The ability to deliver capability “at the speed of relevance” requires an innovative approach to providing secure access to cloud environments. As highlighted in a recent report by the Defense Innovation Board, “...the threats that the United States faces are changing at an ever-increasing pace, and the Department of Defense’s (DoD’s) ability to adapt and respond is now determined by its ability to develop and deploy software to the field rapidly.” To achieve this objective effectively and efficiently, access to cloud environments must be flexible and ubiquitous while at the same time providing the requisite level of security and monitoring to protect from, detect, respond to, and recover from cyber-attacks. The purpose of a Cloud Native Access Point (CNAP) is to provide secure, authorized access to DoD resources in a commercial cloud environment, leveraging zero trust architecture (ZTA), for authorized DoD users and endpoints from anywhere, at any time, from any device.
The purpose of this CNAP Reference Design (RD) is to describe and define the set of capabilities, fundamental components, and data flows within a CNAP. It presents logical design patterns and derived reference implementations for deploying, connecting to, and operating a CNAP. It is a future state design to guide the development of next generation connectivity and cybersecurity capabilities to improve internet-based machine and user access into DoD cloud (in particular, commercial cloud-hosted) resources and services. A CNAP provides person entities (PE) (i.e., end users and privileged users) and non-person entities (NPE) access to cloud enclaves using a combination of cloud native and cloud ready security mechanisms. Further, a CNAP allows authorized outbound access to the internet, for example, to enable software repository synchronization of COTS patches or new versions of Free and Open-Source Software (FOSS) projects and system-to-system interfaces with mission partners such as other Federal Departments.
The CNAP RD is intended for the Combatant Commanders, Military Departments, Defense Information Systems Agency (DISA), other Defense Agencies, and mission partners who require access to DoD resources in the commercial cloud and government cloud. It serves as DoD enterprise-level guidance for establishing secure internet ingress and egress to cloud-hosted development, test, and production environments.