Department of Defense (DoD) Impact Level 5 (IL5)
DoD IL5 overview
The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service provider (CSP), supporting the decision to grant a DoD Provisional Authorization (PA) that allows a CSP to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM) and maps to the DoD Risk Management Framework (RMF).
DISA guides DoD agencies and departments in planning and authorizing the use of a CSP. It also evaluates CSP offerings for compliance with the SRG, an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD Provisional Authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.
According to SRG Section 3.2 Information Impact Levels, IL5 information covers:
Controlled Unclassified Information (CUI) that requires higher level of protection than that afforded by IL4
- The CUI Registry provides specific categories of information that is under protection by the Executive branch, for example, more than 20 category groupings are included in the CUI category list.
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is intended for use by federal agencies in contracts or other agreements established with non-federal organizations.
National Security Systems (NSS)
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System provides definitions of NSS.
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems provides guidance on the security standards that federal agencies should apply to categorize national security information.
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that 'FedRAMP will serve as the minimum security baseline for all DoD cloud services'. The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.
SRG Section 5.1.1 DoD use of FedRAMP Security Controls states that a FedRAMP High PA, supplemented with DoD FedRAMP+ controls and control enhancements (C/CEs) and requirements in the SRG, are used to assess CSPs toward awarding a DoD PA at IL5. No matter what C/CE baseline is used as the basis for a FedRAMP High PA, additional considerations and/or requirements will need to be assessed and approved before a DoD PA can be awarded at IL5. Specifically, SRG Section 5.1.2 DoD FedRAMP+ Security Controls/Enhancements states in Table 2 that 10 additional C/CEs beyond the FedRAMP High baseline are required for a DoD IL5 PA.
Moreover, according to SRG Section 22.214.171.124 IL5 Location and Separation Requirements, the following requirements (among others) must be in place for a Level 5 PA:
- Virtual/logical separation between DoD and Federal Government tenants / missions is sufficient. Virtual/logical separation between tenant/mission systems is required.
- Physical separation from non-DoD/non-Federal Government tenants (that is, public, local/state government tenants) is required.
- The CSP restricts potential access to DoD's and the community's information to CSP employees that are U.S. Citizens.
Microsoft in-scope cloud platforms & services
- Dynamics 365 Customer Service
- Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
- Microsoft Graph
- Microsoft Stream
- Office 365 U.S. Government Defense
- Power Automate (formerly Microsoft Flow)
- Power BI
Azure, Dynamics 365, and DoD IL5
For more information about Azure, Dynamics 365, and other online services compliance, see the Azure DoD IL5 offering.
Office 365 and DoD IL5
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
|DoD||Activity Feed Service, Bing Services, Bookings, Exchange Online Protection, Exchange Online, Intelligent Services, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, Office Usage Reports, OneDrive for Business, People Card, SharePoint Online, Skype for Business, Windows Ink|
US government customers can request Office 365 U.S. Government Defense FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.
Select FedRAMP and DoD documentation, including System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), etc., is available to customers under NDA and pending access authorization from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.
- Microsoft government solutions
- FedRAMP documents
- DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life-Cycle Approach for Security and Privacy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Controlled Unclassified Information (CUI) Registry and CUI category list.