At the same time, attackers are becoming more capable, and advances in AI are expected to make vulnerability discovery and exploitation faster. That combination, the agency says, means cross-domain security is now relevant to organisations handling highly sensitive data, valuable intellectual property or critical services.

The revised material shifts the focus away from fixed product categories and toward the overall architecture needed to support secure business functions. Examples include document transfer, video communications and integration with services hosted in other environments, including via APIs.

What the new guidance covers

The NCSC says the updated approach is built around understanding data flows, system connections and the threats that apply both to individual systems and to linked environments. It also explains key ideas such as trust zones, trust boundaries and control points, while emphasising layered controls rather than reliance on a single safeguard.

  • How cross-domain functions fit into end-to-end system design
  • The role of trust zones and control points
  • Why assurance should apply across the full data flow
  • How to think about threats in interconnected environments

The new guidance largely replaces the NCSC’s older security principles for cross-domain solution design when it comes to new end-to-end architectures. Those principles will still be used for the agency’s Principles Based Assurance process in the near term.

Existing import and export design patterns are also being phased out, with new cross-domain patterns expected later.

What comes next

The NCSC said it plans to expand the guidance with more practical material, including step-by-step architecture advice, recommendations on choosing suitable technologies and standardised patterns that can be reused across different use cases.