You didn't mention what the unclassified systems were rated at (C1/C2/B1/B2) or whether the personnel involved were at different security clearances, which may have a significant impact on what you do and how it is done. Overall, it sounds as though you are referring to either a multilevel secure or a multilevel security mode issue. There are a couple of avenues you should probably look at, such as Common Criteria, Rainbow Series documentation and industry-specific criteria (i.e., HIPAA laws). Gary Meech (my work associate) suggests you review the Joint DODIIS Manual and the Trusted Network Interpretation NCSC-TG-005 Red Book (from the Rainbow Series), and, because it could have been a local directive created by the federal agency/group, check with them.