Req. ID   Requirements

TCCM Security Requirements

2.1.4.7   The TCCM shall limit, to the greatest extent possible, the issuance of customer portal and other CSP service (e.g., API, CLI) end-point privileges to configure network, application, and CSO elements.

2.1.4.8   The TCCM shall ensure that privileged users are not allowed to use CSP IdAM derived credentials which possess the ability to unilaterally create unauthorized network connections within the CSE, between the CSO and the CSP's private network, or to the Internet.
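As an added example (not part of this FRD), one way a TCCM could screen a CSP identity policy against requirement 2.1.4.8 before issuing it to a privileged user: the script assumes an AWS-style IAM policy document, and the watch list of network-connection-creating actions, the function name `unilateral_network_actions` and `SAMPLE_POLICY` are constructed for illustration.

```python
# Added example (not from the SCCA FRD): audit an AWS-style IAM policy document for
# privileges that could unilaterally create network connections (TCCM req. 2.1.4.8).
# The watch list below is a constructed, illustrative subset, not a full catalogue.
import fnmatch

# Actions that create or attach network paths inside the CSE, to the CSP private
# network, or to the Internet. Extend per CSP.
NETWORK_CONNECTION_ACTIONS = {
    "ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
    "ec2:CreateNatGateway", "ec2:CreateVpnConnection",
    "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection",
    "ec2:CreateTransitGateway", "ec2:CreateTransitGatewayVpcAttachment",
    "directconnect:CreateConnection", "directconnect:CreatePrivateVirtualInterface",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def unilateral_network_actions(policy):
    """Return the watched actions this policy effectively allows.

    A watched action is allowed when some Allow statement matches it and no Deny
    statement matches it (explicit deny wins). Resource and Condition narrowing
    is ignored, so this is a conservative (over-reporting) finder.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in NETWORK_CONNECTION_ACTIONS
                if any(_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return sorted(allowed - denied)

# Constructed sample: a privileged-operator policy that appears scoped but still
# grants network-path creation through the ec2:* wildcard.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "logs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:CreateInternetGateway", "Resource": "*"},
    ],
}
```

Running `unilateral_network_actions(SAMPLE_POLICY)` reports the seven `ec2:` actions the wildcard still grants; an empty result is the condition a TCCM would require before issuing the credential.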
System Connectivity Requirements
The SCCA CAP, VDSS, and VDMS components provide secure connectivity between cloud-based systems and DISN management, user, and data networks as illustrated in Figure 7.

[Figure 7 (diagram not reproduced); labels include "Assessment Solutions". Legend: CSAAC: Cyber-Situational Awareness Analytic Cloud; ESM: Enterprise Systems Management; FW: Firewall; HBSS: Host-Based Security Services; HSM: Hardware Security Module; IA: Information Assurance; IAP: Internet Access Point; IDS: Intrusion Detection System; IPS: Intrusion Protection System; IntTrl: Interface Translation; JIA: Joint Information Assurance; LDAP: Lightweight Directory Access Protocol; OCSP: Online Certificate Status Protocol; OOB: Out-of-Band network; RCVS: Robust Certificate Validation Service; SaaS: Software-as-a-Service; WAF; SRX; VDC: Virtual Data Center]

Overall, the SCCA is intended to provide the cyberspace defense capabilities necessary to support DoDIN operations in accordance with DoDI 8530.01. Accordingly, it establishes networks and connectivity to support system administration, mission operations, and cyberspace defense. It provides an extension of the Out-of-Band (OOB) network used for management and cyberspace defense and for the generation and collection of security event information. Data flows to support authorized DoD Internet and NIPRNet users are also supported.
The CAP provides secure connectivity between the CSP and the DISN. Although not illustrated in
Figure 7, the ICAP provides connectivity for on-premise CSPs while the BCAP provides connectivity for off-premise CSPs. While an off-premise CSP will be allowed to connect directly to a BCAP, a CSP may also connect to a BCAP through a MeetMe Point (MMP). MMPs are commercial facilities where CSP connections may be aggregated for private transport to a BCAP. MMPs may be strategically placed geographically to provide commercial carrier communication aggregation points. The BCAP and MMP are generally referred to together as “CAP/MeetMe”. There may be many CAPs and many MMPs that are sized and geographically distributed to optimize network performance. Further, BCAPs and MMPs may not be physically collocated.