SCCA components and requirements - AWS Prescriptive Guidance

SCCA components and requirements

The Defense Information Systems Agency (DISA) Secure Cloud Computing Architecture (SCCA), adopted by the US Department of Defense (DoD), is intended to be a scalable, cost-effective approach for securing cloud-based applications under a common security architecture. It provides a standard approach for securing IL4 and IL5 data in cloud environments. As described in the DISA SCCA fact sheet, the overarching components of the SCCA include:

  • Cloud Access Point (CAP) – Provides access to the cloud, and protects DoD networks from the cloud. Streamlined protections focused on protecting the network boundary.

  • Virtual Data Center Security Stack (VDSS) – Virtual network enclave security to protect applications and data in commercial cloud offerings.

  • Virtual Data Center Managed Services (VDMS) – Application host security for privileged user access in commercial environments.

  • Trusted Cloud Credential Manager (TCCM) – Cloud credential manager to enforce role-based access control (RBAC) and least-privileged access.

The following image shows these components of the SCCA.

Components of the DISA SCCA.

This section discusses each component in detail and the corresponding components in the Landing Zone Accelerator on AWS (LZA) that can help you adhere to the DISA standard. The following image shows the LZA multi-account structure that builds the components of the SCCA within the AWS Cloud. This LZA multi-account structure is a foundation that helps you achieve an architecture that is fully compliant with DISA SCCA requirements. For an example of an architecture that helps you fully meet compliance requirements, see the SCCA on AWS GovCloud architecture diagram.

Architecture diagram of the multi-account structure deployed by using the Landing Zone Accelerator on AWS.