Department of Defense (DoD) mission owners are responsible for protecting impact level 4 (IL4) and impact level 5 (IL5) data within a cloud service provider (CSP) enclave. The DISA Cloud Connection Process Guide (CCPG) defines the process that mission owners and CSPs follow. The process ensures that production controlled unclassified information (CUI) at IL4 and IL5 is protected and that data spillage is avoided.
The DoD framework for sensitive unclassified data, known as FedRAMP+, builds on the FedRAMP baseline by adding controls specific to the data classification, and it relies on the FedRAMP assessment to meet and assure DoD's critical mission requirements. The controls required for each impact level are specified in the DoD Cloud Computing Security Requirements Guide (SRG).
DoD mission owners can choose from several deployment models, such as private, community, public, and hybrid clouds. Mission owners select the model that suits their infrastructure and applications based on factors such as access to and control of resources, scale, cost, SLAs, and resource availability.
Mission owners determine the control status (impact level) of their application data. They must ensure that the CSP's authorization level accommodates that data and the required network access to it, such as NIPRNet or SIPRNet, through the Defense Information Systems Network (DISN).
Figure 1: CSP-CSO Connection to the DISA Enterprise Boundary Cloud Access Point (BCAP) (Department of Defense CCPG, page 17, figure 6)
The mission owner starts the process by submitting the DoD Cloud IT Project initial contact form to DISA. DISA helps the mission owner navigate the connection process. When DISA approves the project for connection, it notifies the mission owner and schedules a technical exchange meeting. The mission owner must then submit the SNAP cloud IT project (C-ITP) package into the DISA SNAP database. After DISA issues the cloud permission to connect (CPTC), the CSP (such as Oracle Cloud Infrastructure for Government), DISA, and the mission owner hold the technical exchange meeting and can begin the connection process to the boundary cloud access point (BCAP).
The mission owner determines the BCAP connection requirements ahead of time. Based on disaster recovery and high-availability requirements, the mission owner should consider at least two connections to each of the East and West BCAPs. The mission owner works with the CSP and DISA to ensure that the correct number of physical circuits is established in each BCAP region.
A lot goes into establishing the BCAP connection for a cloud IT project, and the process requires thorough documentation and planning by the mission owner. Establishing the physical and virtual connections from the CSP to the BCAP can take several weeks, and the CSP and the mission owner must also plan for extensive connection and validation testing of the network path from the DISN to the application, not only for the circuits themselves.
Items the mission owner obtains before connection:
System/Network Approval Process (SNAP) identification number
Cloud IP addresses and cloud permission to connect (CPTC)
Cybersecurity service provider (CSSP)
Contract vehicle
Approved commercial provider account and connection planning
Connection process steps:
1. SNAP registration (four days after submission)
2. Request secure cloud computing architecture (SCCA) services
3. Provide SNAP ID and application data (IP addresses and subnets)
4. CPTC issued
5. Technical exchange (as required)
6. Connection and validation testing
7. CSSP feeds connected
8. Application owner customizes environments to meet mission requirements
Oracle Cloud Infrastructure DoD regions have received the cloud authority to connect under the DoD Cloud Connection Process Guide (CCPG). Consult your Oracle solution consultant for help with the process.