Designing a Protected Distribution System (PDS): Carriers, Conduit, and Inspection Intervals
A Protected Distribution System (PDS) is a US government construct that allows unencrypted classified national-security information to traverse wireline or fiber telecommunications infrastructure—provided that infrastructure incorporates physical and electromagnetic safeguards sufficient to deter, detect, and impede unauthorized access. The governing authority is the Committee on National Security Systems (CNSS), and the current controlling document is CNSSI No. 7003 (2015), which superseded the historical predecessor NSTISSI No. 7003 (1996). Any design effort must reference CNSSI No. 7003 as the operative standard; NSTISSI No. 7003 is retained for historical context only.
This guide provides infrastructure and data-center professionals with a structured framework for selecting carrier types, specifying conduit, and establishing compliant inspection schedules under CNSSI No. 7003.
PDS Categories and Design Philosophy
CNSSI No. 7003 defines two principal PDS categories, each reflecting a different balance between physical hardening and continuous electronic monitoring:
- Hardened Distribution System: Relies primarily on robust physical construction—sealed, tamper-evident enclosures, rigid conduit, and controlled-access pathways—to make physical penetration difficult and detectable through visual means.
- Simple/Alarmed Carrier PDS: Supplements or partially replaces heavy physical hardening with continuous electronic monitoring of the carrier itself, detecting intrusion attempts in real time and alerting security personnel.
The design choice between these categories depends on facility threat posture, the classification level of traffic, path length, and the availability of continuous monitoring infrastructure. Neither category eliminates the requirement for periodic physical inspection; they differ in how detection is achieved between inspections.
Carrier Selection
Fiber vs. Copper
Fiber-optic cable is the preferred medium in modern PDS installations. It does not radiate electromagnetic signals in a manner exploitable by passive interception, which simplifies the boundary between PDS obligations and the adjacent but separate discipline of TEMPEST (emanations security). TEMPEST addresses radiated and conducted emanations and is governed by distinct requirements; a PDS addresses physical line protection and the two must not be conflated in design documentation.
Copper conductors may be used where fiber is impractical, but they introduce additional TEMPEST risk considerations that must be evaluated separately. Regardless of medium, the cable must be routed and terminated in a manner that supports verifiable inspection at all access points.
Alarmed Carrier Technology
The Alarmed Carrier category of PDS benefits substantially from purpose-built sensing infrastructure. Heather Technologies partners with CyberSecure IPS, whose Alarmed Carrier PDS solution embeds specialized optical fibers within the conduit assembly capable of sensing acoustic vibration caused by intrusion attempts. The system provides centrally managed, continuous monitoring and is designed to automate and document the Periodic Visual Inspection (PVI) and testing obligations required under CNSSI No. 7003. For facilities where inspection staffing is constrained or conduit runs traverse high-risk zones, this approach materially reduces compliance risk.
Conduit Specification and Physical Carrier Requirements
The conduit system is the foundational physical carrier of a PDS and must be designed to make unauthorized access both difficult and detectable. The following principles govern compliant conduit design under CNSSI No. 7003:
- Continuous, sealed pathways: Conduit runs must form a continuous, sealed enclosure from origin to termination. Junctions, pull boxes, and splice points are potential vulnerability locations and must be treated with equivalent rigor—secured, sealed, and included in inspection records.
- Material and construction: Rigid metallic conduit is typically specified for Hardened Distribution System configurations. The material must resist penetration and tampering sufficiently to meet the deterrence standard established by CNSSI No. 7003. Flexible sections, where necessary, require special attention to tamper evidence.
- Access control at termination points: All conduit terminations, including equipment room entry points and cross-connect locations, must be within controlled-access areas. The PDS boundary ends at the termination; any extension beyond requires its own protection assessment.
- Labeling and documentation: Complete as-built documentation of conduit routing, junction locations, and access-point coordinates is a prerequisite for both initial accreditation and ongoing inspection compliance.
Conduit in the Context of Modern Data-Center Infrastructure
Data-center environments introduce density and routing challenges not common in traditional government communications facilities. Overhead cable trays, raised-floor pathways, and hot-aisle/cold-aisle architectures must each be evaluated against the physical-access deterrence and detection requirements of CNSSI No. 7003. PDS conduit sharing a tray or pathway with non-PDS cabling requires clear physical separation and documentation demonstrating that access to classified-cable conduit does not become inadvertently available through adjacency.
Inspection Intervals and Periodic Visual Inspection (PVI)
CNSSI No. 7003 establishes the requirement for Periodic Visual Inspection of the PDS physical plant. The purpose of PVI is to detect evidence of tampering, physical damage, unauthorized access, or degradation of seals and tamper-evident features between accreditation cycles.
| PDS Type | Primary Detection Mechanism | PVI Requirement |
|---|---|---|
| Hardened Distribution System | Physical construction and sealing | Required per CNSSI No. 7003 schedule; physical inspection of full conduit path |
| Simple/Alarmed Carrier PDS | Continuous electronic monitoring supplementing physical controls | PVI required; continuous monitoring supports and documents compliance between intervals |
Inspection records must document the inspector, date, sections covered, condition of seals and conduit, and any anomalies noted. Anomalies trigger a security review process defined within the facility's accreditation authority procedures. Organizations using the CyberSecure IPS Alarmed Carrier platform gain automated logging and alert histories that directly support this documentation requirement, reducing the administrative burden of inspection recordkeeping.
Accreditation Authority Coordination
Inspection intervals under CNSSI No. 7003 interact with the accreditation authority's requirements for the classified system the PDS supports. Design teams must coordinate with the relevant Authorizing Official to ensure that inspection schedules, documentation formats, and anomaly-response procedures align with the broader system accreditation package. The PDS design alone does not constitute accreditation; it is a component of a larger security architecture subject to formal authority-to-operate processes.
Design Checklist Summary
- Identify PDS category (Hardened or Simple/Alarmed Carrier) based on threat posture and monitoring capability
- Select cable medium (fiber preferred; copper requires separate TEMPEST assessment)
- Specify continuous, sealed, tamper-evident conduit with compliant materials
- Document all conduit routing, junctions, and termination points in as-built records
- Establish PVI schedule and recordkeeping procedures per CNSSI No. 7003
- Evaluate Alarmed Carrier monitoring solutions (such as CyberSecure IPS) for automated compliance support
- Coordinate with the Authorizing Official to integrate PDS design into the system accreditation package
A correctly designed and maintained PDS provides the physical assurance layer that permits classified communications to traverse an infrastructure environment without cryptographic protection of the signal itself—a capability that demands rigorous design discipline, ongoing inspection commitment, and close coordination with accreditation authorities throughout the system lifecycle.