Department of Defense (DoD) Impact Level 4 (IL4)

DoD IL4 overview

The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). The Cloud Computing SRG defines the baseline security requirements used by DoD to assess the security posture of a cloud service offering (CSO), supporting the decision to grant a DoD provisional authorization (PA) that allows a cloud service provider (CSP) to host DoD missions. It incorporates, supersedes, and rescinds the previously published DoD Cloud Security Model (CSM), and maps to the DoD Risk Management Framework (RMF).

DISA guides DoD agencies and departments in planning and authorizing the use of a CSO. It also evaluates CSOs for compliance with the SRG — an authorization process whereby CSPs can furnish documentation outlining their compliance with DoD standards. It issues DoD provisional authorizations (PAs) when appropriate, so DoD agencies and supporting organizations can use cloud services without having to go through a full approval process on their own, saving time and effort.

According to Section 3.1.2 (Page 18) of the Cloud Computing SRG, IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems. The CUI Registry provides specific categories of information that is under protection by the Executive branch. For example, more than 20 category groupings are included in the CUI category list, such as:

IL4 accommodates CUI categorizations based on the Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) Security Categorization and Control Selection for National Security Systems up to moderate confidentiality and moderate integrity (M-M-x). The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is intended for use by federal agencies in contracts or other agreements established with non-federal organizations.

The 15 December 2014 DoD CIO memo regarding Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services states that “FedRAMP will serve as the minimum security baseline for all DoD cloud services.” The SRG uses the FedRAMP Moderate baseline at all information impact levels (IL) and considers the High Baseline at some.

Section 5.1.1 DoD use of FedRAMP Security Controls (Page 37) of the Cloud Computing SRG states that a FedRAMP High provisional authorization will be accepted for a DoD IL4 PA without an assessment of extra controls and control enhancements (C/CE); however, assessment of non-C/CE based requirements in the Cloud Computing SRG is needed.

Section 5.6.2 CSP Personnel Requirements (Page 76) additionally restricts CSP personnel having access to IL4 and IL5 data to US citizens, US nationals, or US persons. No foreign persons may have such access.

Azure and DoD IL4

Microsoft maintains the following authorizations for Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:

  • FedRAMP High provisional authorization to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • DoD IL2 PA
  • DoD IL4 PA
  • DoD IL5 PA

For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiative for Azure Government, which maps to DoD IL4 compliance domains and controls:

Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each DoD IL4 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

For more information about Azure support for NIST SP 800-171, see Azure NIST SP 800-171 documentation.

Applicability

  • Azure Government

Services in scope

For a list of Azure Government cloud services in DoD IL4 PA scope, see Cloud services in audit scope.

Service availability varies across Azure Government regions. For an up-to-date list of service availability, see Products available by region.

Attestation documents

For access to Azure Government FedRAMP documentation, see FedRAMP attestation documents.

Contact DISA for access to the most recent Azure Government DoD IL4 PA letter.

Frequently asked questions

What Azure services are covered by DoD IL4 PA and in what regions?
To find out what services are available in Azure Government, see Products available by region. For a list of services provisionally authorized at DoD IL4, see Cloud services in audit scope.

Resources