Updated June 2026 — DISA’s CSP SRG v1r3 (July 2025) added approximately 170 new controls to IL5 — a ~40% increase over the prior baseline — requiring implementation of National Security Systems controls drawn from CNSSI 1253 on top of the existing FedRAMP High foundation. The SRG also completed the transition from NIST 800-53 Rev 4 to Rev 5 (matching FedRAMP) and granted DoD the right to perform internal and external penetration testing on IL6 hosting environments. The five control-friction categories covered below still burn CSPs first, but the total control scope is now meaningfully larger. Two further June 2026 updates worth flagging: (a) FedRAMP renamed “Authorization” → “Certification” effective May 4, 2026 — IL5 terminology is unchanged, but stacked Rev 5 documentation may now use Certification language for the FedRAMP layer; (b) the June 2, 2026 AI Executive Order directs the Committee on National Security Systems to prioritize NSS cyber defense, which is the substrate IL5 v1r3 controls draw from — expect further IL5 expansion in subsequent SRG revisions. Our Q2 2026 compliance landscape briefing has the full v1r3 delta and June 5 mid-Q2 update. For the overlap between FedRAMP Rev 5 and IL5 v1r3, see our Rev 5 + IL5 overlap article.
Most Cloud Service Providers approaching DoD Impact Level 5 have already completed FedRAMP Moderate and have taken IL4 to a Provisional Authorization. The foundational muscle is there. The expectation going into IL5 is that the assessment will be a managed effort — a delta on top of an existing authorization, graded against a known control baseline.
The reality is that IL5 assessment surfaces problems that FedRAMP and IL4 do not catch. Not because the controls are categorically new — most of them are minor modifications of existing FedRAMP or IL4 controls — but because the evidence bar rises, the testing becomes more operational, and the assessor community focuses on a specific set of control families that most CSPs underestimate.
This article walks through the controls and evidence patterns that consistently extend IL5 assessment schedules. It is written for CSPs preparing for their first IL5 assessment, or in the middle of one and trying to understand why the assessor keeps flagging the same categories.
The context: what IL5 adds
IL5 sits above IL4 in the DoD Cloud Computing Security Requirements Guide. Both handle Controlled Unclassified Information. IL5 is distinguished by the sensitivity of the workloads — mission-critical CUI, unclassified National Security Systems, and CUI whose compromise could have “serious” impact on operations or personnel.
The control delta from IL4 to IL5 is narrower than the delta from FedRAMP Moderate to IL4, but the delta is concentrated in a few high-friction areas. The assessor’s expectation is not that you have additional controls — it is that your existing controls are implemented at a maturity that withstands more operational scrutiny. This framing is important because CSPs approaching IL5 with an “add a few controls” mindset often discover the problem is not the controls; it is the depth of evidence behind them.
Control friction point 1: US-citizen operator verification
The requirement: at IL5 and above, anyone with privileged access to the authorization boundary must be a US citizen. This includes infrastructure administrators, platform operators, on-call responders, deployment operators, security engineers with production access, and anyone whose role grants them privileged keys or administrative console access.
Where it burns CSPs during assessment: the policy is easy to write; the verification is hard. The assessor does not accept a list of names and job titles. They want to see the operational artifact: how do you verify citizenship at onboarding, how do you maintain that status in personnel records, how do you revoke access when somebody’s status changes, and how do you prove that at any given moment every person with privileged access is in fact a US citizen. For distributed engineering organizations, this often means implementing a citizenship verification workflow in HR, integrating that workflow with the identity provider, and producing monthly evidence that the integration works.
A typical finding during first-time IL5 assessment is that the policy exists but the evidence is stale — HR records are not systematically reconciled against access records, contractors have slipped through under looser verification, or the reconciliation runs but produces no documented artifact.
What prepared CSPs do: automated monthly reconciliation between HR status and active privileged access, producing an artifact that shows every access-list entry is backed by a recorded citizenship verification. An exception workflow for the rare case where a non-citizen requires narrowly scoped access, with documentation of the exception rationale and mitigations. Orientation for every new privileged operator that explicitly covers the citizenship requirement.
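The monthly HR-to-IdP reconciliation described above, written out as an added example (not code from the article or from any CSP). It assumes two constructed exports, an HR roster carrying a citizenship-verification flag and an identity-provider list of privileged group members, plus a constructed exception register; every person id, group name and date below is made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class HrRecord:
    person_id: str
    citizenship_verified: bool  # HR completed and recorded a citizenship verification
    employment_active: bool

@dataclass(frozen=True)
class PrivilegedGrant:
    person_id: str
    group: str   # identity-provider group that confers privileged access
    source: str  # "employee" or "contractor"

# Constructed sample exports for the example (not real data).
HR = {
    "u100": HrRecord("u100", True, True),
    "u101": HrRecord("u101", False, True),   # non-citizen with an approved exception
    "u102": HrRecord("u102", True, False),   # terminated, access not yet revoked
    "u104": HrRecord("u104", False, True),   # exception lapsed
}
GRANTS = [
    PrivilegedGrant("u100", "prod-admins", "employee"),
    PrivilegedGrant("u101", "prod-admins", "contractor"),
    PrivilegedGrant("u102", "kms-operators", "employee"),
    PrivilegedGrant("u103", "prod-admins", "contractor"),  # no HR record at all
    PrivilegedGrant("u104", "deploy-operators", "employee"),
]
# Approved, narrowly scoped exceptions: person_id -> expiry date (constructed).
EXCEPTIONS = {"u101": date(2026, 12, 31), "u104": date(2026, 1, 31)}
TODAY = date(2026, 6, 1)  # constructed run date for the example

def reconcile(hr, grants, exceptions, today):
    """Return (person_id, group, finding) for every privileged grant that is not
    backed by an active employee with recorded citizenship verification or by an
    unexpired exception. An empty list is the month's clean artifact."""
    findings = []
    for g in grants:
        rec = hr.get(g.person_id)
        if rec is None:
            findings.append((g.person_id, g.group, "no HR record for privileged grant"))
        elif not rec.employment_active:
            findings.append((g.person_id, g.group, "employment inactive, access not revoked"))
        elif not rec.citizenship_verified:
            expiry = exceptions.get(g.person_id)
            if expiry is None or expiry < today:
                findings.append((g.person_id, g.group, "no citizenship verification and no current exception"))
    return findings

def artifact_lines(findings, today):
    """Render the result as the dated evidence artifact the assessor asks to see."""
    header = f"privileged-access citizenship reconciliation {today.isoformat()}: {len(findings)} finding(s)"
    return [header] + [f"{p} {g}: {why}" for p, g, why in findings]
```

Run monthly, the rendered lines (empty or not) are the retained artifact; a contractor who was never in HR and a terminated operator whose access outlived their employment both surface as findings rather than slipping through.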
Control friction point 2: FIPS 140 cryptographic module boundaries
The requirement: every cryptographic module in the authorization boundary must be FIPS 140-2 or 140-3 CMVP-validated, operating in FIPS mode, with the validation certificate documented.
Where it burns CSPs during assessment: “FIPS-compliant” is not the same as CMVP-validated. A library that implements FIPS-approved algorithms is not a validated cryptographic module unless the specific version has been certified by the Cryptographic Module Validation Program. CSPs who relied on general-purpose cryptographic libraries often discover during assessment that the version they are running does not appear on the CMVP certificate list, even though an earlier or later version does.
A second common issue is that the module is validated but is not operating in FIPS mode. Many cryptographic libraries have a FIPS mode that must be explicitly enabled; the default mode allows non-approved algorithms. The assessor will ask for evidence that FIPS mode is enabled and that non-approved algorithms are disabled — not just the configuration file, but runtime evidence from a representative system.
A third issue is boundary scope. Every place cryptography happens in the system — TLS termination, disk encryption, database encryption, key management, password hashing, session tokens, backup encryption — needs a documented cryptographic module. Gaps in the inventory are common: an encrypted backup that flows through an unvalidated library, service-to-service communication that uses an old TLS implementation, a password-hashing function selected for performance rather than FIPS validation.
What prepared CSPs do: a complete cryptographic module inventory at assessment time, with each module tied to a CMVP certificate and a version evidence pointer. Active monitoring that the deployed version matches the validated version (configuration drift detection). Explicit documentation of FIPS mode enablement and verification that it is active in production.
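The drift check described above, as an added example rather than code from the article. It assumes a constructed inventory in which each module is tied to its validated version and a placeholder CMVP certificate id (real versions and certificate numbers come from the CMVP list), and a constructed evidence feed with one line per host and module, where fips_mode mirrors the Linux /proc/sys/crypto/fips_enabled value.

```python
import re

# Constructed inventory: module -> (validated version, CMVP certificate placeholder).
# Real validated versions and certificate numbers come from the CMVP list.
INVENTORY = {
    "openssl-fips-provider": ("3.0.9", "CMVP-CERT-PLACEHOLDER-1"),
    "kernel-crypto": ("5.14.0-fips", "CMVP-CERT-PLACEHOLDER-2"),
}

# Constructed runtime evidence, one line per host and module, as a collector
# would emit it. fips_mode mirrors /proc/sys/crypto/fips_enabled on Linux (1 = on).
EVIDENCE = """
host=web-01 module=openssl-fips-provider version=3.0.9 fips_mode=1
host=web-02 module=openssl-fips-provider version=3.1.2 fips_mode=1
host=db-01 module=kernel-crypto version=5.14.0-fips fips_mode=0
host=bk-01 module=libgcrypt version=1.10.1 fips_mode=1
"""

LINE = re.compile(r"host=(\S+) module=(\S+) version=(\S+) fips_mode=([01])")

def check_drift(inventory, evidence):
    """Return (host, module, finding) tuples. Three drift classes are flagged:
    a deployed version that is not the validated one, a validated module running
    with FIPS mode off, and a module with no inventory entry at all."""
    findings = []
    for raw in evidence.strip().splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            findings.append(("?", "?", f"unparseable evidence line: {raw!r}"))
            continue
        host, module, version, fips = m.groups()
        entry = inventory.get(module)
        if entry is None:
            findings.append((host, module, "module absent from cryptographic module inventory"))
            continue
        validated, cert = entry
        if version != validated:
            findings.append((host, module, f"deployed {version}, validated {validated} ({cert})"))
        if fips != "1":
            findings.append((host, module, "FIPS mode not enabled at runtime"))
    return findings

def hosts_with_findings(findings):
    """Sorted hosts that need remediation before the evidence package is assembled."""
    return sorted({h for h, _, _ in findings})
```

The three constructed failures are exactly the three assessment findings the text describes: a host that rolled to an unvalidated version, a validated module with FIPS mode off, and a backup host using a library nobody put in the inventory.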
Control friction point 3: continuous monitoring maturity
The requirement: after authorization, the CSP must produce continuous monitoring deliverables — vulnerability scan results, POA&M updates, system change notifications, incident reports — on a defined cadence.
Where it burns CSPs during assessment: IL5 assessors are more operational than FedRAMP Moderate assessors. They do not just verify that the continuous monitoring plan exists; they verify that the plan has been operating for long enough to produce a track record, and they look at the artifacts the plan produces. A vulnerability scanner that has been generating monthly reports for six months is credible. A vulnerability scanner that was configured the week before assessment, producing its first report during assessment, is not.
This is particularly painful for CSPs who completed FedRAMP Moderate and immediately began IL4/IL5 work. The continuous monitoring program from FedRAMP needs to be running, producing artifacts, feeding into the POA&M, and demonstrating that the CSP responds to findings. A CSP that is still building its ConMon operational muscle during IL5 assessment often fails on this dimension even if the technical control is in place.
A specific item assessors frequently flag: POA&M discipline. The POA&M is not a static document; it is an operational register that should show open items being worked, closed items being verified, and new items being added. An assessor reviewing the POA&M at IL5 time expects to see six months of POA&M activity. A POA&M with a date of “last updated” two weeks before assessment is a signal that the program is immature.
What prepared CSPs do: run continuous monitoring at FedRAMP and IL4, generate monthly deliverables, demonstrate an operational cadence. Arrive at IL5 assessment with six to twelve months of artifacts. Treat the POA&M as a working register, not an assessment-time document.
Control friction point 4: insider threat program integration
The requirement: IL5 implementations require an insider threat program with specific capabilities — user activity monitoring for privileged operators, behavioral analysis, incident response workflows for suspected insider activity, and reporting integration with the CSP’s security operations.
Where it burns CSPs during assessment: the insider threat control family sits at an intersection of HR, security, legal, and operations. Most CSPs have components of the program but not a coherent integrated workflow. An assessor will ask: when an insider threat indicator fires, what happens? Who investigates? Who is notified? What evidence is preserved? How is the subject’s access modified? What legal and HR workflows are triggered? A CSP without documented answers to these questions — and without a track record of using the workflow — is typically found deficient.
A second common issue is that user activity monitoring is implemented for end users but not for privileged operators. The IL5 threat model explicitly includes malicious or compromised privileged operators; user activity monitoring that does not cover this population fails the intent of the control.
What prepared CSPs do: a documented insider threat program with a named program owner. Integrated user activity monitoring for privileged operators with specific detection use cases (abnormal access, unusual data movement, privileged session anomalies). Tabletop exercises for insider threat scenarios with documented results. Legal and HR procedures pre-coordinated for the investigation and response workflow.
Control friction point 5: supply chain risk management
The requirement: the CSP must document the supply chain risks for its authorization boundary — hardware vendors, software vendors, service providers — and implement controls for identified risks.
Where it burns CSPs during assessment: supply chain risk management has become a focal area for DoD assessors. The assessor does not expect the CSP to have eliminated supply chain risk; they expect the CSP to have inventoried it and to have made informed decisions. A documented inventory that acknowledges the use of a foreign-owned vendor with documented risk mitigations is acceptable; an inventory that omits the vendor entirely or that treats the risk as “low” without justification is not.
Specific attention: FOCI (Foreign Ownership, Control, or Influence) considerations for vendors who process in-scope data. Provenance of hardware components used in the authorization boundary. Software Bill of Materials (SBOM) for major software components. Update and patching provenance for operating systems and critical libraries.
A common failure pattern is that the CSP has an internal supply chain review process but does not document its outputs in a form the assessor can evaluate. The assessor asks “how did you assess the risk of using vendor X?” and the CSP has no artifact to point at. The underlying analysis was done; the documentation was not.
What prepared CSPs do: an explicit supply chain inventory with each vendor categorized by role, classification of data the vendor processes, known FOCI status, and mitigation posture. Documented decision records for vendor selection at the boundary. SBOM for software components with update discipline.
Control friction point 6: incident response at DoD cadence
The requirement: the CSP’s incident response must meet DoD reporting cadence, which is more aggressive than FedRAMP’s. DFARS 7012 sets a 72-hour notification window for certain incidents; DoD customers typically expect same-day notification for incidents affecting their workloads; and specific incident categories must also be reported to US Cyber Command.
Where it burns CSPs during assessment: the policy is easy to write; the operational workflow is harder. The assessor will ask the incident response team to walk through a simulated incident and produce evidence that the team can meet the timeline. CSPs with mature SOC operations but without DoD-specific incident categorization often find themselves unable to demonstrate that the 72-hour notification workflow is operationally reliable.
A specific pain point: the integration between the CSP’s SOC and the DoD customer’s security team. The SOC is staffed by CSP employees; the DoD customer’s security team sits in a different organization with different communication channels. Getting the escalation path correct — right contact, right classification level, right format, right timeline — requires pre-coordination that many CSPs leave until the first real incident.
What prepared CSPs do: DoD-specific incident classifications added to the incident response runbook. Tabletop exercises with the actual escalation paths exercised, including notification to DoD customer points of contact. Documented post-incident reports for historical incidents demonstrating the DoD notification workflow was used.
Control friction point 7: boundary protection for DoD traffic
The requirement: the IL5 authorization boundary must implement boundary protection (firewalling, data loss prevention, traffic inspection) at a depth appropriate for DoD traffic. For IL5, this includes specific requirements about encrypted channels, allowed protocols, and allowed destinations.
Where it burns CSPs during assessment: the boundary protection in the CSP’s existing FedRAMP authorization is often calibrated for commercial customer expectations. IL5 raises the bar. Specific concerns: outbound traffic from the boundary is often underspecified; third-party dependencies (log forwarding, metrics, monitoring SaaS tools) that egress to non-DoD-aligned infrastructure are often overlooked; split-tunnel configurations for administrative access are often too permissive.
A recurring assessor finding is that the CSP has documented allowed inbound flows exhaustively but has not equally documented outbound flows. The assessor wants to see that every egress destination has a documented business purpose, an assessment of whether the destination is appropriate for DoD data, and controls that prevent unauthorized egress.
What prepared CSPs do: symmetric inbound and outbound flow documentation. Egress restriction to a documented allowlist of destinations. Explicit handling of third-party SaaS dependencies in the operations stack — either removed, replaced with US-resident alternatives, or moved outside the authorization boundary with appropriate data segregation.
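The outbound-flow review described above, as an added example that is not code from the article. It assumes a constructed boundary range, a constructed allowlist in which every permitted (destination, port) carries a business purpose and a decision on whether it may carry DoD data, and constructed flow records; all addresses and purposes are made up.

```python
import ipaddress

# Constructed authorization boundary address range.
BOUNDARY = ipaddress.ip_network("10.50.0.0/16")

# Constructed egress allowlist: (destination network, port) ->
# (documented business purpose, approved to carry DoD data).
ALLOWLIST = {
    (ipaddress.ip_network("10.60.0.0/24"), 443): ("DoD customer SIEM forwarding", True),
    (ipaddress.ip_network("192.0.2.0/24"), 443): ("OS patch mirror", True),
    (ipaddress.ip_network("198.51.100.0/24"), 443): ("metrics SaaS outside the boundary, no CUI", False),
}

# Constructed flow records: src dst dport bytes
FLOWS = """
10.50.1.10 10.60.0.5 443 120000
10.50.1.11 192.0.2.7 443 5000
10.50.2.20 198.51.100.9 443 80000
10.50.2.21 203.0.113.40 22 900
10.60.0.5 10.50.1.10 443 200
"""

def lookup(dst, port):
    """Return the allowlist entry covering (dst, port), or None if undocumented."""
    addr = ipaddress.ip_address(dst)
    for (net, p), meta in ALLOWLIST.items():
        if addr in net and p == port:
            return meta
    return None

def review_egress(flows):
    """Return (dst, port, finding) for every outbound flow that leaves the boundary
    toward an undocumented destination or a destination not approved for DoD data."""
    findings = []
    for line in flows.strip().splitlines():
        src, dst, port, _nbytes = line.split()
        port = int(port)
        if ipaddress.ip_address(src) not in BOUNDARY or ipaddress.ip_address(dst) in BOUNDARY:
            continue  # inbound or internal flow, not egress
        meta = lookup(dst, port)
        if meta is None:
            findings.append((dst, port, "egress to undocumented destination"))
        elif not meta[1]:
            findings.append((dst, port, f"documented but not approved for DoD data: {meta[0]}"))
    return findings
```

The second flagged flow is the case the text warns about: an operations-stack dependency that is on the allowlist for a reason, but whose destination was never judged appropriate for DoD data, so a large transfer to it needs explaining.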
Control friction point 8: personnel security for the full operator population
The requirement: every person with access to the IL5 authorization boundary must meet personnel security requirements, including background investigations appropriate to their role. For IL5, this is typically a Tier 3 investigation for privileged operators, with renewal on a defined cadence.
Where it burns CSPs during assessment: background investigations take months. CSPs who grow their federal operations team in advance of IL5 readiness have a clean personnel roster; CSPs who discover the requirement mid-program find themselves unable to staff operations because investigations are in progress.
A specific pain point: contractors and consultants with privileged access. Their investigations are handled through a different process (the contractor’s employer submits the investigation) and are often less visible to the CSP. The assessor will expect documentation for every individual, contractor or employee.
What prepared CSPs do: centralized tracking of every person with privileged access and their current investigation status. Investigation renewal calendared ahead of expiration. Contractor onboarding workflow that verifies investigation status before granting access.
What this looks like in the assessment timeline
For a CSP well-prepared on these eight areas, IL5 assessment runs six to eight months from kickoff to DISA PA issuance. For a CSP unprepared on two or more of these areas, the timeline extends to ten to fourteen months, with the majority of the delay spent remediating findings from the initial assessment pass.
The practical difference between a six-month and a twelve-month IL5 is not the technical architecture — most CSPs approaching IL5 have adequate architecture. The difference is operational maturity: continuous monitoring discipline, evidence production cadence, incident response operational muscle, personnel security tracking, and documentation of the decisions that were made. These are not glamorous investments. They are the ones that compound the authorization timeline.
When to engage
The most valuable time to bring in outside advisory for IL5 is between six and nine months before your target DISA submission date. That window gives time to identify gaps in the eight areas above, remediate the operational ones (which often take three to six months), and enter assessment with a package that survives first-pass review.
Engaging advisory during the assessment itself is useful for specific technical questions and for managing assessor communications, but by then there is no time left to fix the underlying operational deficits. CSPs who engage advisory during assessment typically end up with a scope focused on findings remediation and schedule recovery rather than the broader operational maturity work that would have accelerated the whole program.
The earlier the conversation, the shorter the IL5 timeline tends to be.
Our FedRAMP and DoD CC SRG practice runs both tracks — FedRAMP Moderate/High as the foundation and DoD IL4/IL5/IL6 on top. If you are still upstream of IL5 and evaluating the full sequencing, see the upgrade path most CSPs underestimate.