Oracle Cloud Infrastructure just became the first cloud provider outside AWS and Azure to demonstrate a Secure Cloud Computing Architecture (SCCA)-compliant landing zone under a contract with a major operational command in the DoD regions.
To get the full inside story, we sat down with Earl Pemberton, the 2i Cloud Engineer who led the build from day one.
Interviewer: Earl, let’s start with the basics — can you tell us about your role at 2i and what you’ve been focused on this year?
Earl: Good morning. My day-to-day is almost entirely in the SCCA space. I design, build, and operate the networking and security components that make up the SCCA-compliant Landing Zone.
In plain terms, this landing zone gives DoD customers a compliant, controlled on-ramp and off-ramp into OCI — including ports and protocols that are extremely difficult or impossible to open in the other clouds that flow through our client’s security broker. I also work directly with customer teams and the DISA/CAO assessors to make sure everything lines up.
Overview of the SCCA Project
Interviewer: You and the team just wrapped Phase One. For readers who aren’t steeped in the process, what exactly does Phase One cover?
Earl: Phase One was all about proving the concept end-to-end in a real DoD environment.
We are authorized to flow actual mission traffic from customer NIPR enclaves, through the SCCA boundary protection stack we built, into OCI Government regions, and down to the customer tenancy — and back out again.
Until we get the full IL5 ATO, everything runs under controlled test conditions with real workloads, but the architecture and controls are already production-grade.
Interviewer: Can you briefly walk us through what was involved in the process?
Earl: Within a short period of time, we wrote, hardened, documented, and defended every layer of the stack — down to keeping legacy Oracle ports alive; real customer traffic flowed across the boundary without a hiccup.
- Wrote and hardened all the Terraform Infrastructure-as-Code
- Stood up the full networking and security stack (BCAP, VDSS, inspection points, etc.)
- Produced every required diagram, data-flow document, and control response
- Opened and supported legacy ports like Oracle 1521/1522 that customers actually need today
- Coordinated multiple rounds of reviews with DISA and the Cloud Assessment Office
Getting real customer traffic across the boundary upon completion of Phase 1 was the ultimate validation.
Why IL4/IL5 Workloads Require SCCA
Interviewer: Before we dive into the architecture, a lot of program managers still ask the basic question: why does an IL4 or IL5 workload in the cloud actually have to go through SCCA at all?
Earl: Short answer – any system that touches the DISN (NIPRNet or SIPRNet) and handles CUI or above has to prove it meets DISA’s boundary protection standards.
SCCA is the reference architecture DISA created so cloud doesn’t become the weak link in the DoD enterprise. Skip it or half-implement it, and your ATO will be non-viable.
How OCI Maps to the Four SCCA Pillars
Interviewer: Can you walk us through how OCI’s SCCA landing zone maps to the four SCCA pillars (BCAP, VDSS, VDMS, TCCM)?
Earl: Sure. The pillars are functional requirements, not product names, which is why OCI can meet them just as well as AWS or Azure — sometimes with less headache.
| SCCA Pillar | Functional Requirement | OCI Native Service(s) Used | Notes |
|---|---|---|---|
| VDSS | Boundary protection & inspection | OCI Network Firewall + Security Lists/NSGs | SNAT added mid-2025 |
| VDMS | Management-plane protection | OCI Bastion, Private Endpoints, NSGs | |
| BCAP | DoD-approved connectivity | Private FastConnect to DISA BCAP | No public internet path ever |
| TCCM | Identity & Access governance | OCI IAM with Dynamic Groups + OCI Vault | Seamless DoD identity integration |
Interviewer: A lot of our readers have to turn around and brief their AO or prime next week — what’s the one-liner you use for each pillar that instantly makes sense to them?
Earl: Here’s how I explain it in every meeting:
• BCAP → DISA can physically pull the plug if we get compromised.
• VDSS → Every packet of CUI gets the same inspection rigor you’d get from an on-prem DISA firewall.
• VDMS → Stops the #1 cloud breach vector: stolen admin credentials.
• TCCM → Gives the Authorizing Official continuous, automated evidence instead of a 400-page Word doc every three years.
The Breakthrough Everyone Has Been Waiting For: Legacy Ports Actually Work
Interviewer: DoD’s single-port mandate forces everything through TCP 443 at the BCAP, yet most real mission systems — especially Oracle-heavy ones — still need 1521, 1522, RDP, SSH, etc. How did the SCCA LZ solve that?
Earl: That was the #1 customer pain point.
The existing paths only allow 443, so Oracle EBS, PeopleSoft, Primavera, and a dozen other legacy apps simply couldn’t move. Because we have a private, direct connection to DISA BCAP and went through the full PPSM approval process, which falls under the DISN connection process, we can open the ports customers actually need.
Approved Ports Now Flowing Today (PPSM-approved)
- TCP/1521 & 1522 – Oracle Database (game-changer for any Oracle-centric program)
- TCP/22 – SSH (strict IP allow-list)
- Additional ports/protocols added via standard PPSM change-request process
If your mission workload is Oracle-heavy, this is currently the fastest known path to IL5.
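As an added illustration (not code from 2i, Earl, or the interview), the check below is the kind of pre-deployment gate a landing-zone team can run over its NSG or security-list ingress rules before sending them to a PPSM review: every rule is compared against a constructed approved-port set modelled on the list above (TCP/1521, 1522 and 22), and any rule that opens an unapproved port, a non-TCP protocol, or SSH from a source broader than an explicit allow-list prefix is reported. The rule shape, the sample rules, the allow-list CIDRs and the /24 threshold are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed approved-port set modelled on the PPSM-approved ports named in the
# interview (TCP/1521, 1522 for Oracle DB; TCP/22 for SSH with a strict allow-list).
# Illustration only, not 2i's or DISA's actual PPSM register.
APPROVED_TCP_PORTS = {1521, 1522, 22}
SSH_PORT = 22
# Assumption: an SSH source counts as "strictly allow-listed" only if it is an IPv4
# prefix of /24 or longer; broad ranges (and 0.0.0.0/0) are flagged.
MIN_SSH_PREFIX_LEN = 24


@dataclass(frozen=True)
class IngressRule:
    """Minimal hypothetical model of one NSG / security-list ingress rule."""
    source_cidr: str
    protocol: str       # "tcp" or "udp"
    port_min: int
    port_max: int
    description: str = ""


def check_rule(rule: IngressRule) -> list[str]:
    """Return findings for one rule; an empty list means the rule is on the approved list."""
    findings: list[str] = []
    label = rule.description or rule.source_cidr
    if rule.protocol.lower() != "tcp":
        findings.append(f"{label}: non-TCP protocol {rule.protocol} is not on the approved list")
        return findings
    ports = set(range(rule.port_min, rule.port_max + 1))
    unapproved = sorted(ports - APPROVED_TCP_PORTS)
    if unapproved:
        findings.append(
            f"{label}: unapproved TCP port(s) {unapproved}; needs a PPSM change request"
        )
    if SSH_PORT in ports:
        net = ipaddress.ip_network(rule.source_cidr, strict=False)
        if net.prefixlen < MIN_SSH_PREFIX_LEN:
            findings.append(
                f"{label}: SSH source {rule.source_cidr} is broader than /{MIN_SSH_PREFIX_LEN}"
            )
    return findings


def audit(rules: list[IngressRule]) -> dict[str, list[str]]:
    """Map each rule's description to its findings so a reviewer sees every rule, clean or not."""
    return {r.description: check_rule(r) for r in rules}


# Constructed sample rule set (hypothetical enclave and jump-host prefixes).
SAMPLE_RULES = [
    IngressRule("10.20.30.0/24", "tcp", 1521, 1522, "oracle-db-from-enclave"),
    IngressRule("10.20.30.0/24", "tcp", 22, 22, "ssh-from-jump-subnet"),
    IngressRule("0.0.0.0/0", "tcp", 22, 22, "ssh-open"),         # too broad: flagged
    IngressRule("10.20.30.0/24", "tcp", 3389, 3389, "rdp"),      # not yet PPSM-approved: flagged
    IngressRule("10.20.30.0/24", "udp", 53, 53, "dns"),          # non-TCP: flagged
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the block prints one line per rule; the three rules marked above are reported and the two Oracle/SSH rules from the enclave prefix pass. The port check is deliberately range-aware so that a rule covering 1521-1522 is accepted while a broad range such as 1000-2000 is reported with the exact ports outside the approved set.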
The Three OCI-Native Services That Let You Eliminate Physical Appliances
Interviewer: Which OCI services made it possible to stay 100% cloud-native and still get DISA comfortable?
Earl: Three stood above the rest:
- OCI Network Firewall – our VDSS boundary firewall; full stateful inspection, logging, and now SNAT
- Security Lists + Network Security Groups – granular permit/deny inside the VCN
- OCI IAM with Dynamic Groups & Vault – handles the entire TCCM pillar
These replace rack-and-stack appliances while giving validators exactly the controls they expect.
What Finally Made DISA Validators say “Yes”
Interviewer: Between the single-port rule and general unfamiliarity with OCI, what tipped the scales?
Earl: Three things:
- Extremely detailed diagrams that translated OCI icons into the exact same shapes DISA sees in AWS/Azure diagrams
- A complete PPSM package justifying every non-443 port
- Multiple live walkthroughs showing packet-by-packet flows end-to-end
They weren’t used to OCI terminology, so we basically became translators until everything clicked.
The Hairiest Hurdles
Interviewer: What almost derailed the project?
Earl: Two categories:
Technical
- OCI Network Firewall was missing SNAT in the Gov regions when we started. We temporarily bridged the gap with a router instance, then swapped to native SNAT the day the feature dropped.
Administrative
- A key lesson learned: the IP approval authority sits higher/with a different organization than most published org charts show—discovering that halfway through can be painful.
- Multiple restarts on paperwork until we mapped every required signature.
Both were steep learning curves, but now we know the exact playbook.
Top Three “Must-Do” Items for SCCA Landing Zone Success
Earl: If you only remember three things, remember these:
- Decide Day 1: native OCI firewall vs. third-party NVA (flexibility vs. licensing cost)
- Nail the end-to-end network flow diagram before you write a single line of Terraform
- Verify every required service is generally available in your chosen Gov region — or have a Plan B region ready
Getting these right on the front end is what separates landing zones that sail through IL5 assessment from the ones that get stuck in review cycles for months.
The good news? We’ve already made these decisions, pressure-tested them with real mission owners, and packaged everything up.
Where We Are Today: Real Customers, Real Traffic
Interviewer: Bottom line — what’s actually working right now?
Earl: Our government customers are actively testing mission traffic through the SCCA boundary I described.
- End-to-end connectivity validated (on-prem – OCI)
- Oracle 1521/1522 flowing
- Up to 10 Gbps inspected throughput available
- Bi-weekly syncs with the government team — all feedback positive so far
The next milestone is full IL5 ATO, and we are on that path right now. That means the reference architecture, the Terraform, the policies, the runbooks – everything is battle-tested and ready for deployment in weeks.
Ready to Move Your IL4/IL5 Workload to OCI
This is no longer theoretical — it’s built, customer-tested, and DISA-blessed.
Drop us a note at https://ikedainnovations.com/contact-us
We’ll show you exactly how to make your legacy mission system cloud-ready — faster and cheaper than you thought possible.