Understanding DoD Impact Levels for Cloud Security
The security of information is a cornerstone of the Department of Defense's (DoD) operations. To safeguard sensitive data, the DoD has developed Impact Levels (ILs), a framework that categorizes information systems based on their sensitivity and the potential impact of a compromise. This system helps ensure that all information is appropriately protected, whether it involves public data or highly classified materials. Organizations partnering with the DoD must understand and adhere to these levels to maintain compliance and protect national security.
What Are DoD Impact Levels?
DoD Impact Levels (ILs) are a classification framework used by the Department of Defense (DoD) to categorize information systems and the data they handle. These levels are based on the potential impact on national security should the confidentiality, integrity, or availability (CIA) of the information be compromised. This system ensures that sensitive information is adequately protected and managed according to its importance and sensitivity.
The Defense Information Systems Agency (DISA) defines these levels within the DoD Cloud Computing Security Requirements Guide (CC SRG). This guide incorporates guidance from the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. The CC SRG builds on the Federal Risk and Authorization Management Program (FedRAMP) by adding DoD-specific requirements and controls.
It is important to note that there are no Impact Levels 1 or 3. IL1 is not included because public data without security concerns does not require categorization, while IL3 has been consolidated into IL4 to streamline the framework.
The four DoD Impact Levels are:
- Impact Level 2 (IL2): Public or non-critical mission information.
- Impact Level 4 (IL4): Controlled Unclassified Information (CUI) and non-national security systems.
- Impact Level 5 (IL5): Higher-sensitivity CUI, mission-critical information, and national security systems (NSS).
- Impact Level 6 (IL6): Classified information up to SECRET.
DoD Impact Level Requirements
Each impact level has specific security requirements, ensuring that cloud service providers (CSPs) and system owners maintain the appropriate protections for the data they handle. Below, we break down the requirements for each DoD Impact Level.
DoD Impact Level 2 (IL2)
IL2 encompasses public and non-critical mission information. This level includes data cleared for public release and some internal DoD information that does not qualify as Controlled Unclassified Information (CUI).
- Examples of IL2 data: Administrative data, internal communications, and non-sensitive documentation.
- Key requirements:
  - CSPs must meet FedRAMP Moderate requirements.
  - Data can reside in facilities outside the U.S. and its territories.
  - Basic security measures are sufficient as data sensitivity is low.
DoD Impact Level 4 (IL4)
IL4 is designed for Controlled Unclassified Information (CUI) that is not national security information. This includes export-controlled data, privacy information, and Protected Health Information (PHI).
- Examples of IL4 data: For Official Use Only (FOUO) data, Personally Identifiable Information (PII), and mission-related non-national security data.
- Key requirements:
  - CSPs must meet FedRAMP High requirements and additional DoD-specific controls.
  - Systems handling IL4 data must operate within the U.S. or its territories.
  - Connectivity to systems must occur through the Non-classified Internet Protocol Router Network (NIPRNet).
  - Background checks and signed non-disclosure agreements (NDAs) are mandatory for personnel accessing this data.
DoD Impact Level 5 (IL5)
IL5 is designated for higher-sensitivity CUI, mission-critical information, and some National Security Systems (NSS). IL5 adds a further layer of security on top of the IL4 requirements.
- Examples of IL5 data: Unclassified National Security Information and mission-critical data essential to operations.
- Key requirements:
  - CSPs must comply with all IL4 controls and nine additional requirements specific to IL5.
  - Data must reside in U.S.-controlled facilities.
  - Only U.S. citizens can access the systems and data.
  - Physical and logical separation of government data from non-government entities is required.
  - Systems must support continuity of operations during crises.
DoD Impact Level 6 (IL6)
IL6 is reserved for classified information up to the SECRET level. It represents the highest security tier within the DoD Impact Levels.
- Examples of IL6 data: Classified operational plans, military intelligence, and other SECRET-level data.
- Key requirements:
  - CSPs must comply with stringent security controls beyond FedRAMP and DoD IL5 requirements.
  - Data must be stored in U.S.-based facilities with access limited to U.S. citizens holding SECRET clearances.
  - External connectivity is mediated through the Secret Internet Protocol Router Network (SIPRNet).
  - Specialized background checks and adjudication processes are mandatory for personnel.
Importance of DoD Impact Levels
The DoD Impact Levels serve as a critical tool for ensuring that information systems are appropriately categorized and protected. They help system owners and cloud service providers (CSPs):
- Determine Security Requirements: Identify the minimum necessary protections for data and systems.
- Mitigate Risks: Minimize the potential impact of security breaches on national security.
- Streamline Compliance: Align security controls with established frameworks like FedRAMP, ensuring a cohesive approach to managing sensitive information.
Conclusion
Understanding DoD Impact Levels is essential for organizations working with or supporting the Department of Defense. By categorizing information systems based on their sensitivity and potential impact, these levels provide a robust framework for managing and protecting critical and classified data. Whether handling public information at IL2 or SECRET-level data at IL6, adherence to the DoD’s stringent security requirements is vital for maintaining national security and operational integrity.
Compass helps businesses navigate complex DoD and federal compliance requirements by providing tailored solutions to meet stringent security standards. Our expertise ensures that organizations can confidently handle sensitive data while staying aligned with regulatory demands. Contact us today to learn how we can support your compliance efforts.