Department of Defense (DoD) Impact Level 5 (IL5)

DoD IL5 overview

The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service provider (CSP), supporting the decision to grant a DoD Provisional Authorization (PA) that allows a CSP to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM) and maps to the DoD Risk Management Framework (RMF).

DISA guides DoD agencies and departments in planning and authorizing the use of a CSP. It also evaluates CSP offerings for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD Provisional Authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.

According to SRG Section 3.2 Information Impact Levels, IL5 information covers:

  • Controlled Unclassified Information (CUI) that requires a higher level of protection than that afforded by IL4
    • The CUI Registry provides the specific categories of information that are under protection by the Executive branch; for example, more than 20 category groupings are included in the CUI category list.
    • NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is intended for use by federal agencies in contracts or other agreements established with non-federal organizations.
  • National Security Systems (NSS)
    • NIST SP 800-59 Guideline for Identifying an Information System as a National Security System provides definitions of NSS.
    • CNSSI 1253 Security Categorization and Control Selection for National Security Systems provides guidance on the security standards that federal agencies should apply to categorize national security information.

The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.

SRG Section 5.1.1 DoD use of FedRAMP Security Controls states that a FedRAMP High PA, supplemented with DoD FedRAMP+ controls and control enhancements (C/CEs) and requirements in the SRG, is used to assess CSPs toward awarding a DoD PA at IL5. No matter what C/CE baseline is used as the basis for a FedRAMP High PA, additional considerations and/or requirements will need to be assessed and approved before a DoD PA can be awarded at IL5. Specifically, SRG Section 5.1.2 DoD FedRAMP+ Security Controls/Enhancements states in Table 2 that 10 additional C/CEs beyond the FedRAMP High baseline are required for a DoD IL5 PA.

Moreover, according to SRG Section 5.2.2.3 IL5 Location and Separation Requirements, the following requirements (among others) must be in place for a Level 5 PA:

  • Virtual/logical separation between DoD and Federal Government tenants / missions is sufficient. Virtual/logical separation between tenant/mission systems is minimally required.
  • Physical separation from non-DoD/non-Federal Government tenants (i.e., public, local/state government tenants) is required.
  • The CSP restricts potential access to DoD’s and the community’s information to CSP employees that are U.S. Citizens.

Azure and DoD IL5

Azure Government maintains:

  • FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • DoD Cloud Computing Security Requirements Guide (SRG) Impact Level 5 (IL5) Provisional Authorization (PA)

Azure Government has two regions (US DoD Central and US DoD East) that are reserved for exclusive use by the US Department of Defense. For more information, see Department of Defense (DoD) in Azure Government.

For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps customers deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help customers deploy a core set of policies for any Azure-based architecture that requires compliance with the DoD IL5 requirements, Azure has released the Azure Blueprint for DoD IL5. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.

Applicability

  • Azure Government

Services in scope

For a list of Microsoft online services in scope for the DoD IL5 PA in Azure Government, see Azure Government services in audit scope:

  • Azure
  • Dynamics 365 Customer Service
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Graph
  • Microsoft Stream
  • Power Automate (formerly Microsoft Flow)
  • Power BI

Service availability varies across Azure Government regions. For an up-to-date list of service availability, see Products available by region.

Microsoft 365 DoD compliance offering

For more information about Microsoft 365 compliance, see Microsoft 365 DoD documentation.

Attestation documents

US government customers can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.

Select FedRAMP and DoD documentation, including System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), etc., is available to customers under NDA and pending access authorization from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

What Azure services are covered by DoD IL5 PA and in what regions?
To find out what services are available in Azure Government, see Products available by region. For a list of services provisionally authorized at DoD IL5, see Azure Government services in audit scope.

Resources