Moving past DoD Impact Level 2 (IL2), the logical next step should be IL3; however, IL3 is no longer used by the Department of Defense (DoD) and has been consolidated into IL4. DoD IL4 is designed to store, process, and transmit up to controlled unclassified information (CUI) related to military or contingency operations. Classified information (i.e., secret or top secret) is not permitted within either an IL4 or IL5 Cloud Service Offering (CSO). DoD Mission Owners must appropriately categorize their information to include only CUI suitable for an IL4 or IL5 hosting environment. CUI types are defined within the CUI Registry, which is hosted by the U.S. National Archives and Records Administration (NARA).
Another significant difference in IL4 and IL5 comes from how risk assessments are conducted. Risk assessments of a Cloud Service Provider’s (CSP’s) CSO include an assessment of the appropriate Federal Risk and Authorization Management Program (FedRAMP) baseline (minimally moderate) and the appropriate Committee on National Security Systems Instructions (CNSSI) 1253 baselines. DoD Mission Owners also define Service Level Agreement (SLA) requirements in the DoD Cloud Computing (CC) Security Requirements Guide (SRG), or applicable Privacy Overlay requirements defined in Appendix F of CNSSI 1253F.
There are more stringent control parameter requirements for existing FedRAMP Moderate controls that are evaluated at the IL2 baseline and 38 new security controls and enhancements a CSP must comply with at IL4. In addition to the elevated FedRAMP Moderate control requirements, all CSPs must comply with the security requirements defined in Section “5 Security Requirements” of the CC SRG. For General Readiness (GR) requirements, there are 19 controls also evaluated at the time of the CSO assessment. Some key requirements that may get overlooked are only allowing access to the environment and customer data to US Persons and ensuring there is a capability to provide connectivity to the CSO via Non-classified Internet Protocol Router Network (NIPRNet) after receiving a Provisional Authorization (PA). The CSO must also meet the Jurisdiction/Location Requirements by ensuring all data stored and processed, for or by the DoD, resides in a facility under the exclusive legal jurisdiction of the United States.
DoD IL5 allows CSPs to host unclassified National Security Systems (NSSs) supporting DoD missions. There are nine additional controls added to this baseline on top of the 38 IL4 controls incorporated into the FedRAMP Moderate baseline. Tenants residing in IL5 CSOs must be Federal Government Customers that can include civilian or DoD-based federal agencies. Civilian federal agencies must also have a legitimate need to operate within an unclassified NSS. Commercial or non-federal tenants are not permitted to reside in an IL5 CSO. Some critical requirements that may get overlooked for DoD IL5 are only allowing access to the environment and customer data to US citizens and ensuring there is physical separation of all US federal government and DoD agencies from non-federal government organizations. In addition to requiring physical data separation from commercial organizations, this also includes separation of data from state and local governments.
For more information on our FedRAMP advisory solutions you can visit https://www.coalfire.com/Solutions/Audit-and-Assessment/FedRAMP/Consulting-Advisory or please contact 3PAO@coalfire.com for more information on how we can help.