Department of Defense (DoD) Impact Level 4 (IL4)
DoD IL4 overview
The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD provisional authorization (PA) that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).
DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD provisional authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.
According to Section 3.1.2 (Page 18) of the Cloud Computing SRG, IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems. The CUI Registry provides specific categories of information that is under protection by the Executive branch. For example, more than 20 category groupings are included in the CUI category list, such as:
- Critical infrastructure (for example, Critical Energy Infrastructure Information)
- Defense (for example, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information – Defense)
- Export Control (for example, Export Administration Regulations (EAR) restrictions for items on the Commerce Control List, or International Traffic in Arms Regulations (ITAR) restrictions for items on the US Munitions List)
- Financial (for example, bank secrecy, budget, and so on)
- Intelligence (for example, Foreign Intelligence Surveillance Act)
- Law enforcement (for example, criminal history records, accident investigations, and so on)
- Nuclear (for example, Unclassified Controlled Nuclear Information – Energy)
- Privacy (for example, military personnel records, health information, and so on)
- And more
IL4 accommodates CUI categorizations based on the Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) Security Categorization and Control Selection for National Security Systems up to moderate confidentiality and moderate integrity (M-M-x). The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is intended for use by federal agencies in contracts or other agreements established with non-federal organizations.
The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.
Section 5.1.1 DoD use of FedRAMP Security Controls (Page 37) of the Cloud Computing SRG states that a FedRAMP High provisional authorization will be accepted for a DoD IL4 PA without an assessment of extra controls and control enhancements (C/CE); however, assessment of non-C/CE based requirements in the Cloud Computing SRG is needed.
Azure and DoD IL4
Microsoft maintains the following authorizations for Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:
- FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- DoD IL2 PA
- DoD IL4 PA
- DoD IL5 PA
For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative for Azure Government, which maps to DoD IL4 compliance domains and controls:
Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each DoD IL4 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
For more information about Azure support for NIST SP 800-171, see Azure NIST SP 800-171 documentation.
- Azure Government
Services in scope
For a list of Azure Government online services in DoD IL4 PA scope, see Azure Government services in audit scope.
Service availability varies across Azure Government regions. For an up-to-date list of service availability, see Products available by region.
You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.
Select FedRAMP documentation, including the System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from the Service Trust Portal Audit Reports – FedRAMP Reports section. Contact your Microsoft account representative for assistance.
Contact DISA for access to the most recent Azure Government DoD IL4 PA letter.
Frequently asked questions
What Azure services are covered by DoD IL4 PA and in what regions? To find out what services are available in Azure Government, see Products available by region. For a list of services provisionally authorized at DoD IL4, see Azure Government services in audit scope.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- What is Azure Government?
- Explore Azure Government
- Microsoft for defense and intelligence
- DoD Cloud Computing Security Requirements Guide
- FedRAMP documents and templates
- DoD Instruction 8510.01 DoD Risk Management Framework (RMF) for DoD Information Technology (IT)
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- Controlled unclassified information (CUI) Registry and CUI category list