A pattern keeps showing up in scoping calls with CSPs entering federal markets. The team has read enough to know that FedRAMP Rev 5 and DoD Impact Level 5 are related — both built on NIST SP 800-53 Rev 5, both formally administered with overlapping artifacts, both ultimately gating the same federal customer conversations. The team has also read enough to know they are not the same thing. What is harder to find written down is the practitioner answer to the obvious follow-up: how much of one satisfies the other, where exactly the gaps live, and whether the right move is to do them sequentially or in parallel.
DISA’s publication of CSP SRG v1r3 in July 2025 sharpened the question. v1r3 layers approximately 170 controls drawn from CNSSI 1253 on top of the FedRAMP High baseline to reach IL5 — a roughly 40% increase in control scope over the prior IL5 baseline. The control catalog is now meaningfully larger, the overlap with FedRAMP Rev 5 is now formally measurable against a stable Rev 5 baseline on both sides, and the parallel implementation question has a more defensible answer than it did eighteen months ago.
This article is the operational read on that overlap. It is written for CSPs who are either approaching FedRAMP Rev 5 with DoD on the medium-term horizon, already at Rev 5 and starting IL5 v1r3 work, or considering whether to design for both authorizations from the start. For context on the FedRAMP-to-IL5 upgrade path generally, see the upgrade path most CSPs underestimate; for the v1r3 control friction that consistently extends IL5 schedules, see the controls that burn CSPs first. This article focuses specifically on the overlap structure and on parallel implementation strategy.
The high-level overlap picture
FedRAMP Rev 5 publishes three baselines — Low, Moderate, and High — drawn from NIST SP 800-53 Rev 5 and NIST 800-53B. The Low baseline covers roughly 130 controls, Moderate roughly 320, High roughly 410. Each baseline includes a set of controls and a set of enhancements; enhancements add depth to existing controls. FedRAMP authorizations are granted at one of the three baselines, with the impact category determined by the sensitivity of the data and the criticality of the workload to the using agency.
DoD IL5 under CSP SRG v1r3 is the FedRAMP High baseline plus a National Security Systems overlay drawn from CNSSI 1253. The overlay adds approximately 170 controls and enhancements that address NSS-specific concerns — workforce vetting, supply chain integrity, cryptographic boundary depth, incident coordination with DoD components, and continuous monitoring rigor calibrated for mission-critical CUI. The total IL5 v1r3 control population sits at roughly 580 controls and enhancements, of which the FedRAMP High portion is approximately 410.
That arithmetic produces the high-level overlap claim: roughly 70-80% of Rev 5 High implementation satisfies IL5 v1r3 requirements directly, depending on how the boundary is scoped and how mature the CSP’s evidence production is. The remaining 20-30% — the v1r3 overlay and the depth additions to existing controls — is where the IL5-specific work concentrates.
The percentage is real but is also misleading if read alone. The 20-30% is not evenly distributed. It is heavily concentrated in specific control families, with several families showing near-complete overlap and a smaller number of families showing significant additions. A CSP that scopes the IL5 work as “another twenty percent on top of FedRAMP” without understanding the family-level distribution typically under-resources the families that absorb the delta.
Overlap by control family
The table below summarizes where the overlap is strongest and where the v1r3 overlay concentrates additional work. Percentages reflect our practitioner experience across recent engagements and should be read as planning estimates, not precise mappings.
| Control Family | Rev 5 High → IL5 v1r3 Overlap | Where IL5 v1r3 Adds |
|---|---|---|
| Access Control (AC) | ~85% | US-citizen operator verification for privileged access; NSS-grade MFA enforcement on internal trust zones |
| Audit and Accountability (AU) | ~80% | Extended retention for NSS-categorized events; additional DoD-specific event types; integration with DoD incident reporting |
| Awareness and Training (AT) | ~90% | DoD-specific role-based training content; annual NSS awareness module |
| Configuration Management (CM) | ~75% | DoD-specific configuration baselines (DISA STIGs as the assessable artifact); tighter change approval for NSS components |
| Contingency Planning (CP) | ~85% | Recovery objectives calibrated for NSS mission criticality; coordination with DoD continuity authorities |
| Identification and Authentication (IA) | ~80% | NSS-grade authenticator strength; PIV/CAC integration for federal operators; tighter authenticator lifecycle |
| Incident Response (IR) | ~70% | DoD-specific incident categorization; 72-hour DFARS reporting; coordination with DoD CC SRG sponsor and US Cyber Command |
| Maintenance (MA) | ~85% | US-citizen verification for maintenance personnel with logical or physical access |
| Media Protection (MP) | ~85% | NSS media handling and sanitization to DoD-specific standards |
| Physical and Environmental Protection (PE) | ~90% | Largely overlapping; data center facility requirements align between Rev 5 High and IL5 |
| Planning (PL) | ~85% | Stacked SSP structure with IL5 overlay artifacts; explicit NSS classification handling |
| Personnel Security (PS) | ~60% | US-citizen verification at privileged-access roles; Tier 3 investigations for IL5 operators; tightened personnel security recurring review |
| Risk Assessment (RA) | ~85% | DoD-specific threat modeling inputs; FOCI considerations in vendor risk assessment |
| Security Assessment and Authorization (CA) | ~80% | DISA Provisional Authorization workflow; DoD-specific assessment artifact expectations |
| System and Communications Protection (SC) | ~70% | FIPS 140-validated cryptography at every internal trust zone, not just external; expanded boundary protection for DoD egress |
| System and Information Integrity (SI) | ~80% | DoD-specific malicious code protection and signature sources; tighter monitoring for NSS components |
| Supply Chain Risk Management (SR) | ~65% | Hardware provenance for NSS components; SBOM with NSS-categorized component flagging; FOCI mitigation documentation |
| Privacy (PT) | ~90% | Largely overlapping; PII handling for federal personnel records integrated with NSS classification |
Several patterns stand out.
Personnel Security (PS) and System and Communications Protection (SC) are the two families with the largest delta and consequently the most concentrated implementation work. PS absorbs the US-citizen operator verification workflow, the Tier 3 investigation tracking, and the access reconciliation that the FedRAMP High baseline does not require at the same depth. SC absorbs the FIPS 140 boundary enforcement at every internal trust zone — a substantive architectural commitment that is harder to retrofit than to design in.
Supply Chain Risk Management (SR) and Incident Response (IR) form a second tier. SR expands meaningfully to address FOCI and NSS hardware provenance; IR requires DoD-specific cadence and coordination that civilian FedRAMP authorizations do not exercise.
Configuration Management (CM) carries an overlooked delta. The IL5 v1r3 baseline expects DISA Security Technical Implementation Guides (STIGs) as the assessable configuration artifact for in-boundary systems, with documented STIG compliance evidence per system class. CSPs operating CIS-based baselines for FedRAMP find that the STIG transition is mechanical but evidence-heavy, and frequently underestimate the work required to produce STIG compliance reports across the boundary.
Audit and Accountability (AU) and Identification and Authentication (IA) carry smaller deltas but real ones. AU extends retention windows for NSS-categorized events beyond FedRAMP’s baseline and adds DoD-specific event types tied to incident reporting workflows. IA pushes authenticator strength higher for NSS operators and integrates PIV/CAC for federal operators with privileged access.
The remaining families — Awareness and Training, Contingency Planning, Physical and Environmental Protection, Planning, Privacy — show overlap in the 85-90% range and absorb relatively modest v1r3-specific additions. They are not zero work, but they are not the families that drive IL5 schedules.
Where IL5 v1r3 substantially diverges from Rev 5 High
The family-level table understates the impact of a handful of specific divergences that consistently drive the bulk of v1r3-specific implementation work. These are worth calling out individually.
US-citizen operator verification for privileged access
The single most expensive divergence. The control language exists in FedRAMP at a different depth; what v1r3 adds is the verification workflow expectation. Every individual with privileged access to the IL5 authorization boundary must be a verified US citizen, with the verification produced by an HR-integrated workflow, reconciled monthly against the active access list, and supported by an exception workflow for narrowly scoped non-citizen access. For CSPs with globally distributed engineering teams, this is a personnel and HR program before it is a control implementation. We have covered the operational pattern in depth in the IL5 controls that burn CSPs first.
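The monthly reconciliation described above, as an added illustration that is not code from this article or from any DISA or FedRAMP tooling: it classifies every privileged account against an HR citizenship feed and an exception register, so the review produces one finding per account. The record layouts, field names, the 365-day re-verification window and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed (constructed layout for this example)."""
    user: str
    citizenship_verified: bool
    verified_on: Optional[date]      # date HR completed verification, None if never


@dataclass(frozen=True)
class AccessException:
    """A narrowly scoped, time-bound approval for non-citizen privileged access."""
    user: str
    scope: str
    approved_by: str
    expires: date


FINDING_KINDS = ("ok", "covered_by_exception", "no_hr_record",
                 "unverified_no_exception", "verification_stale",
                 "exception_expired", "orphan_exception")


def reconcile(privileged: Set[str], hr: Dict[str, HrRecord],
              exceptions: Dict[str, AccessException], as_of: date,
              max_age: timedelta = timedelta(days=365)) -> Dict[str, List[str]]:
    """Classify every privileged account exactly once so the monthly review
    yields one finding per account and the 'ok' list proves full coverage."""
    findings: Dict[str, List[str]] = {k: [] for k in FINDING_KINDS}
    for user in sorted(privileged):
        rec = hr.get(user)
        exc = exceptions.get(user)
        if rec is None:
            findings["no_hr_record"].append(user)            # IAM/HR mismatch
        elif rec.citizenship_verified and rec.verified_on is not None:
            if as_of - rec.verified_on > max_age:
                findings["verification_stale"].append(user)  # needs re-verification
            else:
                findings["ok"].append(user)
        elif exc is None:
            findings["unverified_no_exception"].append(user)  # access must be removed
        elif exc.expires < as_of:
            findings["exception_expired"].append(user)
        else:
            findings["covered_by_exception"].append(user)
    # An exception whose holder no longer has privileged access should be retired,
    # or it silently re-authorizes the account if access is granted again later.
    findings["orphan_exception"] = sorted(set(exceptions) - privileged)
    return findings


def sample_run(as_of: date = date(2025, 9, 1)) -> Dict[str, List[str]]:
    """Constructed sample data: an IAM privileged-account export plus an HR feed."""
    privileged = {"alice", "bob", "carol", "dave", "erin", "gina"}
    hr = {
        "alice": HrRecord("alice", True, date(2025, 3, 10)),   # verified, current
        "bob":   HrRecord("bob", True, date(2024, 1, 15)),     # verified, over a year old
        "carol": HrRecord("carol", False, None),               # non-citizen, valid exception
        "dave":  HrRecord("dave", False, None),                # non-citizen, no exception
        "gina":  HrRecord("gina", False, None),                # non-citizen, lapsed exception
        "frank": HrRecord("frank", False, None),               # no longer privileged
    }
    exceptions = {
        "carol": AccessException("carol", "CI runner, read-only", "ciso", date(2025, 12, 31)),
        "gina":  AccessException("gina", "log pipeline", "ciso", date(2025, 6, 30)),
        "frank": AccessException("frank", "legacy ops", "ciso", date(2025, 12, 31)),
    }
    return reconcile(privileged, hr, exceptions, as_of)
```

The output of `sample_run()` is the kind of per-account evidence the monthly review needs to retain; "erin" (privileged with no HR record at all) is the case that most often surfaces only at assessment time.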
FIPS 140-validated cryptography at every cryptographic boundary
FedRAMP Rev 5 expects FIPS 140-2 or 140-3 CMVP-validated cryptography at external trust boundaries and for the protection of data at rest. IL5 v1r3 expects validated cryptography at every cryptographic boundary, including internal trust zones — service-to-service communication within the boundary, internal data flows between availability zones, internal API authentication tokens, internal queue and message bus encryption. CSPs running a single CMVP-validated module at the edge with non-validated TLS for internal traffic pass FedRAMP and fail IL5 v1r3 on this dimension. The fix is architectural and is harder to retrofit than to design in.
Specific incident response coordination with DoD CC SRG sponsor
Incident response under FedRAMP coordinates with the sponsoring Agency and FedRAMP PMO. Incident response under IL5 v1r3 adds coordination with the DoD CC SRG sponsor, with the affected DoD component’s security team, and with US Cyber Command for specific incident categories. The coordination is on a faster cadence — DFARS 7012’s 72-hour notification window applies, and DoD customers typically expect same-day notification for incidents touching their workloads. Building the operational workflow for DoD-cadence incident response is a quarter or two of work past what FedRAMP exercises.
National Security Systems classification handling
IL5 v1r3 explicitly handles National Security Systems categorization for in-scope workloads. The CSP’s data classification scheme has to accommodate NSS designation, the SSP has to document NSS data flows, and the data handling workflows (storage, transit, deletion, sanitization) have to address NSS-specific requirements. FedRAMP High does not exercise this dimension.
Additional supply chain provenance for hardware
The Supply Chain Risk Management family in FedRAMP Rev 5 expanded meaningfully from Rev 4 — SBOM, provenance documentation, criticality analysis. IL5 v1r3 adds NSS-specific provenance expectations for hardware components in the authorization boundary, including documentation of country-of-origin and FOCI status for hardware vendors. For CSPs built on AWS, Azure, or Oracle US Government Cloud, this is mostly inherited from the underlying provider’s authorization — but the CSP has to document the inheritance, not assume it.
DoD-specific continuous monitoring cadence
FedRAMP continuous monitoring runs on a defined cadence — monthly vulnerability scans, quarterly POA&M updates, annual assessment. IL5 v1r3 cadence varies in specific dimensions, with some monitoring categories at tighter cadences and DoD-specific reporting deliverables added to the monthly package. The operational program has to be tuned to the IL5 cadence; running the FedRAMP cadence and treating IL5 as identical produces continuous monitoring findings at assessment time.
Right-to-pentest grants for IL6 environments
v1r3 grants DoD the right to perform internal and external penetration testing on IL6 hosting environments — a notable expansion of government testing authority that does not directly apply at IL5 but signals the direction of DoD assessor expectations. CSPs planning IL6 should design for the right-to-pentest reality from the start; CSPs at IL5 should expect the same expansion to be considered for future SRG revisions.
Parallel implementation strategy
For a CSP starting from scratch with both authorizations in scope, parallel implementation is usually the right call. The economics, the documentation overhead, and the evidence pipeline all favor a single integrated program over two sequential ones.
Documentation pattern: stacked SSPs with a single source of truth
The pattern that works in practice is a single canonical System Security Plan that documents the FedRAMP High implementation in full, with a v1r3 overlay annex that documents the IL5-specific controls and enhancements. The canonical SSP is the source of truth; the overlay annex inherits from it and adds NSS-specific content. The 3PAO assesses against the canonical SSP for FedRAMP and against the canonical SSP plus the overlay for IL5.
This pattern avoids the most common failure mode of running parallel authorizations — two SSPs that drift out of sync, requiring duplicate maintenance and producing contradictory descriptions of the same control. A single canonical SSP with an overlay annex is also what assessors and authorization sponsors increasingly expect, given that the underlying control catalog (NIST 800-53 Rev 5) is shared.
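The stacked-SSP assembly described above, as an added illustration that is not code from this article or from any assessor tooling: the canonical FedRAMP High SSP is the source of truth, the overlay annex may only add v1r3-only controls or extend canonical ones, and anything that would redefine or merely restate a canonical control is reported as drift rather than merged. The entry layout, the "add"/"extend" vocabulary, the implementation statements and the placeholder control ids are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# canonical: control id -> implementation statement (FedRAMP High, source of truth)
# overlay:   control id -> ("add" | "extend", IL5-specific text)


def build_il5_ssp(canonical: Dict[str, str],
                  overlay: Dict[str, Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective IL5 control set, drift findings). Canonical text always
    wins: the overlay never overwrites a control description it did not own."""
    effective = dict(canonical)          # IL5 inherits every canonical control verbatim
    findings: List[str] = []
    for cid, (action, text) in sorted(overlay.items()):
        if action == "add":
            if cid in canonical:
                # The overlay re-describes a control the canonical SSP already owns:
                # exactly the drift that produces contradictory control descriptions.
                findings.append(f"{cid}: overlay 'add' shadows canonical control; use 'extend'")
                continue
            effective[cid] = f"[IL5 overlay] {text}"
        elif action == "extend":
            if cid not in canonical:
                findings.append(f"{cid}: overlay extends a control absent from canonical SSP")
                continue
            if text.strip() == canonical[cid].strip():
                findings.append(f"{cid}: overlay restates canonical text; add NSS-specific content or drop")
                continue
            effective[cid] = canonical[cid] + "\n[IL5 addition] " + text
        else:
            findings.append(f"{cid}: unknown overlay action {action!r}")
    return effective, findings


def sample_run() -> Tuple[Dict[str, str], List[str]]:
    """Constructed sample: four canonical controls and a small overlay annex."""
    canonical = {
        "AC-2": "Accounts provisioned through the IdP; quarterly access review.",
        "SC-8": "TLS 1.2+ using a CMVP-validated module at the external boundary.",
        "PS-3": "Background screening per HR policy before access is granted.",
        "IR-6": "Incidents reported to the sponsoring agency and FedRAMP PMO.",
    }
    overlay = {
        "SC-8": ("extend", "Validated module enforced on every internal trust zone."),
        "PS-3": ("extend", "US-citizen verification reconciled monthly against access list."),
        "IR-6": ("add", "Notify DoD CC SRG sponsor within the 72-hour window."),  # should be 'extend'
        "AC-2": ("extend", "Accounts provisioned through the IdP; quarterly access review."),  # no-op
        "NSS-PLACEHOLDER-1": ("add", "NSS data flows documented in the overlay annex."),  # v1r3-only id (placeholder)
        "XX-0": ("extend", "Extends a control the canonical SSP never defined."),  # placeholder id
    }
    return build_il5_ssp(canonical, overlay)
```

Running the drift check on every SSP build keeps the annex honest: the two "extend" entries merge, the placeholder "add" lands, and the three malformed entries are reported instead of silently producing a second, contradictory description.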
Evidence pipeline: produce once, serve both
The continuous monitoring program produces vulnerability scan results, configuration assessment reports, change records, POA&M updates, and incident reports on a defined cadence. For a parallel implementation, the cadence is calibrated to the more aggressive of the two authorizations (IL5 v1r3) and the artifacts are tagged for both FedRAMP and IL5 consumption. The same monthly vulnerability scan satisfies both authorizations; the same POA&M serves both authorization packages; the same incident report goes into both notification workflows with the IL5-required additional content.
This produces a roughly 10-15% increase in evidence production cost over the FedRAMP-alone baseline, against the 80-100% increase that two separately maintained pipelines would impose. The savings compound annually as the continuous monitoring program runs.
Cost economics
Our practice experience for CSPs starting both authorizations together: parallel implementation runs roughly 1.3x to 1.5x the cost of FedRAMP Rev 5 High alone. Sequential implementation — FedRAMP first, IL5 added later — typically runs 1.8x to 2.2x because evidence and documentation produced for FedRAMP have to be retrofitted to IL5 expectations and the operational program has to be re-tuned for DoD cadence. The parallel approach pays its incremental cost upfront and avoids the retrofit work; the sequential approach defers cost but pays a multiplier later.
The constraint on parallel implementation is engineering depth. Running both tracks simultaneously requires a federal operations team capable of producing IL5-grade evidence from the start, an architectural commitment to FIPS 140 at every cryptographic boundary, and a personnel security workflow that handles US-citizen verification cleanly. CSPs without that depth typically run sequentially even when the economics would favor parallel.
Sequence recommendations
Three sequencing paths cover most situations. The right choice depends on customer pipeline timing, engineering depth, and capital position.
Path A: Rev 5 Moderate, then High, then IL5
The longest-runway path. Rev 5 Moderate first opens the broader federal civilian market (roughly 80% of federal agency workloads classify as Moderate), Rev 5 High expands the addressable customer base, and IL5 follows when the DoD opportunity materializes. Typical timeline: 18 months for Moderate, 6-9 months for the High uplift, 9-12 months for the IL5 overlay. Total 33-39 months end-to-end.
This path fits CSPs with a broad federal civilian pipeline who may not need DoD for 18-24 months. It is the most capital-efficient option for organizations whose first federal customers are civilian agencies. The risk: if the DoD opportunity arrives early, the CSP either has to compress the schedule or pass on the opportunity. CSPs on this path typically design for the IL5 endpoint from the FedRAMP Moderate stage — boundary in GovCloud, FIPS 140 selection, US-citizen workforce planning — even though IL5 is years out.
Path B: Rev 5 High first, then IL5 in parallel
The DoD-aware path. The CSP pursues Rev 5 High as the foundation, with IL5 v1r3 work scoped from the start and the FedRAMP High SSP designed to accept the IL5 overlay annex. The High authorization typically lands 6-9 months ahead of the IL5 authorization; the overlapping work in the final stretch overlays cleanly. Typical timeline: 18-24 months for High, 6-9 additional months for IL5 overlay completion. Total 24-33 months end-to-end.
This path fits CSPs with a known DoD opportunity that requires IL5 and who also want broader federal applicability. It is the most common parallel pattern we see in practice. The risk: starting High when Moderate would have served opens additional control implementation work upfront; CSPs whose immediate revenue pipeline does not require High should consider whether the upfront cost is justified by the IL5 timeline savings.
Path C: IL5-ready architecture from day one, certify Rev 5 along the way
The DoD-primary path. The architecture, personnel program, supply chain documentation, and continuous monitoring program are designed for IL5 v1r3 from the start. FedRAMP Rev 5 authorizations (Moderate or High, depending on customer demand) are certified along the way as side effects of the underlying IL5 work. Typical timeline: 24-30 months to IL5 with Rev 5 High landing approximately 6 months ahead.
This path fits CSPs whose primary customer is DoD and where FedRAMP is a downstream benefit. The risk: the upfront architectural commitment is the most expensive of the three paths and locks in a number of decisions (US-only personnel boundary, FIPS 140 everywhere, GovCloud-only deployment) that constrain commercial product flexibility. CSPs without committed DoD revenue should not select this path on speculation.
Common mistakes when stacking authorizations
Four patterns we see consistently in CSPs running both authorizations.
Treating the IL5 overlay as documentation work. The single biggest error. The v1r3 overlay is operational work — personnel security workflow, internal FIPS 140 architecture, DoD-cadence continuous monitoring, supply chain provenance evidence. Producing the documentation without producing the underlying operational implementation is the fastest path to assessment failure.
Running two independent SSPs. Two SSPs drift out of sync within a quarter. Maintenance becomes a duplicate effort, and assessors lose confidence in the documentation when the FedRAMP SSP and the IL5 SSP describe the same control differently. A single canonical SSP with an overlay annex is the only pattern we recommend.
Underestimating the personnel program. US-citizen verification, Tier 3 investigation tracking, contractor onboarding workflow — these are HR and operations problems that take months to execute. CSPs who discover the workforce dimension during IL5 assessment, rather than during FedRAMP boundary design, consistently lose quarters to personnel restructuring.
Letting continuous monitoring lag the IL5 cadence. The FedRAMP cadence is not the IL5 cadence. CSPs who run a FedRAMP-cadence ConMon program and then accelerate at IL5 assessment time produce findings on continuous monitoring maturity. The cadence has to be set at IL5 from the start, with the FedRAMP authorization inheriting the tighter cadence as a positive side effect.
When a single 3PAO covers both versus when separate 3PAOs are needed
A single 3PAO can cover both authorizations if they are accredited for FedRAMP and have substantive DoD CC SRG assessment experience. Most of the major 3PAOs hold both credentials. The practical question is whether the same audit team can carry the IL5 v1r3 overlay work.
We see two patterns. The cleaner pattern is a single 3PAO with an integrated audit team that runs both assessments in coordinated phases — FedRAMP assessment completes first, IL5 overlay assessment follows immediately with the same team retaining context. This minimizes the boundary inconsistency risk and produces faster IL5 completion because the assessor does not have to re-orient to the environment.
The less clean pattern is a single 3PAO firm with internally separated FedRAMP and DoD assessment teams. The firm holds both credentials, but the teams that perform the assessments are different. This works but adds coordination overhead — the IL5 team has to ingest the FedRAMP team’s findings and re-confirm control implementations they did not assess directly. CSPs choosing a single 3PAO should confirm team continuity early, ideally during 3PAO selection.
Using separate 3PAOs, one per authorization, is occasionally appropriate when the FedRAMP 3PAO does not have DoD experience or vice versa. The coordination cost is real but manageable if the SSP is canonical and the evidence pipeline is shared.
Operational reality post-authorization
Maintaining both authorizations is more work than maintaining FedRAMP Rev 5 alone. The continuous monitoring cadence runs at the IL5 tempo, the POA&M serves both authorizations with NSS-tagged items handled with IL5 priority, the personnel security workflow runs continuously rather than at hiring events, and the incident response workflow has to handle both FedRAMP and DoD notification paths.
In rough numbers: a steady-state FedRAMP Rev 5 High program with a mature ConMon function runs at roughly 1.0x its baseline operational cost. Adding IL5 maintenance on top runs the program at roughly 1.4x to 1.6x — substantially less than running two separate programs (which would approach 2.0x) but meaningfully more than FedRAMP alone. The incremental cost is concentrated in personnel security workflow, FIPS 140 inventory maintenance, and DoD-cadence reporting.
The operational reality matters because the cost case for IL5 has to clear this hurdle, not just the initial authorization cost. CSPs who underestimate the steady-state cost of maintaining both authorizations sometimes pursue IL5 prematurely and then discover the ongoing program is too expensive to sustain without the DoD revenue justifying it. The right framing: IL5 is a multi-year program commitment, not a project.
When to engage
For CSPs considering parallel Rev 5 and IL5 v1r3 implementation, the highest-value engagement window is during initial boundary and architecture design — before the first SSP draft is written, before GovCloud region selection is finalized, before the federal operations team is sized. Decisions made at that stage drive the parallel-versus-sequential economics and the steady-state operational cost more than any later optimization.
For CSPs already at Rev 5 High and starting IL5 v1r3 work, the most useful engagement is on the overlay structure — designing the v1r3 annex to inherit cleanly from the canonical SSP, scoping the FIPS 140 internal boundary work, and sequencing the personnel security workflow. This is where most CSPs spend more time than they need to, and where outside experience compresses the path.
Our FedRAMP and DoD CC SRG practice runs both tracks — FedRAMP Rev 5 across all baselines, DoD CC SRG IL2 through IL6 — with a focus on parallel implementation where the customer pipeline supports it. A scoping call usually surfaces the right sequencing path in about thirty minutes.
Related reading: FedRAMP Rev 5 transition · FedRAMP to IL4/IL5 upgrade path · Inside an IL5 assessment: controls that burn CSPs first · FedRAMP Moderate realistic timeline · FedRAMP framework overview · DoD CC SRG framework overview