Fortinetics

FedRAMP vs DoD Cloud Computing SRG: the federal-vs-defense cloud authorization split

FedRAMP is the federal government's standardized cloud authorization. The DoD Cloud Computing Security Requirements Guide is the Department of Defense's overlay on top of FedRAMP, defining Impact Levels 2 through 6 for defense workloads. They are not alternatives — the SRG builds on FedRAMP, and many CSPs need both.

The short answer

FedRAMP and the DoD CC SRG are stacked, not parallel. FedRAMP is the federal-wide baseline; the SRG's Impact Levels are a DoD overlay on top of it. If your customer is a civilian agency, FedRAMP alone usually suffices. If your customer is DoD, you need FedRAMP plus the relevant Impact Level — and we sequence them so FedRAMP work directly accelerates the DoD authorization.

FedRAMP

Your customers are federal civilian agencies. FedRAMP — at Low, Moderate, or High — is the authorization those agencies require, and it's the standalone destination for the civilian federal market.

DoD CC SRG

Your customers are DoD components. The DoD CC SRG Impact Levels (IL2-IL6) layer on top of FedRAMP, adding DoD-specific controls. You'll typically need FedRAMP first and the relevant Impact Level on top.

Side by side

| | FedRAMP | DoD CC SRG |
|---|---|---|
| Who runs it | GSA / FedRAMP PMO | DISA (Defense Information Systems Agency) |
| Customer base | Federal civilian agencies (and broadly, all of government) | Department of Defense components |
| Structure | Baselines: Low, Moderate, High | Impact Levels: IL2, IL4, IL5, IL6 |
| Relationship | The federal-wide foundation | A DoD overlay layered on FedRAMP |
| Rough mapping | FedRAMP Moderate ≈ IL2; FedRAMP High is the base for IL4/IL5 | IL4 = High + CUI overlay; IL5 = High + ~170 NSS controls; IL6 = Secret |
| Authorization output | Agency ATO or JAB P-ATO | DISA Provisional Authorization |
| Data ceiling | Up to FedRAMP High (unclassified) | Up to IL6 (Secret/classified) |
| Who needs both | CSPs serving civilian + DoD customers | Any CSP whose DoD workload exceeds IL2 |

Stacked, not parallel

The single most important thing to understand: FedRAMP and the DoD CC SRG are not competing authorizations you choose between. The SRG is built on top of FedRAMP.

FedRAMP is the federal government's standardized cloud security authorization — the baseline that lets any federal agency consume a cloud service. The DoD Cloud Computing Security Requirements Guide takes that FedRAMP foundation and adds DoD-specific requirements as Impact Levels for defense workloads.

Roughly: FedRAMP Moderate corresponds to IL2. FedRAMP High is the foundation that IL4 and IL5 build on, each adding DoD overlay controls (CUI handling at IL4; National Security Systems controls at IL5). IL6 reaches into Secret-classified workloads on isolated infrastructure. So the SRG is a defense-specific extension of the federal-wide FedRAMP framework, not a substitute for it.

Who needs which — and who needs both

The customer determines the requirement.

Civilian agency customers → FedRAMP, usually standalone. A CSP whose federal customers are civilian agencies (GSA, HHS, Treasury, and the like) needs FedRAMP at the appropriate baseline. The DoD CC SRG is not relevant to that market.

DoD component customers → FedRAMP plus an Impact Level. A CSP whose customer is a DoD component needs the relevant Impact Level. For anything above IL2, that means FedRAMP (typically High) as the foundation, with the DoD overlay on top. FedRAMP alone is insufficient for DoD CUI or mission-critical workloads.

Both markets → both authorizations. Commercial CSPs entering the federal market broadly often pursue FedRAMP first for civilian reach, then add DoD Impact Levels for defense customers. The work compounds — see the sequencing point below.

Sequencing — FedRAMP work accelerates the DoD authorization

Because the SRG builds on FedRAMP, the two authorizations share most of their substance. A CSP that has done FedRAMP High has already implemented the foundation that IL4 and IL5 extend.

We sequence engagements so the FedRAMP work directly accelerates the DoD CC SRG authorization rather than duplicating effort. A single canonical System Security Plan documents the FedRAMP implementation, with a DoD overlay annex capturing the Impact Level-specific controls. The evidence pipeline serves both. The 3PAO assessment can be coordinated to cover both in phases.

The economics resemble the broader multi-framework pattern: running FedRAMP and a DoD Impact Level together is meaningfully less than the sum of running them separately. For the FedRAMP-to-IL4/IL5 upgrade path specifically, see our [upgrade path article](/insights/fedramp-to-il4-il5-upgrade/); for the Rev 5 and IL5 v1r3 overlap, the [overlap analysis](/insights/fedramp-rev-5-il5-overlap/).

Frequently asked

FedRAMP vs DoD CC SRG — common questions.

What is the difference between FedRAMP and the DoD Cloud Computing SRG?

FedRAMP is the federal government's standardized cloud authorization, run by GSA, with Low/Moderate/High baselines — it lets any federal agency consume a cloud service. The DoD Cloud Computing SRG, run by DISA, is a Department of Defense overlay layered on top of FedRAMP, defining Impact Levels 2 through 6 for defense workloads. They're stacked, not parallel: the SRG builds on FedRAMP rather than replacing it.

Do I need FedRAMP before a DoD Impact Level authorization?

For anything above IL2, effectively yes. The DoD Impact Levels build on FedRAMP — IL4 and IL5 use FedRAMP High as their foundation and add DoD-specific overlay controls. A CSP can't reach IL4/IL5 without the FedRAMP High substance underneath. The efficient approach is to sequence them so the FedRAMP work directly feeds the DoD authorization rather than running two separate efforts.

How do FedRAMP baselines map to DoD Impact Levels?

Roughly: FedRAMP Moderate corresponds to IL2 (low-impact DoD data). FedRAMP High is the foundation for IL4 (CUI) and IL5 (mission-critical CUI and unclassified National Security Systems), each adding DoD overlay controls. IL6 covers Secret-classified workloads on isolated infrastructure and is a different operational world. The mapping is approximate — the Impact Levels add real DoD-specific requirements beyond the FedRAMP baseline.

If my customer is a DoD agency, is FedRAMP enough?

Usually not. FedRAMP alone covers up to FedRAMP High for unclassified federal workloads, which maps to roughly IL2 on the DoD side. If your DoD workload involves CUI (IL4) or mission-critical CUI / National Security Systems (IL5), you need the DoD CC SRG Impact Level overlay on top of FedRAMP. FedRAMP is necessary but not sufficient for most DoD cloud consumption.

Can one assessment cover both FedRAMP and a DoD Impact Level?

It can be coordinated. Because the SRG builds on FedRAMP, a single 3PAO with DoD assessment experience can assess both in coordinated phases — FedRAMP first, then the Impact Level overlay — using a single canonical SSP with a DoD overlay annex and a shared evidence pipeline. This avoids running two independent assessments and is how we structure engagements for CSPs needing both.

Not sure which fits your situation?

Book a scoping call.

Thirty minutes. We'll walk through your target, your current posture, and which path — or which combination — actually fits. If the answer is "neither yet," we'll say so.