
Connecting to the NIPRNet for Impact Level 4 and 5 Workloads in Oracle Cloud Infrastructure

Mark Comishock
Director, Product Management

Department of Defense (DoD) mission owners have a responsibility to protect impact level 4 and 5 data within a cloud service provider (CSP) enclave. The DISA Cloud Connection Process Guide outlines a process for mission owners and cloud service providers to follow. The process ensures that production controlled unclassified information (CUI) impact level 4 (IL4) and impact level 5 (IL5) data is protected and that data spillage is avoided.

Protecting Sensitive Data

The DoD framework for sensitive unclassified data conforms to FedRAMP+: it uses the FedRAMP assessment and adds specific controls, based on the data classification, necessary to meet and assure DoD’s critical mission requirements. Controls for mission objectives are specified in the DoD cloud computing security requirements guide (SRG).

DoD mission owners can use several deployment models, such as private, community, public, and hybrid clouds. Mission owners determine the suitable model for their infrastructure and applications based on several factors, such as access and control of resources, scale, cost, SLAs, and availability of resources.

Mission owners determine the control status of application data. Mission owners must ensure that the protection status of the CSP accommodates the data and network access, such as NIPRNet or SIPRNet, to the data through the DoD information system network (DISN).

Figure 1: CSP-CSO Connection to the DISA Enterprise Boundary Cloud Access Point (BCAP) (Department of Defense CCPG, page 17, figure 6)

How the Process Works

The mission owner starts the process by submitting the DoD Cloud IT project initial contact form to DISA. DISA helps the mission owner navigate the connection process. Once DISA approves the project for connection, the mission owner is notified, and a technical exchange meeting is scheduled with the mission owner. The mission owner must submit the SNAP C-ITP package into the DISA SNAP database. Once DISA issues the cloud permission to connect (CPTC) approval, the technical exchange meeting with the CSP (such as Oracle Cloud Infrastructure for Government), DISA, and the mission owner can begin the connection process to the boundary cloud access point (BCAP).

The mission owner determines the connection requirements to BCAPs ahead of time. Based on disaster recovery and high-availability requirements, the mission owner should consider having at least two connections to each of the East and West BCAPs. The mission owner works with the CSP and DISA to ensure that the correct number of physical circuits are established in each BCAP region.

A lot goes into establishing the BCAP connection for a cloud IT project. The process requires good documentation and planning on the part of the mission owner. While the physical and virtual connections to the BCAP by the CSP can take several weeks, the CSP and the mission owner on DISN can’t overlook extensive testing while planning the network connections to the application.

BCAP Connection Phases

Phase 1: Connection Planning

  • System network approval process (SNAP) identification number

  • Obtain cloud IPs— cloud permission to connect (CPTC)

  • Obtain cybersecurity service provider (CSSP)

  • Contract vehicle

  • Approved commercial provider account connection planning

Phase 2: Connection Request

  • System network approval process (SNAP) registration (four days after submission)

  • Request SCCA services

  • SNAP ID and application data (IPs and subnets)

  • CPTC

  • Technical exchange (as required)

Phase 3: Connection and Sustainment

  • Connection and validation testing

  • CSSP feeds connected

  • Application owner customizes environments to meet mission requirements

Oracle Cloud Infrastructure DoD regions have received the cloud authority to connect, based on the DoD Cloud Connection Process Guide (CCPG). Consult your Oracle solution consultant to help you through the process.


Comments ( 2 )
  • David Knox Saturday, September 12, 2020
    Great way to simply explain a complex but much needed process.
  • Tim Hickey Tuesday, September 15, 2020
    Mark, Great Blog thanks for sharing.