Move From FedRAMP to DoD with Impact Level Assessment
2024-8-10 08:20:55 Author: securityboulevard.com

We’ve written extensively before about FedRAMP’s impact levels. As a brief refresher, there are four:

  • Li-SaaS, the lowest of the low-security levels, is made for non-critical cloud applications that handle no tangible CUI.
  • Low Impact, which can handle some CUI but is largely limited to basic and public information, such as the data needed for authentication.
  • Moderate Impact, the middle-tier security level that encompasses nearly 80% of government contractors and cloud services and ensures baseline security for most CUI.
  • High Impact, the highest standard FedRAMP offers for the control of CUI, which often adds security requirements for specialized industries such as law enforcement, finance, and healthcare.

You can read our full guide to these four impact levels, how they’re calculated, and what they mean in this post.

One important thing to know here is that FedRAMP is not the be-all and end-all security framework for the government. In fact, FedRAMP was designed primarily to be a set standard that contractors working with government agencies should follow, but there are other standards more specific to certain agencies that can supersede FedRAMP itself.

In particular, the Department of Defense comes to mind.

What is the DoD Security Framework?

The DoD security framework is its own version of cloud security standards, and rather than being administered by the JAB and PMO, it’s controlled by DISA, the Defense Information Systems Agency.

Much like FedRAMP standards, the DISA standards for DoD contractor security operate along three axes: confidentiality, integrity, and availability. So far, so good, right?

Adhering to DoD Security Standards

DISA lays out its information for the DoD security framework in the Department of Defense Cloud Computing Security Requirements Guide, and the guidance it uses is based on the Federal Information Security Management Act, or FISMA, which we are all generally familiar with. DISA also bases its standards and security controls on NIST documentation, including NIST SP 800-37, the Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

In a sense, you can think of the DoD security framework as similar to FedRAMP, except built out higher to stronger security levels. To understand that, though, you need to know what the DoD security framework impact levels are and what they mean.

What Are the DoD Impact Levels?

There are six DoD impact levels. Except, that’s a lie.

The DoD impact level scale runs from level 1 to level 6. However, two of those levels don’t exist: level 1 and level 3.

While you might think that this is a change designed to better align the DoD impact levels to the FedRAMP impact levels, that’s not actually correct, which you’ll see once we get into the specific impact levels.

DoD Impact Level 1

The Level 1 impact level was formerly the impact level roughly equivalent to FedRAMP Li-SaaS and Low Impact. It was the lowest the DoD would accept.

However, over time, it became clear that an agency with as high an impact as the DoD could not allow such low and open security for its contractors, even when those contractors access or manage nothing other than public information. So, Level 1 was discontinued, and all CSPs using it were given a choice: lose DoD security authorization or upgrade to Level 2.

DoD Impact Level 2

Impact Level 2 is currently the lowest possible impact level that the DoD allows. It is designated for cloud service providers that manage non-controlled, non-classified information, which includes all data that the DoD has cleared for the public and even some DoD private information that has not been set at a control level.

When you compare the security controls and standards in place, DoD impact level 2 is more or less equivalent to the FedRAMP Moderate baseline, which is by far the most common and most widely-used baseline for FedRAMP-certified cloud service providers.

Much like how 80% of the FedRAMP-certified CSPs are certified at the Moderate impact level, the majority of the CSPs working with the DoD and achieving DoD impact level certification are certified at level 2.

DoD Impact Level 3

Impact Level 3 is the second of the discontinued impact levels.

DoD’s impact level 3 was formerly an impact level somewhere in between FedRAMP moderate and FedRAMP high. However, since there was no clear equivalent and because it wasn’t broadly useful, the DoD eventually decided to roll this impact level up to Impact Level 4. Again, like impact level 1, anyone certified at impact level 3 was given the option to improve by implementing additional security controls to reach level 4 or let their approval drop to level 2 instead.

Since the jump from level 3 to level 4 was comparatively minor, many CSPs formerly at level 3 have achieved level 4 instead.

DoD Impact Level 4

If Impact Level 1 and Impact Level 3 no longer exist, Impact Level 4 effectively becomes the second impact level. In terms of FedRAMP, it’s a higher than moderate impact level but not quite as high as High.

DoD Impact Level 4 is designed for the control and management of CUI that is not considered part of national security information. CSPs authorized at impact level 4 are able to handle export-controlled data, privacy information, and protected health information. Some examples of the kinds of CUI that can be controlled at impact level 4 include military personnel medical records, DoD employee personnel records, risk management plans, and similar information.

To put things into perspective, FedRAMP Moderate has around 325 security controls that an organization must implement and maintain. FedRAMP High has 421 security controls, a jump of nearly 100. DoD impact level 4 has 369 controls, putting it above Moderate but below High as a sort of FedRAMP Moderate Plus.

There are also a few additional requirements that come with impact level 4. One of the largest is that any cloud service provider operating at impact level 4 or above must operate within the United States or its territories. Off-premises communications need to use the NIPRNET system for non-classified internet communications.

DoD Impact Level 5

DoD Impact Level 5 is where things start to get serious for the DoD. It includes 431 controls, ten more than FedRAMP high, and it’s the security level designated for CUI that can include national security information. This is also the level required for CSPs that will handle mission-critical information and systems.

