Department of Defense (DoD) Impact Level 2 (IL2)
DoD IL2 overview
The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD provisional authorization (PA) that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).
DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD provisional authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.
IL2 data includes non-controlled unclassified information, which is all data cleared for public release and some low confidentiality unclassified information that is not designated as controlled unclassified information (CUI). This impact level accommodates non-CUI categorization based on CNSSI 1253 Security Categorization and Control Selection for National Security Systems up to low confidentiality and moderate integrity (L-M-x).
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.
Section 5.1.1 DoD use of FedRAMP Security Controls (Page 37) of the Cloud Computing SRG states that IL2 information may be hosted in a CSO that holds at least a FedRAMP Moderate or High provisional authorization, subject to compliance with the personnel security requirements outlined in Section 5.6.2. Only FedRAMP Moderate or High baseline controls will be assessed for DoD IL2 PAs. For an IL2 PA, DoD allows full reciprocity with a FedRAMP Moderate or High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). However, this approach does not relieve the CSP from meeting other security and integration requirements as required by the mission owner. According to the Impact Level 2 Location and Separation Requirements section of the Cloud Computing SRG, a DoD IL2 PA is adequately covered by a FedRAMP Moderate provisional authorization, so those requirements are not assessed separately for an IL2 PA.
Azure and DoD IL2
Both Azure and Azure Government maintain a FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). According to the FedRAMP Security Controls Baseline (available from FedRAMP documents), the FedRAMP High baseline encompasses all controls in the FedRAMP Moderate baseline. Both Azure and Azure Government maintain a DoD IL2 PA, which covers non-controlled unclassified information including all data cleared for public release, for the in-scope services.
Applicability
- Azure
- Azure Government
Services in scope
- Azure services in scope for DoD IL2 PA reflect the Azure FedRAMP High P-ATO scope.
- Azure Government services in scope for DoD IL2 PA reflect the Azure Government FedRAMP High P-ATO scope.
For more information, see Cloud services in audit scope.
Office 365 and DoD IL2
For more information about Office 365 compliance, see Office 365 DoD IL2 documentation.
For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.
Frequently asked questions
What Azure services are covered by DoD IL2 PA and in what regions?
To find out what services are available in Azure and Azure Government, see Products available by region. For a list of services provisionally authorized at DoD IL2, see Cloud services in audit scope.
- What is Azure Government?
- Explore Azure Government
- Microsoft for defense and intelligence
- DoD Cloud Computing Security Requirements Guide
- FedRAMP documents and templates
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- Controlled Unclassified Information (CUI) Registry and CUI category list