Mission Landing Zone - SCCA

August 18, 2025 · View on GitHub

Home | Design | Add-Ons | Resources

Concepts

Mission LZ is intended to comply with the controls listed in the Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD).

The SCCA has four components:

Each component has a set of controls. The controls for each component are listed below, with a mapping to the technologies used in Mission LZ to implement each control.

  • Some of the controls are implemented using Azure technologies, but are not within the scope of Mission Landing Zone, e.g. multi-factor authentication and AAD Connect. These rows do not have a ✔️ in the Mission LZ column.
  • Some of the controls are not implemented with Azure technologies, e.g. BCAP 2.1.1.7. These rows have "N/A" under the Azure Technologies column.

NOTE: the mapping of controls to technologies and Mission Landing Zone implementation represents our opinion on how Mission Landing Zone implements SCCA controls. The mappings below are not defined by any DoD organization or Authorizing Official.

BCAP Controls

REQ IDBCAP Security RequirementsAzure TechnologiesMission LZ
2.1.1.1The BCAP shall provide the capability to detect and prevent malicious code injection into the DISN originating from the CSEMicrosoft Defender for Cloud✔️
2.1.1.2The BCAP shall provide the capability to detect and thwart single and multiple node DOS attacksAzure Firewall, Microsoft Defender for Cloud✔️
2.1.1.3The BCAP shall provide the ability to perform detection and prevention of traffic flow having unauthorized source and destination IP addresses, protocols, and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) portsAzure Firewall, Microsoft Defender for Cloud✔️
2.1.1.4The BCAP shall provide the capability to detect and prevent IP Address Spoofing and IP Route HijackingNetwork Security Groups✔️
2.1.1.5The BCAP shall provide the capability to prevent device identity policy infringement (prevent rogue device access)Microsoft Defender for Cloud and network route configuration✔️
2.1.1.6The BCAP shall provide the capability to detect and prevent passive and active network enumeration scanning originating from within the CSEMicrosoft Defender for Cloud✔️
2.1.1.7The BCAP shall provide the capability to detect and prevent unauthorized data exfiltration from the DISN to an end-point inside CSEN/AN/A
2.1.1.8The BCAP and/or BCAP Management System shall provide the capability to sense, correlate, and warn on advanced persistent threatsMicrosoft Defender for Cloud✔️
2.1.1.9The BCAP shall provide the capability to detect custom traffic and activity signaturesMicrosoft Defender for Cloud✔️
2.1.1.10The BCAP shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for BCND providersAzure Firewall
Network Security Groups
Network Watcher
✔️
2.1.1.11The BCAP shall provide full packet capture (FPC) for traversing communicationsN/AN/A
2.1.1.12The BCAP shall provide network packet flow metrics and statistics for all traversing communicationsAzure Firewall
Log Analytics
Network Watcher
✔️
2.1.1.13The BCAP shall provide the capability to detect and prevent application session hijackingN/AN/A

