The U.S. Department of Defense (DoD) mission is to provide the military forces needed to deter war and ensure our nation's security, and with that comes the challenge of protecting associated information systems. In the last two decades, cloud computing emerged as a technology with tremendous potential, and the DoD has embraced its possibilities. At the same time, cloud computing raises important questions:
In 2018, the DoD released a framework called the Secure Cloud Computing Architecture (SCCA). Building on existing DoD constructs such as NIPRNet (Non-Secure Internet Protocol Router Network) and Information Impact Levels (IL2, IL4, IL5), “the SCCA is designed to meet the boundary protection needs of the Defense Information Systems Network (DISN) by protecting the DISN from cyberattacks originating from within the Cloud Service Provider’s Cloud Service Environment (CSE).” Use the information on this page as guidance—complementing the DoD documents—for achieving SCCA goals.
To understand the need for SCCA, it helps to understand what came before SCCA.
Information Impact Levels:
In 2015, the Defense Information Systems Agency (DISA) noted that information comes in different impact levels (IL) and that information systems need to be rated according to the level of protection they provide. The DoD identified these information impact levels:
As a result, each cloud service provider (CSP) supporting the DoD must go through an accreditation process for each cloud region to determine its impact level. As an example, the following Oracle Cloud regions have IL4 or IL5 accreditation:
| Oracle Cloud Region | Information Impact Level | Connects to BCAP |
|---|---|---|
| U.S. DoD East | IL4/IL5 | Yes |
| U.S. DoD North | IL4/IL5 | Yes |
| U.S. DoD West | IL4/IL5 | Yes |
| U.S. Gov East | IL4 | No |
| U.S. Gov West | IL4 | No |
Cloud Computing–Security Requirements Guide:
The impact levels listed above were part of a broader document called the “Cloud Computing – Security Requirements Guide” (CC SRG). DISA created this document in 2015 to detail what a commercial cloud region must provide in order to adequately protect DoD information. This document included sections on:
Networks–NIPRNet, SIPRNet:
In today’s interconnected world, the network itself is both a vital asset and a potential threat vector. The DoD, working alongside the Intelligence Community (IC), uses the two networks below, each “fit for purpose” for a specific workload category:
| Government Network | Purpose |
|---|---|
| NIPRNet | Unclassified information |
| SIPRNet | Classified information, up to and including Secret |
Each of these prior security constructs was successful and provided guidance to industry partners on how to offer solutions that meet DoD needs. By 2017, the DoD saw new emerging needs that motivated the creation of an additional framework: SCCA.
If your organization is considering an SCCA, an important question to ask is, “What role will we play?”
The SCCA Functional Requirements Document (FRD) identifies three primary SCCA roles:
| SCCA Role | Description |
|---|---|
| Mission owner (MO) | A DoD entity responsible for delivering and operating a DoD mission system. MOs are responsible for the procurement, deployment, and secure operation of mission systems deployed to the cloud environment. Accordingly, MOs are expected to maintain trusted configuration baselines and to perform continuous monitoring of deployed mission systems. |
| Mission cyberspace protection (MCP) | The DoD entity charged with securing an MO’s enclave and networked systems by establishing and delivering cybersecurity capabilities. The MCP is specifically responsible for cyber defense of MO systems. |
| DISN boundary cyberspace protection (BCP) | The DoD entity charged with establishing and delivering cybersecurity capabilities to protect the DISN. This entity will be DISA. |
For your organization, questions to ask include:
SCCA includes four primary technical components, described below:
| SCCA Component | Description |
|---|---|
| Cloud access point (CAP) | Connects the DISN or NIPRNet to a commercial cloud. There are three variants of a CAP. Major functions: |
| Virtual data center security stack (VDSS) | Serves as the virtual security enclave protecting applications and data hosted in commercial environments. Core services: |
| Virtual data center management service (VDMS) | Provides the security systems that manage the security posture of the mission owner enclave. Enables mission owners to: |
| Trusted cloud credential manager (TCCM) | Controls and monitors privileged user access for cloud environments. The TCCM owns and maintains the cloud credential management plan (CCMP). In contrast to the CAP, VDSS, and VDMS, the TCCM is a person (or role) together with associated processes and procedures. Responsibilities: |
Oracle Cloud Infrastructure (OCI) has introduced a Secure Cloud Computing Architecture (SCCA) solution for the DoD that makes security compliance and cloud adoption for mission-critical workloads easier, faster, and more cost-effective by using a framework of cloud native services.
Oracle’s Cloud Native SCCA Landing Zone provides a framework for securely running DoD mission workloads and storing Impact Level 2, 4, and 5 data in OCI government regions. The automation provided by the SCCA Landing Zone enables DoD mission owners to establish a compliant security architecture in hours or days instead of months. It uses cloud native infrastructure services, significantly reducing the time to deploy mission-critical workloads by cutting architecture time and minimizing decision points.
The Cloud Native SCCA Landing Zone solves the following mission owner challenges:
Terraform-based templates enable you to deploy multiple core services into OCI with the following benefits:
Building on DISA’s foundational guidance, the next logical question might be, “How can my organization implement an SCCA-compliant solution using the Oracle Cloud?”
Customers can implement SCCA in four primary ways:
Contact your Oracle team to discuss these options, and which is best for you.