Like impact level 4, a CSP achieving impact level 5 needs to be operated within the United States or its territories. It must also be operated by US citizens. There are also additional requirements to ensure that the CSP is capable of continuing operations during times of crisis.

As serious as we make it sound, impact level 5 and FedRAMP high are roughly equivalent. The DoD standard is a little higher, and the requirements – and scrutiny – increase to match, but the jump is relatively small.

DoD Impact Level 6

The highest impact level that DISA and the DoD administer is impact level 6. This level does not actually have a significantly larger number of controls than impact level 5; however, it takes things more seriously. The number of controls is similar, but the severity, strictness, and nature of those controls are much higher.

The biggest reason for this is that DoD impact level 6 certification allows a CSP to engage not just with CUI but also with classified materials up to the SECRET designation. This is effectively the strongest level of security – and the highest level of information – that can be handled by a third-party business rather than a direct agency or sub-agency of the government.

As such, there are many stringent additional rules that a CSP attempting to achieve impact level 6 certification must adhere to. Unlike levels 5 and below, level 6 communications must go through SIPRNET, the Secret Internet Protocol Router Network. Anyone accessing information on these systems needs to undergo a background check and hold at least a SECRET security clearance.

Additionally, while lower impact levels can be certified by agencies like the JAB, impact level 6 is entirely certified by DISA itself.

Can You Move from FedRAMP to DoD Security?

Yes, of course. Any cloud service provider that wants to work with the Department of Defense is able to pursue higher-level clearance than they currently have and make any adjustments necessary to obtain it. DoD works on a process of reciprocity with FedRAMP; in particular, FedRAMP Moderate and Impact Level 2 are about the same, and FedRAMP High and Impact Level 4 are quite similar. So, it’s entirely possible to achieve the ability to work with the DoD and with DoD information.

The difficulty of doing so, however, depends on two things: your starting point and your endpoint.

If you are currently authorized to operate at FedRAMP Li-SaaS or Low impact level, you will effectively need to pursue FedRAMP moderate impact level, which is more or less equivalent to DoD impact level 2. Either way, the process will be significant, especially if you’re starting at Li-SaaS, because of the much less stringent rules for security that come with those lower impact levels. If you have looked at but decided not to pursue FedRAMP moderate, then achieving any DoD impact level certification is likely outside of your realm of possibility as well.

If you are currently operating at FedRAMP moderate, it’s fairly easy to achieve DoD impact level 2. It will require some small enhancements here and there, and you may need to adjust a few processes, tighten a little security, and adjust your workforce, but the changes are minimal.

Moving From FedRAMP to DoD Security

If you are currently FedRAMP moderate and you want to achieve DoD impact level 4, you will have a bunch of work to do. This is very similar to the process of achieving FedRAMP High baseline, though the exact specifications are somewhat different. You will require some enhancements to your security, and may need to adjust things like which internet protocols you use and where certain facilities are located.

If you are currently FedRAMP high and you want to achieve DoD impact level 4, you essentially get it right away. There are a few small, specific additions you need to consider, but they aren’t huge system-changing lists of requirements.

Achieving DoD impact level 5 will require a considerable amount of work if you’re at FedRAMP moderate and a moderate amount of work if you’re at FedRAMP high. For many CSPs, especially those who use non-US offices and outside contractors, it’s effectively impossible without a rebuild of your operations.

Achieving DoD impact level 6 is, of course, the pinnacle. CSPs need to adhere to a variety of very high standards, and the adjustment from a framework meant to handle CUI to one meant to handle SECRET information is significant.

Does Your Cloud Service Provider Need DoD Security?

For this, the answer is up to you.

Being able to work with the DoD is a significant boon, and being able to boast that you are on the DoD Currently Authorized CSPs list is a notable selling point. However, it's also somewhat limiting, especially if you're seeking to achieve impact levels 5 or 6. These are generally only viable for large companies. For example, companies operating products at impact level 6 include Amazon Web Services, Microsoft Azure, Palantir Federal Cloud Services, and a small handful of others. As of this writing, only 10 services are authorized at level 6. Only around another 30 are authorized at level 5.

Moreover, this is slightly misleading. If you look at the list of services at impact level 6, you see:

  • Amazon Web Services Secret Region IL6
  • Microsoft Isolated Secret Region
  • Palantir Federal Cloud Services IL6
  • Casepoint IL6
  • Google Distributed Cloud Hosted IL6
  • Microsoft Azure IL6
  • Microsoft O365 Secret
  • MS-SWIFTECLIPSE
  • Oracle National Security Regions IL6 Cloud
  • Appian Government Cloud

In other words, of ten services, nearly half of them are Microsoft. The same holds true with various brands across other impact levels as well. While there are only 86 services on the list of CSPs, there are far fewer companies involved.

The Ignyte Platform

If your ambition is to join them, then by all means, feel free to reach out. At Ignyte, we’re well-versed in government security frameworks, and we can help by answering questions, providing the Ignyte Platform to assist with compliance, and more.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/fedramp-dod-impact-level/

Source: https://securityboulevard.com/2024/08/move-from-fedramp-to-dod-with-impact-level-assessment/