Fortinetics

DoD Impact Level 4, 5, and 6 authorization — the CUI and classified tier.

FedRAMP is the federal baseline. DoD Cloud Computing SRG is the overlay that matters when your customer is DoD. IL4 covers CUI; IL5 covers mission-critical CUI and unclassified National Security Systems; IL6 covers SECRET. Each level adds specific DoD requirements — US-citizen operators, FIPS 140 boundaries, region isolation, stricter ConMon cadence — that trip up CSPs arriving directly from a FedRAMP authorization.

  • IL2 → IL6: full DoD SRG coverage
  • 4–6 months: FedRAMP → IL4 delta
  • DISA PA: authorization authority

The DoD CC SRG in one paragraph

The DoD Cloud Computing Security Requirements Guide (CC SRG) is the DoD's overlay on top of FedRAMP. It defines Impact Levels 2 through 6 based on data sensitivity: IL2 for public-facing DoD data, IL4 for CUI, IL5 for mission-critical CUI and unclassified National Security Systems, and IL6 for SECRET-classified workloads. Each level adds DoD-specific requirements on top of the FedRAMP baseline — and the deltas are narrower technically than operationally. The assessment itself is performed by a 3PAO; the authorization is issued by DISA as a Provisional Authorization that DoD components then adopt.

IL4 vs IL5 — what actually changes

The control-baseline delta from IL4 to IL5 is narrow. What changes is the evidence bar and the operational discipline behind the controls.

IL5 adds explicitly:

  • US-citizen operator verification — anyone with privileged access to the authorization boundary must be a US citizen. The HR-to-IdP integration evidence is the hard part, not the policy.
  • FIPS 140-validated cryptography at every boundary — not "FIPS-compliant," not "uses approved algorithms," but CMVP-validated modules on the active validation list.
  • Deeper supply-chain evidence — SBOMs, dependency provenance, update integrity, third-party assessment artifacts.
  • Stricter continuous monitoring — monthly cadence that withstands sustained assessor scrutiny over multiple review cycles.

IL5 assessments routinely extend by 30–60 days when any one of these is underestimated. We plan explicitly around each.
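The HR-to-IdP reconciliation an assessor wants to see, as an added illustration in Python that is not Fortinetics' tooling or a DoD-specified procedure: every account in a privileged IdP group is matched to an HR record that is active and carries a verified-citizenship attestation, and every mismatch becomes a finding. Field names, group names and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class HrRecord:                  # constructed HR export shape
    employee_id: str
    active: bool                 # still employed per HR
    citizenship_verified: bool   # HR attests US citizenship was verified

@dataclass(frozen=True)
class IdpAccount:                # constructed IdP export shape
    username: str
    employee_id: Optional[str]   # link to HR; None if the account is unmapped
    groups: FrozenSet[str]

# Constructed: IdP groups that grant privileged access to the IL5 boundary.
PRIVILEGED_GROUPS = frozenset({"il5-infra-admins", "il5-platform-ops",
                               "il5-oncall", "il5-secops"})

def reconcile(hr: List[HrRecord], accounts: List[IdpAccount]) -> List[Tuple[str, str]]:
    """Return (username, reason) per privileged account failing the check; [] is the clean evidence."""
    hr_by_id = {rec.employee_id: rec for rec in hr}
    findings = []
    for acct in accounts:
        if not (acct.groups & PRIVILEGED_GROUPS):   # non-privileged accounts are out of scope
            continue
        rec = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append((acct.username, "no HR record for privileged account"))
        elif not rec.active:
            findings.append((acct.username, "terminated employee retains privileged access"))
        elif not rec.citizenship_verified:
            findings.append((acct.username, "US citizenship not verified by HR"))
    return sorted(findings)

# Constructed sample data: one clean admin, three failure modes, one non-privileged user.
HR = [HrRecord("E100", True, True), HrRecord("E101", True, False),
      HrRecord("E102", False, True), HrRecord("E103", True, False)]
ACCOUNTS = [
    IdpAccount("alice", "E100", frozenset({"il5-infra-admins"})),
    IdpAccount("bob", "E101", frozenset({"il5-oncall"})),
    IdpAccount("carol", "E102", frozenset({"il5-secops", "developers"})),
    IdpAccount("svc-breakglass", None, frozenset({"il5-platform-ops"})),
    IdpAccount("dave", "E103", frozenset({"developers"})),
]

if __name__ == "__main__":
    for user, reason in reconcile(HR, ACCOUNTS):
        print(f"{user}: {reason}")
```

Run on a schedule against the real HR and IdP exports, the dated output (including empty runs) is the ConMon artifact; the unmapped break-glass account shows why every privileged identity, not only named staff, needs an owner of record.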

IL6 and the classified tier

IL6 sits above IL4 and IL5 on the CC SRG scale and covers SECRET-classified workloads. Running at IL6 requires classified-region infrastructure (AWS Secret Region, Azure Government Secret), personnel clearances, dedicated facility clearances, and a fundamentally different operational model from IL4/IL5.

Few commercial CSPs pursue IL6 directly; most get there through a progression from IL5 plus classified-customer pull. When IL6 is the target, the engagement is as much about the program security and classified-network integration as it is about cloud configuration — which is where our classified-networks practice and our cloud practice converge.

Who needs DoD CC SRG authorization?

Any cloud service provider with a DoD customer that handles DoD CUI (IL4), mission-critical CUI or unclassified NSS (IL5), or classified data (IL6). CSPs that start with a federal-civilian FedRAMP authorization often discover a DoD opportunity requires the CC SRG overlay — not a replacement for FedRAMP, an additional layer.

Typical customer-driven triggers: a DoD program office expressing interest, a prime contractor flowing down a cloud-hosted CUI requirement, or a DoD component mandate to move a workload from an on-premise system to a cloud service.

Why Fortinetics for DoD IL authorizations

We understand the delta from FedRAMP. We have run CSPs from clean FedRAMP Moderate ATO to IL4 PA and from IL4 to IL5 repeatedly. The delta — US-citizen operators, FIPS 140 boundary discipline, DISA PA review cycle management — is where engagements slip. We plan around each specifically, not generically.

We work where commercial clouds end. Our classified-networks practice handles the IL5/IL6 boundary — the transition from commercial cloud infrastructure to the classified tier. Few compliance firms operate credibly at both ends of this spectrum.

Parallel framework execution. Many CSPs targeting IL4/IL5 also need CMMC Level 2 (as the contractor), FedRAMP Moderate or High (as the cloud service), and sometimes SOC 2 for commercial customers. Running these in parallel with shared controls and a shared evidence pipeline is the only way to keep the program costs manageable.

Recent regulatory changes

What changed recently in DoD IL4/IL5/IL6.

  • July 2025
    CSP SRG v1r3 adds ~170 new controls to IL5 (40% increase)

    DISA's July 2025 SRG update requires IL5 Cloud Service Offerings to implement National Security Systems controls drawn from CNSSI 1253 on top of FedRAMP High. Existing IL5 authorizations face meaningfully expanded assessment scope at next renewal. The SRG also completed the transition from NIST 800-53 Rev 4 to Rev 5.

  • July 2025
    DoD granted pen-testing rights on IL6 hosting environments

    The v1r3 SRG added language granting the government the right to perform internal and external penetration testing on CSP IL6 environments. Prior guidance allowed government-led assessments but did not explicitly extend offensive-testing rights to production. This is a material change for CSPs planning IL6 authorization.

  • June 2024
    DoD Cloud Computing SRG transitioning to NIST 800-53 Rev 5

    DISA issued guidance in mid-2024 beginning the Rev 4 → Rev 5 transition across all DoD Impact Levels. Cloud providers should plan for updated supply-chain risk management, incident response, and configuration-management control evidence at next assessment cycle.

Frequently asked

Questions we get about DoD IL4/IL5/IL6.

What's the relationship between FedRAMP and DoD Impact Levels?

DoD Impact Levels are an overlay on top of FedRAMP. FedRAMP Moderate is roughly equivalent to IL2. IL4 adds DoD-specific controls and a DISA provisional authorization layer on top of FedRAMP Moderate or High. IL5 adds further requirements (US-citizen operators, FIPS 140). A CSP at IL4/IL5 maintains the underlying FedRAMP authorization — IL is additive, not a replacement.

Can we do IL4 without going through FedRAMP first?

In practice, no — IL4 requires the FedRAMP authorization as a prerequisite layer. IL2 is a lightweight overlay on FedRAMP Moderate used for public-facing DoD data. IL4 and above require the full FedRAMP baseline plus the DoD delta. The sequencing is always FedRAMP first, then IL4, then IL5, with IL6 reserved for classified regions.

What is the US-citizen operator requirement at IL5?

Anyone with privileged access to the IL5 authorization boundary must be a US citizen. Infrastructure admins, platform operators, on-call responders, security engineers — if they touch the privileged access plane, they must be verifiable US citizens. The requirement is policy-simple but operationally complex: the assessor wants to see the HR-to-IdP reconciliation workflow, not just the policy.

What does FIPS 140-validated actually mean at IL5?

Validated means the specific cryptographic module version has been certified by NIST's Cryptographic Module Validation Program and appears on the active validation list with a certificate number. "FIPS-compliant" — using FIPS-approved algorithms — is not sufficient. At IL5 every crypto module in the authorization boundary must be CMVP-validated; this catches CSPs who run an older validated version and upgrade to a newer one that has not yet been validated.

Who issues the authorization at IL4 and above?

DISA issues the Provisional Authorization (PA) after the 3PAO assessment and internal review. Individual DoD components then issue mission-specific ATOs on top of the PA. IL6 has additional authorization layers driven by the classified program's security authority.

Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific DoD IL4/IL5/IL6 target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.