top of page

Department of Defense

DoD Impact Level (IL) Implementation for Cloud Applications

PH Blue Tagline
What are Impact Levels?

What are DoD IL2, IL4,IL5, and IL6?

The US Department of Defense (DoD) has issued a Cloud Computing Security Requirements Guide (SRG) that specifies the required levels of cybersecurity compliance for four different types of cloud service offerings (CSOs) used by the DOD.  For CSOs handling secret classified information, Impact Level 6 (IL6) security is required.  For those handling confidential unclassified information (CUI), IL4 or IL5 is required, depending on the sensitivity of the information.  Other CSOs (e.g. public facing websites) require IL2 security, which is equivalent to FedRAMP Moderate.


Before a DOD mission owner can use a CSO, the mission owner’s cybersecurity assessment team must first ensure that the offering is compliant with the required Impact Level controls by going through a thorough Risk Management Framework (RMF) process.  After the RMF process is completed and fully documented in the DOD’s eMASS system, the mission owner’s Chief Information Officer (CIO) may grant an Authority to Operate (ATO).  After the ATO is granted, the Defense Information System Agency (DISA) or another DoD agency needs to grant an authority to connect the cloud application to DoD networks NIPRNet (for IL4/5) or SIPRNet (for IL6) through a DISA-approved Boundary Cloud Access Point (BCAP).  The RMF, eMASS, BCAP process can take 1-2 years or more if starting from scratch.


It is much easier for a DOD mission owner to use a CSO that has been granted a Provisional Authorization (PA) by DISA.  Those systems have already been assessed by a 3rd Party Assessment Organization (3PAO), have navigated the RMF process, have had their controls documented in eMASS, and have established a connection to a DOD network through a BCAP.


The Project Hosts PJHFPC PaaS has DISA PAs at IL2, IL4 and IL5, and has a BCAP connection to the DOD NIPRNet.  That means that CSOs that deploy using this PaaS and Project Hosts services get a FasTrack to their own IL2, IL4 or IL5 compliance.


“IL5 compliant” means that all of the IL5 security controls specified in the SRG have been implemented for a particular cloud application (other Impact Levels are analogous).  Some of the controls are implemented by the Cloud Service Provider (CSP) who provides the CSO, and the remainder are implemented by the DoD mission owner.  If the mission owner procures a Software-as-a-Service (SaaS) solution with a DISA Provisional Authorization (PA), then typically 80-95% of the controls are implemented by the CSP, making it easier for the mission owner. If the mission owner procures an Infrastructure- or Platform-as-a-Service offering (IaaS or PaaS) and deploys an application on it, the mission owner is typically responsible for implementing and maintaining the 60-90% of the controls that are above the IaaS or PaaS level.

Can use a cloud application in production, the agency must first grant it an Authority to Operate (ATO). Before granting an ATO, the agency’s security team needs to make sure that the cloud application is compliant with the security controls at Impact Level (IL) 2, 4, 5, or 6 specified in the DoD Cloud Computing Security Requirements Guide (SRG). After the ATO is granted, the Defense Information System Agency (DISA) or another DoD agency needs to grant an authority to connect the cloud application to DoD networks NIPRNet (for IL4/5) or SIPRNet (for IL6) through a DISA-approved Boundary Cloud Access Point (BCAP).

DoD Solutions

DoD IL5 Solutions

Project Hosts is one of seven companies to have an IL5 authorization from DISA, and the only one that will manage the IL5 controls for your application.

We ensure all IL5 controls are in place

If you deploy on Azure or AWS, 15% of the IL5 controls are fully covered. You are responsible for the rest. If you deploy on the Project Hosts PJHFPC PaaS, the majority are fully covered by our DISA IL5 PA. We also implement the remaining app-specific controls for you.


We include built-in VDSS and VDMS

To connect your cloud environment through a CAP to a DoD network, you must have VDSS and VDMS services in place. Project Hosts is the only CSP with a DISA IL5 PA that offers these services for your application.

We manage the 7 steps to connect to a BCAP

Once all the IL5 controls and VDSS and VDMS are in place, there are seven steps to enable the connection through a Boundary Cloud Access Point (BCAP) from the DoD network to your cloud workloads. We help you through these.

Government Building Columns
Achieving DISA

Achieving a DISA PA

Project Hosts has developed a turnkey process for CSPs that allows them to get a DISA Provisional Authorization (PA) for their SaaS offering in about a year.  The first step is to tie the SaaS offering into Project Hosts PJHFPC PaaS. 


This step allows the SaaS to immediately inherit a majority of the compliance required for an IL5 PA.  More importantly, since the PaaS already has a DISA PA and has already navigated the RMF, eMASS, and BCAP connection processes, the remaining processes for the SaaS are much simpler and shorter. 


Project Hosts takes a lead on these, implementing and documenting the SaaS controls above the PaaS and managing the Third Party Assessment Organization (3PAO) audit and DISA authorization processes. Working with Project Hosts to obtain a DISA PA can take years off of the process for a CSP doing it themselves or with the aid of a consultant.

Project Hosts' ISV DoD Cloud Process

For Independent Software Vendors (ISVs), getting a cloud-based application DoD compliant is costly and time-consuming, especially for vendors new to serving the Department of Defense.


Want to learn more about DoD IL5 Solutions?

Contact Project Hosts Today!

Thanks for submitting!

WhiteMark Project Hosts
bottom of page