VDSS Controls

REQ IDVDSS Security RequirementsAzure TechnologiesMission LZ
2.1.2.1The VDSS shall maintain virtual separation of all management, user, and data traffic.Azure Virtual Network
Azure Firewall
Network Security Groups
✔️
2.1.2.2The VDSS shall allow the use of encryption for segmentation of management traffic.Azure Virtual Network (default)✔️
2.1.2.3The VDSS shall provide a reverse proxy capability to handle access requests from client systemsN/AN/A
2.1.2.4The VDSS shall provide a capability to inspect and filter application layer conversations based on a predefined set of rules (including HTTP) to identify and block malicious contentN/AN/A
2.1.2.5The VDSS shall provide a capability that can distinguish and block unauthorized application layer trafficN/AN/A
2.1.2.6The VDSS shall provide a capability that monitors network and system activities to detect and report malicious activities for traffic entering and exiting Mission Owner virtual private networks/enclavesAzure Monitor
Microsoft Defender for Cloud
Network Watcher
✔️
2.1.2.7The VDSS shall provide a capability that monitors network and system activities to stop or block detected malicious activityMicrosoft Defender for Cloud✔️
2.1.2.8The VDSS shall inspect and filter traffic traversing between mission owner virtual private networks/enclaves.Azure Firewall
Log Analytics
✔️
2.1.2.9The VDSS shall perform break and inspection of SSL/TLS communication traffic supporting single and dual authentication for traffic destined to systems hosted within the CSE.Azure Firewall✔️
2.1.2.10The VDSS shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for MCD operatorsAzure Firewall
Network Security Groups Network Watcher
✔️
2.1.2.11The VDSS shall provide a monitoring capability that captures log files and event data for cybersecurity analysisAzure Monitor
Azure Log Analytics
Azure Activity Logs
✔️
2.1.2.12The VDSS shall provide or feed security information and event data to an allocated archiving system for common collection, storage, and access to event logs by privileged users performing Boundary and Mission CND activitiesMicrosoft Defender for Cloud
Azure Log Analytics
✔️
2.1.2.13The VDSS shall provide a FIPS-140-2 compliant encryption key management system for storage of DoD generated and assigned server private encryption key credentials for access and use by the Web Application Firewall (WAF) in the execution of SSL/TLS break and inspection of encrypted communication sessions.Azure Key Vault✔️
2.1.2.14The VDSS shall provide the capability to detect and identify application session hijackingN/AN/A
2.1.2.15The VDSS shall provide a DoD DMZ Extension to support to support Internet Facing Applications (IFAs)N/AN/A
2.1.2.16The VDSS shall provide full packet capture (FPC) or cloud service equivalent FPC capability for recording and interpreting traversing communicationsAzure Firewall✔️
2.1.2.17The VDSS shall provide network packet flow metrics and statistics for all traversing communicationsAzure Firewall
Network Watcher
✔️
2.1.2.18The VDSS shall provide for the inspection of traffic entering and exiting each mission owner virtual private network.Azure Firewall
Network Watcher
✔️

VDMS Controls

REQ IDVDMS Security RequirementsAzure TechnologiesMission LZ
2.1.3.1The VDMS shall provide Assured Compliance Assessment Solution (ACAS), or approved equivalent, to conduct continuous monitoring for all enclaves within the CSEAzure Policy
Azure Blueprints
N/A
2.1.3.2The VDMS shall provide Host Based Security System (HBSS), or approved equivalent, to manage endpoint security for all enclaves within the CSEMicrosoft Defender for Cloud✔️
2.1.3.3The VDMS shall provide identity services to include an Online Certificate Status Protocol (OCloud Workload Security) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the CSEMulti-Factor AuthenticationN/A
2.1.3.4The VDMS shall provide a configuration and update management system to serve systems and applications for all enclaves within the CSEN/AN/A
2.1.3.5The VDMS shall provide logical domain services to include directory access, directory federation, Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) for all enclaves within the CSEMicrosoft Entra ID (AAD)
Azure DNS
✔️
2.1.3.6The VDMS shall provide a network for managing systems and applications within the CSE that is logically separate from the user and data networks.Virtual Network
Azure Subnets
✔️
2.1.3.7The VDMS shall provide a system, security, application, and user activity event logging and archiving system for common collection, storage, and access to event logs by privileged users performing BCP and MCP activities.Azure Log Analytics
Microsoft Defender for Cloud
✔️
2.1.3.8The VDMS shall provide for the exchange of DoD privileged user authentication and authorization attributes with the CSP's Identity and access management system to enable cloud system provisioning, deployment, and configurationMicrosoft Entra ID ConnectN/A
2.1.3.9The VDMS shall implement the technical capabilities necessary to execute the mission and objectives of the TCCM role.Microsoft Entra ID✔️

TCCM Controls

REQ IDTCCM Security RequirementsAzure TechnologiesMission LZ
2.1.4.1The TCCM shall develop and maintain a Cloud Credential Management Plan (CCMP)to address the implementation of policies, plans, and procedures that will be applied to mission owner customer portal account credential managementN/AN/A
2.1.4.2The TCCM shall collect, audit, and archive all Customer Portal activity logs and alertsAzure Log Analytics✔️
2.1.4.3The TCCM shall ensure activity log alerts are shared with, forwarded to, or retrievable by DoD privileged users engaged in MCP and BCP activitiesAzure Log Analytics✔️
2.1.4.4The TCCM shall, as necessary for information sharing, create log repository access accounts for access to activity log data by privileged users performing both MCP and BCP activitiesAzure Log Analytics✔️
2.1.4.5The TCCM shall recover and securely control customer portal account credentials prior to mission application connectivity to the DISNMicrosoft Entra ID✔️
2.1.4.6The TCCM shall create,issue, and revoke, as necessary,role based access least privileged customer portal credentials to mission owner application and system administrators (i.e., DoD privileged users).Microsoft Entra ID/Role-Based Authorization✔️