DoD Secure Cloud Computing Architecture Functional Requirements V2.9
Developed by DISA for the DoD - Publish Date: 01/31/17
As the Department of Defense strives to meet the objectives of the DoD CIO to maximize the use of commercial cloud computing, the Defense Information System Network (DISN) perimeter and DoD Information Network (DoDIN) systems must continue to be protected against cyber threats. DISA is responsible for developing the DISN protection requirements and guidance to secure the connection point to the Cloud Service Provider (CSP). DISA is well positioned to provide enterprise capabilities to secure DoD Mission Owner systems deployed to the commercial cloud.
The purpose of the Secure Cloud Computing Architecture (SCCA) is to provide a barrier of protection between the DISN and commercial cloud services used by the DoD while optimizing the cost-performance trade-off in cybersecurity. The SCCA will proactively and reactively provide a layer of overall protection against attacks upon the DISN infrastructure and mission applications operating within the commercial cloud. It specifically addresses attacks that originate from mission applications residing within the Cloud Service Environment (CSE) and target both the DISN infrastructure and neighboring tenants in a multi-tenant environment. It provides a consistent, CSP-independent level of security that enables the use of commercially available Cloud Service Offerings (CSO) for hosting DoD mission applications operating at all DoD Information System Impact Levels (i.e., 2, 4, 5, and 6).
Requirements defined herein cover the array of CSOs, including Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). However, the authors have been careful to word requirements with sufficient specificity to address the DoD cloud security posture while enabling innovation and allowing flexibility in implementations. The shared responsibility model is assumed to persist so that, where important for cost savings, identified security capabilities can be delivered by DoD, commercial CSP, or third-party organizations.