Business is booming in the cloud services market, and the federal government is leading the charge. According to Deltek, federal agencies awarded over $23 billion in cloud contracts in 2021 — a figure that’s likely to rise in the coming years.
Here’s the problem: While federal cloud spending is reaching an all-time high, the volume and velocity of cloud security incidents are rising in equal measure. In fact, cybercrime will grow at an annual rate of 15% through 2025, at which point it’ll be more profitable than the global trade of all illegal drugs combined.
Thus, cloud security is essential, especially for the independent software vendors (ISVs) that process, store and transmit U.S. Department of Defense (DoD) data. In this brief guide, we’ll explain what the DoD’s impact levels are and why they’re important for any ISV hoping to operate at the federal level.
Breaking down DoD impact levels
ISVs that wish to sell their cloud service offerings (CSOs) to DoD agencies must first meet a set of baseline security requirements. This baseline is defined by the Defense Information Systems Agency (DISA) in its Cloud Computing Security Requirements Guide (SRG). This document provides a standardized assessment and authorization process for ISVs to host DoD missions.
However, not all requirements apply to all CSOs. DISA determines which security requirements an ISV must meet based on the impact level of its offering, as outlined in the SRG. Think of an impact level as a measure of two factors:
- The sensitivity of the information stored and/or processed in the cloud.
- The potential impact of unauthorized disclosure or loss of sensitive data.
The SRG defines four authorization levels:
- DoD IL2: Accommodates DoD information that’s been approved for public release or non-critical mission information.
- DoD IL4: Includes DoD Controlled Unclassified Information (CUI), non-Controlled Unclassified Information, non-critical mission information and non-National Security Systems (NSS) data.
- DoD IL5: Involves higher sensitivity data, such as DoD CUI and NSS information.
- DoD IL6: Reserved for the storage and processing of data classified up to the SECRET level. This is information that, if obtained, could threaten national security interests.
The applicable security controls and requirements are stricter at each impact level. In turn, implementing and maintaining these processes becomes a burdensome and difficult task for the DoD agency and the ISV alike. Yet, it’s a necessary evil that must be completed to achieve DoD compliance.
Fortunately, Project Hosts offers a simpler way to implement, maintain and update the SRG’s stringent cloud security requirements. ISVs that connect their applications to the Project Hosts General Support System (GSS), a platform-as-a-service solution, automatically offload 80% of DoD controls.
The GSS is authorized at IL2 and IL4. Better yet, it’s one of only a handful of offerings that have been granted a DISA Provisional Authorization at IL5.