FedRAMP and DoD Impact Levels
As the Department of Defense (DoD) increasingly leverages cloud services, the need to classify and secure sensitive data has never been more important. To address that need, the DoD’s Cloud Computing Security Requirements Guide (SRG) provides a comprehensive framework that establishes distinct Impact Levels to classify whether a system is appropriate to handle specific kinds of data.
If you’re familiar with federal regulations and cloud services, you might already have noticed that another framework applies to cloud service providers (CSPs): FedRAMP. For that reason, the DoD publishes guidelines for implementing its specific Impact Level requirements alongside FedRAMP.
This article discusses the DoD Impact Levels, covering what type of data they encompass and how they interact with FedRAMP.
What Is the Relationship Between the DoD’s Cloud Requirements and FedRAMP?
The Department of Defense Impact Levels system categorizes and secures particularly sensitive information in cloud environments. Likewise, FedRAMP is a set of standards cloud providers must follow to gain authorization to work with federal agencies.
Both frameworks define several “Impact Levels” that determine the security controls a CSP must implement to be compliant:
- FedRAMP authorizations are divided into Low, Moderate, and High impact levels, each with increasing security controls from NIST Special Publication 800-53.
- DoD Impact Levels range from Level 1 to Level 6, and are similarly based on NIST standards but are specifically tailored to the type of data handled within DoD systems.
The overlap between FedRAMP and DoD Impact Levels becomes particularly important for CSPs seeking to provide services to DoD. While FedRAMP authorization is a prerequisite for any CSP to work with the federal government, additional requirements must be met for a CSP to handle DoD data at various Impact Levels.
What Are the DoD Impact Levels?
Each standard uses Impact Levels to define the extent and complexity of required compliance.
The short description of these levels is that the DoD has mapped FedRAMP Moderate to DoD Impact Level 2 and FedRAMP High to DoD Impact Level 4 and 5 (note that there is no DoD IL 3).
A CSP with FedRAMP High authorization can generally handle data up to DoD Impact Level 4/5, assuming they also comply with additional DoD-specific controls. To handle DoD Impact Level 6 (classified information), a CSP needs to comply with additional, more stringent requirements.
A more in-depth description of DoD Impact Levels includes:
Impact Level 2
DoD Impact Level 2, as defined in the DoD SRG, is designated for non-controlled unclassified information. This includes all data cleared for public release and some DoD private information not designated as controlled unclassified information (CUI) or higher.
Impact Level 2 data might include information that, while not explicitly sensitive or classified, still requires a measure of protection and should not be disclosed without authorization. Examples potentially include certain administrative data, internal communications, and other information not intended for public release.
To handle Level 2 data, a CSP can generally meet the requirements by holding a FedRAMP Moderate authorization. Such CSPs may still be located in the U.S. or in U.S. outlying areas without this designation.
Impact Level 4
The DoD Impact Level 4 is designed for Controlled Unclassified Information (CUI) that is not considered national security information. This includes export-controlled data, privacy information, and protected health information (PHI).
To provide services at Impact Level 4, a CSP must meet a range of security controls and requirements outlined by the DoD’s SRG. CSPs that meet FedRAMP High requirements may also meet those of DoD IL 4, depending on the context.
Furthermore, systems handling Impact Level 4 data must be operated within the United States or its territories, and off-premises connectivity must be mediated via the Non-Classified Internet Protocol (NIPRNET) system. Individuals accessing this information must undergo SSBI background checks and NACLC credit checks and sign a non-disclosure agreement (NDA).
Impact Level 5
DoD Impact Level 5, as per the SRG, is designated for CUI that requires a higher level of protection, including National Security Information (information that could cause damage to national security if disclosed). This level also applies to mission-critical information and systems that are crucial for the continuity of operations.
Furthermore, systems handling Impact Level 5 data must be operated from facilities located within the United States or its territories, under the control of U.S. citizens. The CSP must also have technology and systems in place to support the availability of critical missions during times of crisis.
For reference, the FedRAMP High baseline is approximately equivalent to DoD Impact Levels 4 and 5. A CSP with FedRAMP High authorization is generally prepared to handle data at DoD Impact Level 5, so long as it complies with the additional DoD-specific requirements.
Finally, individuals accessing this information must undergo all the same background checks and NDA requirements of Level 4.
Impact Level 6
DoD Impact Level 6, as defined by the DoD’s Cloud Computing SRG, is designated for classified information, up to and including information classified as SECRET.
The security requirements for cloud services handling Level 6 data are the most stringent, given the sensitivity of this classification level. It’s important to note that the FedRAMP program does not cover Level 6 data. A CSP wishing to handle Level 6 data must go through a separate process to meet the additional requirements specified by the DoD.
Furthermore, systems handling Impact Level 6 data must be operated from facilities in the United States or its territories, controlled by U.S. citizens, with external connectivity mediated by the Secret Internet Protocol Network (SIPRNET) and SIPRNET enclaves.
Finally, anyone accessing such information must undergo specially adjudicated background checks and receive SECRET clearance.
It’s important to note that while there is a significant overlap in the security controls, the processes for achieving FedRAMP authorization and DoD Impact Level approval are separate and may have different documentation and procedural requirements.
Ensure Your Compliance with DoD IL With Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.