This blog is part 1 of our multipart series on the Oracle Cloud Native SCCA Landing Zone solution.
U.S. Department of Defense (DoD) customers who deploy workloads to the cloud must follow the Cloud Computing Requirements Guide (CC SRG) and build an architecture that's compliant with the Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD) established by the Defense Information Systems Agency (DISA). These documents define the application and security standards to deploy DoD workloads connected to DoD Non-classified Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNet).
In this blog series, we examine the critical aspects of building an SCCA-compliant architecture. Let’s start by looking at the SCCA framework and how the Oracle Cloud Native SCCA Landing Zone solution helps DoD customers build secure and compliant architectures.
SCCA compliance is required to protect DoD networks inside the Department of Defense Information Network (DODIN) from systems hosted on a public cloud. Figure 1 shows the following main components of SCCA:
These SCCA components and controls are verified by a DoD Authorizing Official (AO) and DISA cyber personnel before an interim authorization to test (IATT) or authority to operate (ATO) is issued. Mission owners may migrate their workloads to the cloud once IATT is complete and ATO is granted.
Figure 1: The four components of SCCA
DoD mission owners have struggled to meet SCCA requirements in order to migrate to the cloud and modernize their workloads. DoD mission owners and their assigned systems integrators have invested significant time and money to build custom SCCA implementations. These custom implementations often require third-party software, which further increases the total cost to maintain SCCA compliance. Multiple DoD customers have asked us for an SCCA solution that is less labor-intensive and more cost-effective.
The Oracle Cloud Native SCCA Landing Zone automates the process of building an SCCA-compliant architecture using Terraform scripts to make it easy to build and deploy your DoD IL4 and IL5 workloads. The landing zone includes baseline configurations, rules, and templates delivered using an infrastructure-as-code (IaC) template. Customers can launch the templates from the Oracle Cloud Native SCCA Landing Zone, answer a few simple questions about their configuration, and have an architecture set up that same day. The landing zone configures identity domains, virtual cloud networks (VCNs), network firewalls, load balancers, vulnerability scanning, and more. Customers can find the landing zone via GitHub or in the Oracle Cloud Console.
Oracle helps customers satisfy and document required controls. We built our Cloud Native SCCA Landing Zone with integrated cloud native platform services to meet the SCCA controls that are the responsibility of the cloud service provider (CSP). We also provide tools, services, and guidance to meet the additional SCCA controls that are your responsibility as a DoD mission owner.
The DISA FRD has controls that can be logically distributed in different control areas as depicted in Figure 2. The Oracle Cloud Native SCCA Landing Zone meets the CSP portion of SCCA controls. The shared responsibility matrix provides guidance on your DoD mission owner responsibility, as documented in the SCCA Architecture Guide and SCCA Customer Responsibility Guide.
Figure 2: Key SCCA requirements in the DISA SCCA FRD
The automation and guidance provided by the Oracle Cloud Native SCCA solution enable DoD mission owners to establish a compliant security architecture in just a few hours or days, instead of months. The Oracle Cloud Native SCCA Landing Zone script and associated technical documentation are provided at no separate or additional charge under a customer's contract. Underlying consumable cloud services used to stand up the SCCA-compliant architecture in a customer's tenancy may be billable in accordance with the customer's contract. Oracle provides upgrades, maintenance, and enhancements to all these services at no additional cost. The Oracle Cloud Native SCCA solution saves you a significant amount of time and money that can be better used to further your DoD mission.
Up next in our blog series, we will discuss best practices for migrating IL4 and IL5 workloads with the Oracle Cloud Native SCCA Solution.
For more information on the Oracle Cloud Native SCCA solution, please reach out to the DoD Product Management team.
George Boateng is a Solution Architect supporting ONSRs. He has a background in OCI, AWS, DevOps, Linux, and Windows. He has experience automating infrastructure using CloudFormation and Terraform. George assists customers in solving technical challenges as well as helping to drive work. He is a key member of the team working on the Oracle Cloud Native SCCA Landing Zone for DoD customers.
John is a 15-year Oracle veteran and 20-year USAF veteran. He has worked across a broad set of Oracle teams including consulting, cloud architecture, Oracle Applications architecture for Cloud, and US Government Cloud.
Rakesh Kumar is the Director of Product Management for Oracle DoD Cloud. He is responsible for managing product and services in Oracle’s DoD Cloud and leads the Cloud Native SCCA business and go-to-market team.
Mr. Kumar is a Graduate of M.I.T. Sloan School of Management and has several degrees from Harvard schools including Harvard Business School.
Nelson Chen is a Senior Principal Product Manager for Oracle Cloud Infrastructure and is responsible for OCI Landing Zone products and services. He has more than 20 years of experience in IT Infrastructure/Security, and he is a certified Oracle Cloud Architect Professional, CISSP, CISA, and CISM.