Fortinetics

FedRAMP to DoD CC SRG IL4 and IL5: the upgrade path most CSPs underestimate

How to sequence FedRAMP Moderate → Impact Level 4 → Impact Level 5 authorizations so DoD work does not require rebuilding the authorization package twice. Covers DoD-specific controls, DISA PA, Agency vs JAB sponsorship, and where CSPs repeatedly underestimate the incremental scope.

A commercial Cloud Service Provider entering the federal market typically starts with FedRAMP Moderate. It is the right choice — roughly eighty percent of federal agency workloads classify as Moderate, a Moderate authorization opens a large addressable customer base, and the technical bar is aggressive but achievable in twelve to eighteen months.

Then the DoD opportunity arrives. An Agency sponsor mentions Impact Level 4. A prime asks whether the service is authorized at IL5. Somebody on the product team asks if the existing FedRAMP Moderate authorization “counts.” The answers are nuanced in ways that matter, and the most common CSP mistake is treating IL4/IL5 as a rubber stamp on top of a completed FedRAMP — when in practice, sequencing and scoping decisions made at FedRAMP time significantly affect whether the IL4/IL5 path takes six months or eighteen.

This article is for the CSP that is either already FedRAMP-Moderate-authorized, or approaching Moderate assessment, and wants to understand the DoD upgrade path before committing to a roadmap.

The stack: FedRAMP, DoD CC SRG, DISA PA

The easiest framing is to think of the authorization structure as three stacked layers.

FedRAMP is the federal-wide baseline. It authorizes a cloud service to process federal unclassified data at a chosen impact baseline (Low, Moderate, or High). The authorization is issued by an Agency (Agency ATO) or the Joint Authorization Board (JAB P-ATO) after a 3PAO-performed Security Assessment.

DoD Cloud Computing Security Requirements Guide (CC SRG) is the DoD’s overlay. It layers DoD-specific controls on top of a FedRAMP authorization. It does not replace FedRAMP — it extends it. The CC SRG defines six Impact Levels:

  • IL2 covers low-impact, non-controlled unclassified DoD information. IL2 authorization is effectively equivalent to FedRAMP Moderate, with very minor DoD differences.
  • IL4 covers Controlled Unclassified Information (CUI) for DoD workloads. FedRAMP Moderate is the foundation; IL4 adds DoD-specific controls.
  • IL5 covers mission-critical CUI and unclassified National Security Systems. FedRAMP Moderate (sometimes Moderate+) or High is the foundation; IL5 adds more DoD-specific controls, including US-citizen operator requirements for certain components.
  • IL6 covers classified Secret workloads and requires SIPRNet-connected infrastructure.

DISA Provisional Authorization (PA) is the artifact you receive. The Defense Information Systems Agency issues the PA after reviewing your IL4 or IL5 package. DoD customers then issue their own DoD ATOs on top of your DISA PA, for their specific workloads.

The sequencing that works is FedRAMP first, then DISA PA at your target Impact Level, then DoD customer ATOs on top. Attempting IL4/IL5 without FedRAMP completed first is possible in specific cases but typically extends the timeline significantly.

Where most CSPs under-scope the delta

The seductive story is that IL4 is “FedRAMP Moderate plus a few DoD controls.” That is technically true. In practice, the “few” DoD controls include obligations that require real architectural decisions, and three of them consistently surprise first-time CSPs.

Data residency and sovereignty. DoD requires all in-scope data, processing, and administrative access to reside within US borders. “We use AWS US-East-1” is not sufficient — the auditor wants to see every dependency, every integration, every piece of operational tooling, documented as US-resident. Third-party SaaS tools in your operations stack (ticketing, monitoring, collaboration) that route through non-US infrastructure become explicit findings. A common fix is provisioning US-only instances of those tools, or replacing them with US-only alternatives.

US-citizen-only administrative access (for IL5). At IL5 and above, anyone with privileged access to the authorization boundary must be a US citizen. Non-citizen engineers on your team cannot hold production admin. This is not a policy you add at assessment time — it is a personnel and HR decision that takes months to execute cleanly. CSPs with globally distributed SRE teams discover this requirement mid-program and spend quarters restructuring on-call and deployment workflows.

Deployment location. IL4 permits standard commercial GovCloud regions (AWS GovCloud, Azure Government, sometimes Oracle US Government Cloud). IL5 typically requires more restricted environments — AWS GovCloud with additional isolation, Azure Government DoD/GCC High, or specific AWS Secret Region for cleared workloads. The CSP has to decide which cloud regions to support for each Impact Level, and those decisions drive service-catalog and pricing decisions for the commercial product.

Sequencing that saves six months

The biggest time saver is designing the authorization boundary with the IL5 endpoint in mind, even during FedRAMP Moderate planning. Specifically:

Design the System Security Plan for the harder case, not the easier one. If there is a plausible chance you will pursue IL4 or IL5 within eighteen months, write the FedRAMP SSP with boundary definitions and data-flow documentation that would hold up under DoD scrutiny. This means being explicit about US-only processing paths, clearly documenting which components handle CUI, and using DoD-compatible cryptographic modules (FIPS 140-2 or 140-3 CMVP-validated) from day one.

Select GovCloud from day one. Deploying FedRAMP Moderate to commercial cloud and then re-deploying to GovCloud for IL4 is a significant architectural rework. Deploying to GovCloud for FedRAMP Moderate adds marginal cost at the time but eliminates a migration project later.

Source US-citizen operators for the boundary during FedRAMP preparation. If you can staff the authorization boundary with US citizens during FedRAMP, the transition to IL5 (if pursued) does not require a personnel restructure. CSPs that grow their federal operations team with IL5 in mind find this easier than those who discover the requirement later.

Pre-coordinate the DISA PA timeline with your Agency sponsor. Agency ATO and DISA PA processes are independent. Many CSPs discover that completing FedRAMP Moderate does not automatically trigger DISA review — it requires a separate submission to DISA, a distinct review cycle (typically 3-6 months), and acceptance by your first DoD customer. Start that conversation with the Agency sponsor during FedRAMP so the DISA path is active when Moderate wraps.

Agency ATO versus JAB P-ATO for the foundation

The FedRAMP foundation that supports IL4/IL5 can come from either path — Agency ATO issued by a sponsoring agency, or JAB P-ATO issued by the Joint Authorization Board. Both work. The tradeoffs matter.

Agency ATO is typically faster for a first authorization (6-12 months vs. 18-24 for JAB). An Agency sponsor is a specific federal customer that commits to using your service and sponsors your authorization. The ATO is technically portable to other agencies but each new agency reviews the package on its own timeline. For a CSP with a specific DoD opportunity, an Agency ATO from the DoD agency you are selling into is the fastest path to revenue.

JAB P-ATO is slower but more broadly portable. It does not require a specific Agency sponsor, and once issued, the authorization is recognized across all federal agencies with minimal per-agency review. For CSPs targeting broad federal market presence, JAB is the stronger strategic choice — but the JAB prioritization list is competitive, and recently JAB has been selective about what gets sponsored. Budget for a twelve-to-twenty-four-month process with no guarantee.

For DoD specifically, Agency ATO from a DoD customer combined with DISA PA at your target Impact Level is usually the right sequence. JAB is not required for DoD work; DISA PA plus an Agency ATO covers most DoD procurement scenarios.

What CSPs wish they had known six months earlier

Five themes recur in our engagements with CSPs that entered FedRAMP and then began IL4/IL5 work six to eighteen months later:

First, the boundary definition is load-bearing for the entire authorization lifecycle. Rework at assessment time is expensive. Design conservatively and explicitly.

Second, continuous monitoring is not an afterthought. DoD has specific expectations about monthly deliverables — vulnerability scan results, POA&M updates, system change notifications. Building the operational muscle for ConMon during FedRAMP is substantially easier than retrofitting it during IL4.

Third, FIPS 140-2 or 140-3 CMVP validation is real, and “FIPS-compliant” is not the same thing. Every cryptographic module in the authorization boundary must have a documented CMVP certificate. CSPs using third-party libraries (TLS implementations, disk encryption, key management) need to verify each one; the audit team will request certificates during assessment.
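The two audit checks described above (every dependency documented as US-resident, and a CMVP certificate number rather than a "FIPS-compliant" claim for every cryptographic module) can be turned into a pre-assessment readiness script. The following is an added example, not tooling from the article or from any CSP. It assumes AWS-style region names (us-gov-* for GovCloud, us-* for commercial; anything else is treated as not documented as US-resident), treats a CMVP certificate as a plain certificate number, and runs over a constructed inventory with placeholder certificate values. The GovCloud rule for CUI-handling components at IL4 and above is a simplification of the article's deployment-location point.

```python
"""Boundary inventory readiness check (added example, not the article's tooling).

Applies two auditor checks from the article to an inventory of components:
  1. every component's region must be documented as US-resident, and at IL4+
     components that handle CUI are expected in a GovCloud region;
  2. every cryptographic module must carry a CMVP certificate number.
Region naming is an assumption (AWS style only); the inventory is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: only AWS region naming is modelled. Other clouds fall through to
# "non-us-or-unknown", which is the conservative answer for a residency audit.
AWS_GOVCLOUD = re.compile(r"^us-gov-(east|west)-\d+$")
AWS_US_COMMERCIAL = re.compile(r"^us-(east|west)-\d+$")
# A CMVP certificate is referenced by a number; a textual "FIPS compliant"
# claim carries no number and deliberately fails this pattern.
CMVP_CERT = re.compile(r"^\d{3,5}$")


@dataclass
class Component:
    name: str
    region: str                          # cloud region the component runs in
    handles_cui: bool = False            # does it store or process CUI?
    crypto_module: Optional[str] = None  # crypto module name, if it does crypto
    cmvp_cert: Optional[str] = None      # CMVP certificate number on file, if any


def residency_class(region: str) -> str:
    """Classify a region string as govcloud, us-commercial, or unknown/non-US."""
    if AWS_GOVCLOUD.match(region):
        return "govcloud"
    if AWS_US_COMMERCIAL.match(region):
        return "us-commercial"
    return "non-us-or-unknown"


def check_boundary(components: List[Component], impact_level: int) -> List[str]:
    """Return one finding string per residency or CMVP gap in the inventory."""
    findings: List[str] = []
    for c in components:
        cls = residency_class(c.region)
        # All impact levels: data, processing and admin tooling must be US-resident.
        if cls == "non-us-or-unknown":
            findings.append(f"{c.name}: region {c.region!r} is not documented as US-resident")
        # IL4 and above: CUI-handling components are expected in GovCloud.
        elif impact_level >= 4 and c.handles_cui and cls != "govcloud":
            findings.append(
                f"{c.name}: handles CUI at IL{impact_level} but runs in commercial region {c.region}"
            )
        # Every crypto module needs a certificate number, not a compliance claim.
        if c.crypto_module and not (c.cmvp_cert and CMVP_CERT.match(c.cmvp_cert)):
            findings.append(f"{c.name}: crypto module {c.crypto_module!r} has no CMVP certificate on file")
    return findings


def runtime_fips_enforced() -> bool:
    """True if the host's OpenSSL refuses a non-approved digest (MD5) for
    security use, which is what a FIPS-mode build does. The result depends on
    the host it runs on; it is supporting evidence, not a CMVP certificate."""
    try:
        hashlib.md5(b"", usedforsecurity=True)
        return False
    except ValueError:
        return True


# Constructed inventory; certificate numbers are placeholders, not real CMVP entries.
SAMPLE_INVENTORY = [
    Component("api-tier", "us-gov-west-1", handles_cui=True,
              crypto_module="OpenSSL FIPS provider", cmvp_cert="1234"),
    Component("analytics-db", "us-east-1", handles_cui=True,
              crypto_module="disk encryption", cmvp_cert=None),
    Component("ticketing-saas", "eu-west-1"),
    Component("build-runner", "us-gov-east-1",
              crypto_module="vendor TLS stack", cmvp_cert="FIPS compliant"),
]

if __name__ == "__main__":
    for line in check_boundary(SAMPLE_INVENTORY, impact_level=4):
        print("FINDING:", line)
    print("runtime FIPS enforcement on this host:", runtime_fips_enforced())
```

Run against the sample inventory at IL4, the script reports four findings: the analytics database handling CUI in a commercial region, the same database's disk encryption with no certificate on file, the ticketing tool outside the US, and the build runner's "FIPS compliant" claim that carries no certificate number. At IL2 the commercial-region finding drops away and the other three remain, which is exactly the incremental scope the article says CSPs under-estimate.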

Fourth, sponsor relationships matter more than the technical package. A strong Agency sponsor advocating for your authorization moves schedules; a weak sponsor relationship produces delays. Treat sponsor communication as a program deliverable.

Fifth, US-citizen operator requirements at IL5 are a people problem before they are a technical one. Start addressing it early.

The practical sequence

For a CSP planning to reach IL5 within three years:

  • Year 1: Plan FedRAMP Moderate with IL4/IL5 in mind (boundary, cloud selection, ConMon architecture). Secure an Agency sponsor with clear DoD connection. Begin FedRAMP Moderate assessment.
  • Year 1.5: Complete FedRAMP Moderate; receive Agency ATO. Begin DISA PA engagement for IL4.
  • Year 2: IL4 DISA PA; begin onboarding DoD customers under the PA. Begin IL5 gap analysis.
  • Year 2.5: Complete personnel/boundary adjustments required for IL5. Submit IL5 package to DISA.
  • Year 3: IL5 DISA PA; onboard mission-critical DoD workloads.

Compressed timelines are possible but require more concurrent work and a well-funded federal operations team. The sequence above is defensible without heroics.

When to engage

The sooner, the better. The decisions that most affect your IL4/IL5 timeline are made during FedRAMP boundary design — sometimes twelve months before the question of DoD even comes up. A scoping call during FedRAMP planning can prevent the most expensive form of rework.

Our FedRAMP and DoD CC SRG practice covers the full ladder from FedRAMP Low through IL6. For CSPs specifically preparing for IL5 assessment, “The eight controls that burn CSPs first in IL5 assessment” breaks down the operational gaps that extend timelines.