Ryan Gutwein

Cybersecurity Leader & Visionary

3 minute read

Originally published on GoOptimal.io

Overview

This comprehensive guide addresses Department of Defense (DoD) Impact Level certification for cloud-native products. The framework encompasses 622 controls across 20 families spanning four impact levels, with 11 steps required to achieve Provisional Authorization.

Key Statistics

  • 622 total controls across the framework
  • 20 control families
  • 4 impact levels (IL2, IL4, IL5, IL6)
  • 11 steps to Provisional Authorization

The Four Impact Levels

IL2 (FedRAMP Moderate)

  • 345 controls
  • Handles public/non-CUI data
  • Multi-tenant environments acceptable
  • No citizenship requirements

IL4 (Two variants)

  • IL4 Moderate: 345 controls (FedRAMP Moderate baseline)
  • IL4 High: 429 controls (FedRAMP High + DoD additions)
  • Processes CUI, non-NSS data
  • Requires logical separation
  • U.S. citizen personnel mandatory
  • NIPRNet access via Cloud Access Point (CAP)

IL5 (NSS)

  • 588 controls
  • Implements CNSSI 1253 NSS overlay
  • Handles higher CUI/NSS data
  • Requires physical infrastructure separation
  • 37% increase over IL4 High
  • Tier 3/Secret personnel clearance required
  • CONUS data residency mandatory

IL6 (Classified)

  • 618 controls
  • Processes classified/SECRET data
  • CNSSI 1253 + TEMPEST requirements
  • SIPRNet connectivity
  • Tier 5/TS/SCI clearance requirement
  • Physical security with continuous guards

Control Family Distribution

The largest jumps occur at IL5:

  • System & Services Acquisition: +138% (29 to 69 controls)
  • System & Communications Protection: +55% (38 to 59 controls)
  • System & Information Integrity: +49% (35 to 52 controls)

Other significant families include Access Control (65 controls across all levels) and Audit & Accountability (37 controls at IL6).

Architecture Requirements

SCCA Framework Components

CSP DevSecOps Environment:

  • Separate IL-authorized cloud account
  • Continuous Authority to Operate (cATO)
  • FIPS 140-2/3 compliance
  • STIG-hardened CI/CD runners

Agency-Owned Infrastructure:

  • IL-authorized region within CONUS
  • DoD IP space allocation
  • VDSS (Virtual Datacenter Security Stack) with firewall, WAF, IDS/IPS
  • Reverse proxy with TLS termination

Your Product (Cloud Service Offering):

  • Compute via VMs/containers
  • FIPS-validated endpoints
  • DoD PKI/CAC authentication
  • Message bus and secrets management via KMS/HSM
  • Internal load balancing with TLS 1.2+

Cross-Infrastructure Security:

  • VPN/Transit Gateway with IPSec
  • AES-256 encryption at rest
  • CONUS-only data routing
  • VPC flow logs and packet capture

Continuous Monitoring:

  • CSSP (Cybersecurity Service Provider) log replication
  • ACAS vulnerability scanning
  • HBSS host-based security
  • SIEM with real-time correlation
  • 24/7 SOC coordination with JFHQ-DoDIN

The 11-Step Authorization Journey

CSP/CSO Phase (Steps 1-9)

  1. Submit initial contact form via DCAS portal
  2. Participate in Technical Exchange Meeting (TEM) with stakeholders
  3. JVT reviews System Security Plan, Security Assessment Report, and architecture documentation
  4. Initial risk review generates Interim Authorization to Test and Cloud Authority to Connect credentials
  5. JVT validates artifacts (concurrent with Step 6)
  6. SCCA establishes network connectivity to CAP
  7. DSAWG (Defense Security Authorizing Working Group) cross-service review
  8. DISA Authorization Official issues Provisional Authorization to the Cloud Service Offering
  9. Continuous monitoring and USCYBERCOM OPORD compliance begins

Mission Owner Phase (Steps 10-11)

  1. Mission Owner registers Cloud IT Project via SNAP
  2. Authority to Operate granted; mission system deployment

General Readiness Gates

Ten binary pass/fail requirements evaluated before formal control assessment:

  1. DoD PKI/CAC authentication capability
  2. DoD IP addressing (DISA Network Information Center allocation)
  3. U.S. data residency (CONUS requirement)
  4. Management plane segregation from tenant infrastructure
  5. Personnel clearance requirements met
  6. CAP private network connections established
  7. Internet dependencies documented
  8. NIPRNet portal access provisioned
  9. Backdoor prevention mechanisms validated
  10. Defense-in-depth architecture confirmed

Personnel & Clearance Requirements

Requirement IL2 IL4 IL5 IL6
Privileged Access Tier 1/NACI Tier 3/MBI Tier 3/Secret Tier 5/TS/SCI
Non-Privileged N/A Tier 1 Tier 3/Secret Tier 5/TS/SCI
Citizenship Not required U.S. Citizens U.S. Citizens U.S. Citizens
Data Location Any CONUS CONUS CONUS

Data Type Overlays

Beyond baseline controls, systems handling specific data types face additional overlay requirements:

  • NSS Overlay: 303 controls
  • CUI Overlay: 249 controls
  • Classified Overlay: 212 controls
  • PHI/HIPAA: 138 controls
  • Export Control: 108 controls
  • PII/Privacy: 58 controls

An IL5 system processing combined CUI and PHI could require 588 baseline controls plus overlay additions.

Implementation Guidance

For IL4 Targets

  • Begin with FedRAMP High baseline (429 controls)
  • Architect for CAP and DoD PKI integration immediately
  • Budget for CSSP engagement
  • Initiate circuit provisioning early (months-long lead times)

For IL5 Targets

  • Implement everything required for IL4
  • Design physically separated infrastructure
  • Implement full CNSSI 1253 NSS control overlay
  • Establish 24/7 SOC with CSSP coordination
  • Integrate supply chain risk management across vendor ecosystem

For IL6 Targets

  • Establish SIPRNet classified enclave
  • Implement TEMPEST/EMSEC protections
  • Deploy continuous physical security
  • Expect DISA penetration testing rights
  • Manage 618-control framework with classified data protocols

Key Takeaway

DoD cloud authorization represents a foundational product architecture decision rather than a post-development compliance exercise. The IL4-to-IL5 transition particularly marks a discontinuous jump in requirements, infrastructure complexity, and operational overhead. Successful authorization demands early planning, sustained stakeholder coordination, and architecture decisions embedded from inception.

Updated:

You May Also Enjoy