Fortinetics

DoD Impact Level 4 vs Impact Level 5: the delta that catches CSPs out

DoD Cloud Computing SRG Impact Levels sit on top of FedRAMP. IL4 covers Controlled Unclassified Information; IL5 covers mission-critical CUI and unclassified National Security Systems. The CSP SRG v1r3 update (July 2025) widened the gap between them substantially — roughly 170 NSS controls now separate IL5 from its FedRAMP High base.

The short answer

IL4 and IL5 are not a tier choice you make freely — the data sensitivity and mission criticality of the workload dictate which applies. The trap is assuming IL5 is 'IL4 plus a little': v1r3 made it FedRAMP High plus ~170 NSS controls, and the personnel and cryptographic requirements are a different operational world.

DoD IL4

Your DoD workload is CUI that is not mission-critical and not a National Security System. IL4 — FedRAMP Moderate or High plus a DoD overlay — is the right authorization, and the personnel and cryptographic bar is meaningfully lower than IL5.

DoD IL5

Your DoD workload is mission-critical CUI or an unclassified National Security System. IL5 adds US-citizen operator verification, FIPS 140 at every internal boundary, and ~170 NSS controls from CNSSI 1253 on top of FedRAMP High.

Side by side

| | DoD IL4 | DoD IL5 |
|---|---|---|
| Data handled | Controlled Unclassified Information (CUI) | Mission-critical CUI + unclassified National Security Systems |
| FedRAMP base | FedRAMP Moderate or High + DoD overlay | FedRAMP High + ~170 NSS controls (CNSSI 1253) |
| Personnel | Standard DoD overlay requirements | US-citizen operator verification for privileged access; Tier 3 investigations |
| Cryptography | FIPS 140-validated at external boundaries | FIPS 140-validated at every internal trust zone, not just external |
| Control scope (post-v1r3) | Smaller delta over FedRAMP | ~40% larger than the prior IL5 baseline after v1r3 (July 2025) |
| Incident response | DoD overlay coordination | DoD CC SRG sponsor + component security team + faster cadence |
| Typical deployment | GovCloud, Azure Government, AWS US Gov | Same regions, with stricter isolation and operator controls |
| Where CSPs stall | Boundary scoping, overlay documentation | US-citizen workforce, internal FIPS 140, NSS classification handling |

What actually separates IL4 from IL5

Both IL4 and IL5 are DoD Cloud Computing SRG overlays on FedRAMP — neither is classified work. The separation is the sensitivity and mission criticality of the data, and after the v1r3 update it is wider than many CSPs assume.

IL4 handles Controlled Unclassified Information. It builds on FedRAMP Moderate or High with a DoD-specific overlay. The personnel, cryptographic, and supply-chain requirements are real but tractable for a CSP that has done FedRAMP.

IL5 handles mission-critical CUI and unclassified National Security Systems. After CSP SRG v1r3 (July 2025), IL5 is FedRAMP High plus approximately 170 additional controls drawn from CNSSI 1253 — the National Security Systems control catalog. That is roughly a 40% increase in control scope over the prior IL5 baseline.

The three divergences that cost the most

The control count understates the impact. Three specific IL5 requirements drive most of the additional work over IL4.

US-citizen operator verification. Every individual with privileged access to the IL5 boundary must be a verified US citizen, with an HR-integrated verification workflow reconciled monthly against the active access list. For CSPs with globally distributed engineering teams, this is a personnel and HR program before it is a control. IL4 does not impose this at the same depth.

FIPS 140 at every internal boundary. IL4 expects validated cryptography at external trust boundaries. IL5 expects it at every cryptographic boundary including internal trust zones — service-to-service traffic, internal data flows, internal API tokens. A CSP running a validated module at the edge with non-validated internal TLS passes the FIPS expectation at IL4 and fails it at IL5. This is architectural and hard to retrofit.

NSS classification handling. IL5 explicitly handles National Security Systems categorization for in-scope workloads — data classification scheme, NSS data-flow documentation, NSS-specific handling. IL4 does not exercise this dimension.
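The monthly reconciliation described under US-citizen operator verification, sketched as an added example (not code from this page or from any DoD tooling). The CSV layouts, field names, account names and dates are constructed assumptions standing in for an IAM export and an HR export.

```python
import csv
import io
from datetime import date

# Constructed sample: accounts holding privileged access to the IL5 boundary.
ACCESS_CSV = """account,employee_id,role
alice.adm,E1001,platform-admin
bob.adm,E1002,db-admin
carol.adm,E1003,network-admin
svc-deploy,,break-glass
dave.adm,E1005,platform-admin
"""

# Constructed sample: HR export (column names are assumptions).
HR_CSV = """employee_id,status,us_citizen_verified,verified_on
E1001,active,yes,2025-03-14
E1002,active,no,
E1003,terminated,yes,2024-11-02
E1004,active,yes,2025-01-20
"""

def reconcile(access_csv, hr_csv):
    """Return {account: reason} for each privileged account that cannot be
    tied to an active, citizenship-verified HR record."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for row in csv.DictReader(io.StringIO(access_csv)):
        emp = row["employee_id"].strip()
        rec = hr.get(emp)
        if not emp:
            # Shared or service account with no accountable person.
            findings[row["account"]] = "no owning employee"
        elif rec is None:
            findings[row["account"]] = "no HR record"
        elif rec["status"] != "active":
            # Access outlived employment: deprovisioning gap.
            findings[row["account"]] = "employee not active"
        elif rec["us_citizen_verified"] != "yes" or not rec["verified_on"]:
            findings[row["account"]] = "citizenship not verified"
    return findings

def monthly_report(run_date, access_csv=ACCESS_CSV, hr_csv=HR_CSV):
    """Dated record of one reconciliation run, suitable to retain as evidence."""
    findings = reconcile(access_csv, hr_csv)
    return {"run_date": run_date.isoformat(), "exceptions": len(findings),
            "clean": not findings, "findings": findings}
```

The direction of the join matters: it starts from the access list, so accounts with no HR counterpart surface as findings instead of being silently skipped.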

Our [IL5 assessment article](/insights/il5-assessment-controls-that-burn-csps/) covers the control-friction categories that consistently extend IL5 schedules.

Sequencing — most CSPs go IL4 then IL5

The common path is FedRAMP → IL4 → IL5, because each step reuses most of the prior step's work. A CSP that has FedRAMP High and IL4 has the foundational muscle; IL5 is the NSS overlay on top.

But the IL5 overlay is operational work, not just documentation. CSPs that treat it as "another set of controls to write up" rather than a personnel program plus an internal cryptographic architecture plus DoD-cadence continuous monitoring consistently lose quarters. The personnel dimension in particular — US-citizen verification, Tier 3 investigation tracking — takes months to execute and cannot be retrofitted under assessment deadline.

For the relationship between FedRAMP Rev 5 and the IL5 v1r3 overlay specifically, see our [Rev 5 + IL5 overlap analysis](/insights/fedramp-rev-5-il5-overlap/).

Frequently asked

IL4 vs IL5 — common questions.

What is the difference between DoD IL4 and IL5?

IL4 handles Controlled Unclassified Information and builds on FedRAMP Moderate or High with a DoD overlay. IL5 handles mission-critical CUI and unclassified National Security Systems, and after CSP SRG v1r3 (July 2025) it is FedRAMP High plus roughly 170 additional NSS controls from CNSSI 1253. The biggest practical differences are US-citizen operator verification, FIPS 140 cryptography at every internal boundary, and NSS classification handling — none of which IL4 imposes at the same depth.

Can I reuse my IL4 authorization for IL5?

The IL4 work is a strong foundation — most control content and architecture documentation carries over, and the 3PAO relationship transfers. What you add for IL5: the ~170 NSS overlay controls, US-citizen operator verification workflow, FIPS 140 at internal trust zones, expanded supply-chain provenance, NSS data classification, and DoD-specific continuous monitoring cadence. The document set grows substantially and the architecture may need material changes for internal cryptographic boundaries.

Is IL5 just IL4 with a few more controls?

No — that framing is the most common and most expensive mistake. After v1r3, IL5 is roughly 40% larger in control scope than the prior baseline, and the additions are concentrated in operational areas: a US-citizen workforce program, an internal FIPS 140 cryptographic architecture, and NSS classification handling. These are personnel and architecture problems that take quarters, not documentation tasks that take weeks.

Which workloads require IL5 instead of IL4?

Mission-critical CUI and unclassified National Security Systems require IL5. Standard CUI that is not mission-critical and not an NSS can use IL4. You do not choose freely — the data sensitivity and the mission criticality, as determined by the DoD customer and the workload's role, dictate which Impact Level applies.

Do both IL4 and IL5 require US-citizen operators?

IL5 requires verified US-citizen operators for privileged access, with an HR-integrated verification workflow reconciled monthly. IL4 does not impose US-citizen verification at the same depth. This is one of the largest practical divergences and, for CSPs with globally distributed engineering teams, often the single most expensive IL5 requirement to satisfy.