DoD Impact Levels. Cloud Security Forged for Mission Requirements.

DoD Cloud SRG Overlay

The DoD Cloud Computing Security Requirements Guide, published by DISA, defines Impact Levels IL2, IL4, IL5, and IL6 for cloud service deployments. Each level layers DoD-specific requirements on top of FedRAMP baselines. Continuous evidence collection from connected infrastructure. Immutable compliance proofs for every Impact Level requirement.

Cloud security posture measured against mission sensitivity. Not paperwork.

The Department of Defense categorizes cloud workloads by the sensitivity of the data they process. Each Impact Level defines the security controls, infrastructure isolation, and personnel requirements that cloud service providers and mission owners must satisfy. Redoubt Forge implements DoD Impact Levels as overlays on FedRAMP baselines, composing the additional DoD-specific requirements with your existing security posture to produce continuous compliance proofs.

01
What Are DoD Impact Levels
DISA's Classification of Cloud Workloads by Data Sensitivity and Mission Criticality.

The DoD Cloud Computing Security Requirements Guide (Cloud SRG) is published by the Defense Information Systems Agency (DISA) and establishes the security requirements for cloud service deployments across the Department of Defense. The Cloud SRG defines six Impact Levels (IL1 through IL6), though IL1 and IL3 are no longer used in practice. The four active levels form a progression of increasing data sensitivity and corresponding security rigor. Each level specifies the types of information that may be processed, the infrastructure isolation requirements that must be met, the personnel access restrictions that apply, and the additional security controls that extend beyond the FedRAMP baseline. The Cloud SRG is not a standalone framework. It functions as a set of overlays that compose with FedRAMP baselines, adding DoD-specific parameters, controls, and operational requirements on top of the NIST 800-53 controls that FedRAMP already mandates. Understanding the Cloud SRG requires understanding this layered architecture: FedRAMP provides the foundation, and each Impact Level adds requirements proportional to the sensitivity of the data being protected.

The four active Impact Levels address distinct categories of DoD data. IL2 covers publicly releasable information and non-controlled unclassified information hosted in commercial cloud environments. IL4 covers Controlled Unclassified Information (CUI) that does not involve national security systems, requiring dedicated government cloud infrastructure and additional access controls. IL5 covers CUI and mission-critical national security information, requiring the most stringent non-classified infrastructure isolation and personnel restrictions. IL6 covers classified information up to Secret, requiring air-gapped or dedicated classified cloud infrastructure with the full weight of classified information handling requirements. Each level builds on the previous: IL4 includes all IL2 requirements plus its own additions, IL5 includes all IL4 requirements plus further additions, and IL6 adds classified handling requirements on top of the entire non-classified stack. This cumulative structure means that achieving a higher Impact Level implicitly satisfies all lower levels for the same system.

The relationship between DoD Impact Levels and FedRAMP baselines is structural and deterministic. IL2 maps to FedRAMP Moderate as its baseline, meaning any cloud service provider with a FedRAMP Moderate Provisional Authorization (PA) or Agency Authority to Operate (ATO) satisfies the baseline requirements for IL2, though DoD-specific requirements still apply. IL4 and IL5 build on FedRAMP Moderate and FedRAMP High respectively, adding DoD-specific controls for network isolation, incident reporting to DoD channels, data sovereignty requirements, and personnel security clearance obligations. IL6 builds on FedRAMP High with additional controls derived from the Committee on National Security Systems (CNSS) requirements for classified information processing. Because each Impact Level traces back through FedRAMP to NIST 800-53, the entire control lineage is auditable from any DoD IL requirement back to its originating 800-53 control. This traceability is not approximate. It is published in the Cloud SRG control mapping tables and maintained by DISA as the authoritative cross-reference.

02
How Overlays Work
Layered Security Requirements Composed on FedRAMP Baselines.

DoD Impact Levels are overlays, not standalone frameworks. An overlay modifies a base framework by adding controls, tightening parameters on existing controls, or imposing operational requirements that the base framework does not specify. The base framework for all DoD Impact Levels is FedRAMP, which itself derives from NIST 800-53. When DISA publishes IL4 requirements, those requirements do not restate every FedRAMP Moderate control. They specify the additional controls and parameter modifications that apply on top of the FedRAMP Moderate baseline. This layered architecture means that compliance with an Impact Level requires satisfying three layers simultaneously: the NIST 800-53 controls selected by the FedRAMP baseline, the FedRAMP-specific parameters and requirements applied to those controls, and the DoD-specific additions and modifications defined by the Impact Level overlay. Organizations that attempt to assess against a DoD Impact Level without first establishing their FedRAMP posture are building on an incomplete foundation.

Each Impact Level overlay specifies its modifications in several categories. Additional controls are NIST 800-53 controls not included in the FedRAMP baseline but required by the DoD for that sensitivity level. Parameter tightening modifies organization-defined parameters on existing controls: where FedRAMP Moderate might allow a 90-day password expiration, a DoD IL might require 60 days. Implementation guidance provides DoD-specific instructions for how a control must be implemented in a defense context, which may differ from commercial FedRAMP implementations. Operational requirements cover non-technical mandates such as incident reporting timelines to US-CERT and DoD CISA, personnel security investigation levels, and data residency constraints. These categories are distinct and must be tracked separately because they affect different aspects of the organization's security program. A control may be implemented correctly per FedRAMP standards but fail the DoD parameter requirement because the review frequency or retention period does not meet the tighter DoD threshold.

Rampart composes DoD Impact Level overlays with FedRAMP baselines automatically. When you activate a DoD IL assessment, Rampart resolves the complete control set: every FedRAMP baseline control, every FedRAMP parameter assignment, and every DoD overlay modification. The result is a unified assessment that shows each control with its effective requirement after overlay composition. If FedRAMP Moderate requires AC-2 with a 90-day review cycle and the IL4 overlay tightens that to 60 days, Rampart displays the effective requirement as 60 days and evaluates your evidence against that threshold. Controls added by the overlay that do not exist in the FedRAMP baseline appear as new assessment items with their DoD-specific implementation guidance. Sentinel monitors all overlay-specific parameters alongside the base framework requirements, detecting drift against the tighter DoD thresholds rather than the more permissive FedRAMP defaults. This composition is not a manual mapping exercise. The overlay relationships are encoded in the platform's control catalog and resolved programmatically every time the assessment state is evaluated.
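The composition and evaluation steps described above, as an added sketch (not Rampart's or Redoubt Forge's code). The catalog layout, function names, the AU-11 values and the `EXAMPLE-ADD-1` control are assumptions constructed for illustration; the AC-2 90-day and 60-day figures are the hypothetical ones used in the text, not values quoted from the Cloud SRG.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Param:
    """One organization-defined parameter and the direction of its bound."""
    limit: int
    bound: str  # "max": observed must be <= limit; "min": observed must be >= limit

    def satisfied_by(self, observed: int) -> bool:
        return observed <= self.limit if self.bound == "max" else observed >= self.limit

    def at_least_as_strict_as(self, other: "Param") -> bool:
        return self.limit <= other.limit if self.bound == "max" else self.limit >= other.limit


# Constructed sample catalog. AC-2 uses the text's hypothetical 90 -> 60 days;
# the AU-11 values and EXAMPLE-ADD-1 are placeholders, not Cloud SRG content.
FEDRAMP_MODERATE = {
    "AC-2": {"review_interval_days": Param(90, "max")},
    "AU-11": {"retention_days": Param(90, "min")},
}
IL4_OVERLAY = {
    "tighten": {"AC-2": {"review_interval_days": 60}},
    "add": {"EXAMPLE-ADD-1": {"check_interval_days": Param(30, "max")}},
}
# Constructed evidence: what monitoring observed in the environment.
EVIDENCE = {
    "AC-2": {"review_interval_days": 75},
    "AU-11": {"retention_days": 120},
}


def compose(baseline, overlay):
    """Return the effective requirement set: baseline with the overlay applied."""
    effective = {cid: dict(params) for cid, params in baseline.items()}
    for cid, changes in overlay.get("tighten", {}).items():
        if cid not in effective:
            raise KeyError(f"overlay tightens {cid}, which is not in the baseline")
        for name, new_limit in changes.items():
            old = effective[cid][name]
            new = Param(new_limit, old.bound)
            # An overlay may only tighten; a looser value is a catalog error.
            if not new.at_least_as_strict_as(old):
                raise ValueError(f"{cid}.{name}: {new_limit} loosens {old.limit}")
            effective[cid][name] = new
    for cid, params in overlay.get("add", {}).items():
        if cid in effective:
            raise ValueError(f"{cid} is already in the baseline; use 'tighten'")
        effective[cid] = dict(params)
    return effective


def failures(requirements, evidence):
    """Return {control: [failed parameter names]}; missing evidence is a failure."""
    failed = {}
    for cid, params in requirements.items():
        observed = evidence.get(cid, {})
        bad = sorted(
            name for name, param in params.items()
            if name not in observed or not param.satisfied_by(observed[name])
        )
        if bad:
            failed[cid] = bad
    return failed


def overlay_delta(baseline, effective, evidence):
    """Controls that pass (or are absent from) the baseline but fail the overlay."""
    base_failed = failures(baseline, evidence)
    return {
        cid: bad
        for cid, bad in failures(effective, evidence).items()
        if cid not in base_failed
    }


if __name__ == "__main__":
    effective = compose(FEDRAMP_MODERATE, IL4_OVERLAY)
    print("baseline failures:", failures(FEDRAMP_MODERATE, EVIDENCE))
    print("effective AC-2 limit:", effective["AC-2"]["review_interval_days"].limit)
    print("overlay-only failures:", overlay_delta(FEDRAMP_MODERATE, effective, EVIDENCE))
```

A 75-day AC-2 review cycle passes the 90-day baseline but fails the 60-day effective requirement, and the overlay-added control fails until evidence for it exists.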

03
IL2: Public and Non-CUI
FedRAMP Moderate Baseline. Non-Sensitive DoD Data in Commercial Cloud.

Impact Level 2 covers DoD information that is approved for public release and non-controlled unclassified information that does not require the protections mandated for CUI. This is the lowest active Impact Level and serves as the entry point for cloud service providers seeking to host DoD workloads. The baseline requirement for IL2 is FedRAMP Moderate authorization, which means the cloud service offering must have undergone a FedRAMP assessment against the Moderate baseline (approximately 325 NIST 800-53 controls) and received either a Provisional Authorization from the Joint Authorization Board or an Agency ATO from a sponsoring federal agency. IL2 adds a small number of DoD-specific requirements on top of that FedRAMP Moderate foundation, primarily around incident notification to DoD channels and data handling procedures for DoD-originated content. The infrastructure may reside in commercial cloud regions accessible to the general public, provided the FedRAMP authorization is current and the DoD-specific overlay requirements are satisfied.

IL2 workloads run in standard commercial cloud regions. There is no requirement for government-only infrastructure, dedicated tenancy, or geographic restriction beyond what FedRAMP Moderate already mandates. This makes IL2 the most accessible Impact Level for organizations entering the defense market. The commercial cloud regions operated by major providers have achieved FedRAMP Moderate or High authorizations, meaning the underlying infrastructure baseline is already satisfied at the provider level. The organization's responsibility centers on its own application, configuration, and operational controls within that commercial infrastructure. Personnel access does not require security clearances or background investigations beyond standard federal requirements. Network connectivity does not require dedicated circuits or government-only peering points. These characteristics make IL2 significantly less burdensome than higher Impact Levels, but the FedRAMP Moderate baseline itself remains substantial. Organizations should not conflate "lowest DoD Impact Level" with "minimal security requirements." FedRAMP Moderate represents a rigorous security posture that many commercial organizations have not achieved.

Rampart maps IL2 requirements directly from your existing FedRAMP Moderate posture. If your organization already maintains a FedRAMP Moderate assessment in Rampart, activating the IL2 overlay composes the DoD-specific additions on top of that existing work. The platform identifies which FedRAMP controls are already satisfied, which DoD-specific additions require new evidence or implementation, and which parameter modifications tighten existing requirements. For organizations that do not yet have a FedRAMP assessment, Rampart builds the complete IL2 control set from the ground up: the full FedRAMP Moderate baseline plus the IL2 overlay requirements, presented as a unified assessment. Sentinel collects evidence from your commercial cloud infrastructure and evaluates it against both the FedRAMP baseline parameters and the DoD overlay parameters simultaneously. The assessment tracks your readiness percentage against the complete IL2 requirement set, not just the overlay additions. When IL2 assessment work is complete, the underlying FedRAMP Moderate posture is also fully assessed, providing immediate leverage for any other compliance effort that traces to FedRAMP or NIST 800-53.

04
IL4: CUI
Controlled Unclassified Information. Dedicated Government Cloud Infrastructure.

Impact Level 4 protects Controlled Unclassified Information (CUI) that does not involve national security systems. CUI encompasses a broad category of government-originated or government-controlled information that requires safeguarding under federal regulation but does not meet the threshold for classification. Examples include export-controlled technical data, privacy-protected records, law enforcement sensitive information, procurement-sensitive acquisition data, and For Official Use Only (FOUO) content. The IL4 overlay adds significant requirements beyond the FedRAMP Moderate baseline. Access to IL4 systems must be restricted to US persons (citizens and lawful permanent residents). All personnel with logical or physical access to IL4 infrastructure must have completed a National Agency Check with Inquiries (NACI) or equivalent background investigation. Data must not leave the geographic boundaries of the United States, including its territories. These are not optional guidance items. They are mandatory overlay requirements that the DoD enforces as conditions of authorization.

IL4 workloads typically require dedicated government cloud infrastructure. The major cloud providers operate government-specific regions (commonly referred to as GovCloud) that satisfy the isolation, personnel, and geographic requirements inherent to IL4. These government regions are physically separated from commercial regions, staffed exclusively by US persons who have undergone appropriate background investigations, and located within the continental United States. Network connectivity between IL4 systems and external networks must traverse controlled boundary protection devices with traffic inspection capabilities. Interconnections with commercial cloud services or public internet endpoints require explicit authorization and boundary protection documentation. The infrastructure isolation requirement means that organizations cannot simply deploy IL4 workloads in commercial cloud regions with additional access controls. The underlying infrastructure must meet the IL4 isolation standard, which in practice means government cloud regions or dedicated on-premises infrastructure that satisfies equivalent requirements.

Rampart presents the IL4 assessment as a composed view: FedRAMP Moderate baseline controls with IL4 overlay modifications applied. Each control displays its effective requirement after overlay composition, so your team sees the actual threshold they must meet rather than needing to mentally merge two separate documents. Sentinel connects to your government cloud accounts and collects evidence specific to IL4 requirements: network boundary configurations, access control policies restricting non-US-person access, geographic data residency verification, and personnel investigation status integration. Garrison tracks the complete inventory of resources deployed within your government cloud environment and flags any resources that fall outside the IL4 authorization boundary. When Sentinel detects a configuration that satisfies the FedRAMP Moderate parameter but violates the tighter IL4 parameter, Rampart surfaces the delta clearly: the control shows as compliant at FedRAMP Moderate but non-compliant at IL4, with the specific parameter difference highlighted. This prevents false confidence from organizations that assume their FedRAMP posture automatically satisfies DoD requirements.

05
IL5: CUI and National Security
Higher Sensitivity CUI. Mission-Critical National Security Information.

Impact Level 5 covers the most sensitive categories of Controlled Unclassified Information and mission-critical information associated with National Security Systems (NSS). IL5 represents the highest non-classified Impact Level in the DoD Cloud SRG and carries the most stringent security requirements short of classified information handling. The data categories protected at IL5 include CUI that, if disclosed, could reasonably be expected to cause serious harm to national security; mission data from combat support and combat service support systems; information from national security systems as defined by FISMA and CNSSI 1253; and controlled technical information related to military operations, intelligence activities, or weapons systems. The distinction between IL4 and IL5 is not simply "more controls." It reflects a fundamentally higher sensitivity threshold where the consequences of compromise extend beyond organizational damage to national security impact. IL5 builds on FedRAMP High rather than FedRAMP Moderate, adding approximately 100 additional controls to the baseline and tightening parameters across dozens more.

IL5 infrastructure requirements exceed those of IL4 in several dimensions. The cloud infrastructure must provide logical or physical separation from all non-DoD tenants, not just separation from commercial workloads. Network connectivity requires dedicated interconnections with DoD networks such as NIPRNet, with traffic encryption meeting NSA-approved cryptographic standards. Personnel access requires a minimum of a favorably adjudicated Tier 3 (formerly NACLC) background investigation, and many IL5 environments require Secret-level clearances for administrative access to the infrastructure. Geographic restrictions are absolute: all data processing, storage, and transmission must occur within facilities located in the United States, with no exceptions for disaster recovery or failover to international regions. Incident response timelines are compressed compared to IL4, with mandatory notification to DoD CISA within one hour of confirmed compromise rather than the longer windows permitted at lower levels. These requirements collectively restrict IL5 deployments to a small number of cloud environments that have been specifically designed, assessed, and authorized for this sensitivity level.

Rampart composes the IL5 overlay on the FedRAMP High baseline, producing the complete control set with all DoD-specific additions and parameter modifications resolved. The assessment scope at IL5 is substantially larger than IL4: FedRAMP High includes approximately 421 NIST 800-53 controls compared to FedRAMP Moderate's 325, and the IL5 overlay adds further controls and tightened parameters on top of that expanded baseline. Sentinel monitors IL5-specific requirements including cryptographic standard compliance, network isolation verification, and incident response timer enforcement. Vanguard scans infrastructure configurations against the DoD Cloud SRG checks applicable at IL5, including STIG compliance for operating systems, databases, and application platforms deployed within the IL5 boundary. The platform tracks the delta between your current IL4 posture (if you have one) and the IL5 target, showing exactly which additional controls, parameter tightenings, and infrastructure changes are required to advance from IL4 to IL5. This incremental view prevents organizations from treating IL5 as a separate compliance effort when it shares substantial control overlap with their existing IL4 work.

06
IL6: Classified
Classified Information Up to Secret. Air-Gapped and Dedicated Infrastructure.

Impact Level 6 covers classified information up to and including Secret. This is the highest Impact Level defined in the current DoD Cloud SRG and imposes the full weight of classified information handling requirements on cloud deployments. IL6 systems process, store, and transmit National Security Information that has been formally classified under Executive Order 13526 (or its successors) at the Confidential or Secret level. Compromise of this information could reasonably be expected to cause serious damage to national security. The security controls at IL6 extend beyond the NIST 800-53 catalog into requirements derived from CNSSI 1253 for National Security Systems, Intelligence Community directives for certain data categories, and DoD-specific classified information handling procedures. IL6 is not simply "IL5 with more controls." It represents a qualitative shift from protecting sensitive-but-unclassified information to protecting formally classified national security information, with correspondingly different legal authorities, oversight mechanisms, and consequence structures.

IL6 infrastructure operates in air-gapped or dedicated classified cloud environments that are physically and logically isolated from all unclassified networks. These environments connect to classified DoD networks such as SIPRNet and are operated by personnel holding active Secret (or higher) security clearances. The number of cloud providers authorized to operate at IL6 is extremely limited. These environments undergo continuous assessment by DISA and are subject to inspection by DoD oversight authorities at any time. Physical security requirements include SCIF-equivalent protections for data center facilities, guard force or electronic monitoring of all access points, and destruction procedures for storage media that meet DoD 5220.22-M or NSA-approved sanitization standards. Cryptographic requirements mandate NSA Type 1 encryption for data in transit across any network boundary and FIPS 140-2 Level 3 or higher for data at rest. The operational overhead of maintaining an IL6 environment is an order of magnitude greater than IL5, reflecting the severity of the information being protected.

Redoubt Forge supports IL6 evidence collection in environments where the platform can be deployed within the classified boundary. Because IL6 environments are air-gapped from unclassified networks, the platform operates as a self-contained deployment within the classified enclave. Sentinel discovers and monitors resources within the classified boundary using local connectivity only, with no requirement for external network access. Rampart composes the IL6 overlay on the FedRAMP High baseline with CNSSI 1253 classified overlay additions, producing the complete control set for classified cloud operations. Evidence collection, assessment scoring, and compliance proof generation all occur within the classified environment. Armory provides hardened IaC modules pre-configured for classified deployment parameters, including NSA-approved cryptographic configurations and classified network boundary protections. Export of assessment data from the classified environment follows the organization's cross-domain transfer procedures. The platform does not attempt to bridge classified and unclassified boundaries. It operates entirely within the classification level of the environment it is deployed in, respecting the air gap as an absolute boundary.

07
Scanning and Evidence
Continuous Monitoring Across Impact Levels. From Commercial Cloud to Air-Gapped Enclaves.

Monitoring DoD Impact Level requirements demands continuous evaluation across every connected environment, with awareness of which Impact Level applies to each workload. For IL2 and IL4 workloads in commercial or government cloud regions, evidence collection covers configuration state, access logs, network flow data, encryption status, and resource inventory information. Each evidence collection event must be evaluated against the effective control requirements for the active Impact Level, including both the FedRAMP baseline parameters and the DoD overlay modifications. The critical nuance is that a configuration may satisfy FedRAMP Moderate but violate the tighter IL4 parameter. Without Impact Level-aware evaluation, this violation goes undetected because the configuration passes the base framework check. Granular evaluation at each Impact Level prevents both false positives (alerting on configurations that meet the effective requirement) and false negatives (missing violations that only manifest at the DoD overlay level). Organizations operating across multiple Impact Levels must maintain distinct evaluation thresholds for each level while collecting evidence from shared infrastructure that spans those boundaries.

Scanning infrastructure and application configurations against DoD Cloud SRG checks requires Impact Level-specific scan profiles. STIG compliance scanning must cover operating systems, databases, application servers, container platforms, and network devices deployed within each IL boundary. Each STIG finding maps to NIST 800-53 controls, which map to FedRAMP baseline and DoD overlay requirements. A Category I STIG finding on a database server within an IL5 boundary should trigger re-evaluation of every control that the affected STIG check supports. The challenge is correlating scan results with the correct Impact Level parameters and recalculating compliance scores across the full derivation chain. Scan scheduling must also adapt to the Impact Level: IL5 and IL6 environments may require more frequent scanning intervals than IL2 environments based on the monitoring requirements specified in the Cloud SRG for each level. Organizations that apply uniform scan schedules across all Impact Levels risk under-scanning high-sensitivity environments and over-scanning low-sensitivity ones, wasting resources while leaving gaps in the environments that matter most.

Government cloud and air-gapped deployment considerations shape how evidence collection operates at higher Impact Levels. For IL4 and IL5 environments in government cloud regions, Sentinel connects through government cloud API endpoints that may have different authentication requirements, network routing constraints, and API availability than their commercial equivalents. The platform's evidence collection adapts to these differences transparently. For IL6 air-gapped environments, the entire platform operates within the classified boundary with no external connectivity. Evidence collection occurs through local network discovery and API access within the enclave. Assessment updates, control catalog changes, and platform updates are delivered through approved cross-domain transfer mechanisms rather than network-based updates. Citadel provides a unified dashboard across all Impact Levels when operating in environments that span multiple levels, showing posture status for each IL alongside the base FedRAMP assessment. The action queue prioritizes findings by their Impact Level significance, ensuring that IL5 and IL6 violations receive attention before lower-level issues.

08
Relationship to Base Framework
From NIST 800-53 Through FedRAMP to DoD Impact Levels. One Lineage.

Every DoD Impact Level requirement traces back through a deterministic lineage. The Cloud SRG overlay requirements map to FedRAMP baselines, which select controls from NIST 800-53 rev5. This means that every IL2 requirement, every IL4 parameter tightening, every IL5 additional control, and every IL6 classified handling requirement has a traceable path back to a specific NIST 800-53 control. That traceability is not a convenience feature. It is the mechanism by which organizations avoid redundant compliance work. When you satisfy an IL4 requirement for access control review frequency, you are simultaneously satisfying the underlying FedRAMP Moderate requirement for AC-2, the NIST 800-53 control AC-2, and any other framework that derives from the same control. The derivation chain runs in both directions: work done at the DoD overlay level satisfies requirements at every lower layer, and work done at the NIST 800-53 base level provides the foundation that every overlay and derived framework builds upon.

For defense contractors pursuing CMMC certification alongside DoD Impact Level compliance, the control overlap is extensive and consequential. CMMC Level 2 maps to NIST 800-171 rev2, which derives from the NIST 800-53 Moderate baseline. FedRAMP Moderate also derives from the NIST 800-53 Moderate baseline. DoD IL2 and IL4 build on FedRAMP Moderate. This means that a significant percentage of the controls required for CMMC Level 2, FedRAMP Moderate, and DoD IL2/IL4 are the same underlying NIST 800-53 controls expressed through different organizational structures and with potentially different parameter assignments. An organization that has achieved CMMC Level 2 has already implemented the core controls required for FedRAMP Moderate and IL2. The incremental effort to achieve IL4 focuses on the DoD-specific additions: personnel restrictions, infrastructure isolation, geographic data residency, and parameter tightenings. This cross-framework leverage is not theoretical. It is the structural consequence of the NIST derivation chain.

Rampart resolves these cross-framework relationships through its derivation chain engine. When you satisfy a DoD IL4 control, Rampart traces the lineage back through FedRAMP Moderate to NIST 800-53 and forward to every other framework that shares that lineage: CMMC Level 2, NIST 800-171, SOC 2, ISO 27001, and any other active assessment in your portfolio. The cross-framework leverage is computed continuously and displayed as a readiness percentage for each framework based on work already completed for other frameworks. For defense contractors managing multiple compliance obligations simultaneously, this cross-framework computation eliminates the redundant assessment work that consumes most of the effort in traditional compliance programs. One security posture, assessed once, satisfying controls across every derived framework. Artificer identifies which remediation actions deliver the greatest cross-framework benefit: closing a gap in access control review frequency might simultaneously advance your IL4 compliance, FedRAMP Moderate posture, CMMC Level 2 readiness, and NIST 800-53 baseline coverage. Citadel ranks these high-leverage actions at the top of the action queue, maximizing the return on every hour your team invests in remediation.

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.