Department of Defense (DoD) Impact Level 5 (IL5)
DoD IL5 overview
The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD provisional authorization (PA) that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).
DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD provisional authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.
According to Section 3.1.3 (Page 19) of the Cloud Computing SRG, IL5 information covers:
Controlled unclassified information (CUI) that requires higher level of protection than that afforded by IL4
- The CUI Registry provides specific categories of information that is under protection by the Executive branch, for example, more than 20 category groupings are included in the CUI category list, such as:
- Critical infrastructure (for example, Critical Energy Infrastructure Information)
- Defense (for example, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information – Defense)
- Export Control (for example, Export Administration Regulations (EAR) restrictions for items on the Commerce Control List, or International Traffic in Arms Regulations (ITAR) restrictions for items on the US Munitions List)
- Financial (for example, bank secrecy, budget, and so on)
- Intelligence (for example, Foreign Intelligence Surveillance Act)
- Law enforcement (for example, criminal history records, accident investigations, and so on)
- Nuclear (for example, Unclassified Controlled Nuclear Information – Energy)
- Privacy (for example, military personnel records, health information, and so on)
- And more
- The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is intended for use by federal agencies in contracts or other agreements established with non-federal organizations.
- The CUI Registry provides specific categories of information that is under protection by the Executive branch, for example, more than 20 category groupings are included in the CUI category list, such as:
National Security Systems (NSS)
NIST SP 800-59 Guideline for Identifying an Information System as a National Security System provides definitions of NSS. As stated on Page 3, NSS means any information system used by an agency which involves:
- Intelligence activities
- Cryptologic activities related to national security
- Command and control of military forces
- Equipment that is an integral part of weapons systems
- Functions critical to direct fulfillment of military or intelligence missions
These categories are explained in more detail in Appendix A.1 starting on Page 7. See also Appendix A.2 on Page 9 for examples of questions that an agency may employ to provide clarification of these categories.
The Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) Security Categorization and Control Selection for National Security Systems provides guidance on the security standards that federal agencies should apply to categorize national security information.
IL5 accommodates NSS and CUI categorizations based on CNSSI 1253 up to moderate confidentiality and moderate integrity (M-M-x). The determination of whether CUI and/or mission data fits the IL5 category is up to the authorizing official responsible for categorizing the information and choosing the cloud impact level.
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.
Section 5.1.1 DoD use of FedRAMP Security Controls (Page 37) of the Cloud Computing SRG states that a FedRAMP High provisional authorization, supplemented with DoD FedRAMP+ controls and control enhancements (C/CEs) and requirements in the Cloud Computing SRG, are used to assess CSOs toward awarding a DoD IL5 PA. No matter what C/CE baseline is used as the basis for a FedRAMP High provisional authorization, extra considerations and/or requirements will need to be assessed and approved before a DoD IL5 PA can be awarded. Moreover, according to Section 5.2.2.3 Impact Level 5 Location and Separation Requirements (Page 51), the following requirements (among others) must be in place for an IL5 PA:
- Virtual/logical separation between DoD and federal government tenants/missions is sufficient. Virtual/logical separation between tenant/mission systems is minimally required.
- Physical separation from non-DoD/non-federal government tenants (for example, public, local/state government tenants) is required.
Section 5.6.2 CSP Personnel Requirements (Page 76) additionally restricts CSP personnel having access to IL4 and IL5 data to US citizens, US nationals, or US persons. No foreign persons may have such access.
Azure and DoD IL5
Microsoft maintains the following authorizations for Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:
- FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- DoD IL2 PA
- DoD IL4 PA
- DoD IL5 PA
If you are deploying IL5 workloads in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, make sure you review Isolation guidelines for Impact Level 5 workloads for help with meeting DoD IL5 isolation requirements.
Azure Government has two additional regions, US DoD Central and US DoD East, that are reserved for exclusive use by the US Department of Defense. A separate DoD IL5 PA is in place for Azure Government DoD regions. For more information, see Department of Defense (DoD) in Azure Government.
For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative for Azure Government, which maps to DoD IL5 compliance domains and controls:
Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each DoD IL5 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
For more information about Azure support for NIST SP 800-171, see Azure NIST SP 800-171 documentation.
Applicability
- Azure Government
Services in scope
For a list of Azure Government cloud services in DoD IL5 PA scope, see Cloud services in audit scope.
Service availability varies across Azure Government regions. For an up-to-date list of service availability, see Products available by region.
Office 365 and DoD IL5
For more information about Office 365 compliance, see Office 365 DoD IL5 documentation.
Attestation documents
For access to Azure Government FedRAMP documentation, see FedRAMP attestation documents.
Contact DISA for access to the most recent Azure Government DoD IL5 PA letter.
Frequently asked questions
What Azure services are covered by DoD IL5 PA and in what regions?
To find out what services are available in Azure Government, see Products available by region. For a list of services provisionally authorized at DoD IL5, see Cloud services in audit scope.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- What is Azure Government?
- Explore Azure Government
- Microsoft for defense and intelligence
- DoD Cloud Computing Security Requirements Guide
- FedRAMP documents and templates
- DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- Controlled unclassified information (CUI) Registry and CUI category list
- Isolation guidelines for Impact Level 5 workloads