January 29, 2024

DoD Impact Level 4: What It Is and How to Choose the Right Cloud Service Provider

Information Security


For federal and government agencies that handle sensitive data, the Defense Information Systems Agency (DISA), an agency of the US Department of Defense (DoD), develops and maintains security standards that outline how a government organization should protect its most sensitive information.

For agencies that contract Cloud Service Providers (CSP) for payroll, document generation, and other processes, the DoD Cloud Computing Security Requirements Guide (SRG) serves as the baseline security standard to assess the security posture for a cloud service offering (CSO), which supports the choice to grant a provisional authorization (PA) to host DoD missions. The SRG also details what to look for when selecting a CSP. This is where Impact Level 4 (IL4) comes into play. 

In this blog post, we will delve into the significance of DoD IL4, what to look for in an IL4-authorized Cloud Service Provider (CSP), and how it can help protect your organization's most sensitive information.

What is DoD Impact Level 4 (IL4)?

Superseding the previously published DoD Cloud Security Model (CSM), and mapped to the DoD Risk Management Framework (RMF), the DoD IL4 is a security standard for non-classified information that requires a higher level of protection than Impact Level 2 (IL2). 

According to Section 3.1.2 (Page 18) of the Cloud Computing SRG, IL4 accommodates Controlled Unclassified Information (CUI), as well as other mission-critical data, including military personnel information in HR forms, health records, and system access forms. The CUI Registry provides specific categories of information that are under protection by the Executive branch.

There are 20 category groupings in the CUI category list, such as:

  • Privacy (e.g., military personnel records, health information)
  • Financial (e.g., bank secrecy, budget)
  • Critical infrastructure (e.g., energy)
  • Defense (e.g., naval nuclear propulsion)
  • Export Control (e.g., Export Administration Regulations (EAR) restrictions for items on the Commerce Control List, or International Traffic in Arms Regulations (ITAR) restrictions for items on the US Munitions List)
  • Intelligence (e.g., Foreign Intelligence Surveillance Act)
  • Law enforcement (e.g., criminal history records, accident investigations)
  • And more

End-to-End Encryption
Get peace of mind with our zero-access security to safeguard your private information.

Key Differences between IL2, IL4, IL5, and FedRAMP

While both are essential for maintaining a good security posture, the primary differences between IL2 and IL4 concern the specific security controls in place and the sensitivity of the information. 

IL2 uses the FedRAMP Moderate Baseline (MBL) as its security control, which is ideal for low confidentiality, unclassified information, as well as public and non-critical mission data. The IL2 CSO can be accessed via the public internet. 

The IL4 includes all aspects of IL2 but with a CUI-Specific Tailored Set or FedRAMP High Baseline (HBL). IL4. Overall, IL4 has 369 controls, including all of those included in FedRAMP moderate.

For CUI and mission data that require a higher level of protection, such as non-public, unclassified National Security System (NSS) data, IL5 is the appropriate security framework. Due to the inclusion of NSS-specific requirements in the FedRAMP+ C/CEs, the NSS must be implemented at IL5.

Why is DoD IL4 Important?

The primary purpose of implementing IL4 is to ensure the protection of sensitive data and information. It is vital for government agencies and other organizations that handle CUI to have a secure cloud environment that meets the stringent security requirements set by the DoD.

In accordance with the DoD CC SRG, federal and government agencies must categorize mission information systems by DoDI 8510.01 and CNSSI 1253 regarding information sensitivity and then determine the impact level that most closely applies. 

As aforementioned, IL4 is required when processing information in one of the CUI categories, including military personnel information in HR forms, health records, system access forms, etc.

What to Include in RFP for an IL4-Authorized CSP

When choosing an IL4-authorized Cloud Service Provider (CSP), and through the Request for Proposal (RFP) process, there are several factors and questions to consider. These include:

  1. Compliant with DoD Security Controls: The CSP should be compliant with the security controls outlined in the DoD Cloud Computing Security Requirements Guide (SRG). This includes FedRAMP High Baseline (HBL) and CUI-Specific Tailored Set, which are essential for maintaining the security of sensitive information.

  1. Data Residency in the Continental United States: Essential for complying with the requirements for handling CUI, the CSP must maintain data residency in the Continental United States (CONUS).

  1. US Persons Requirement: A CSP with a DoD IL4 authorization must employ US citizens, US nationals, or US persons to handle IL4 and IL5 data. 

  1. Experience in Government Cloud: A CSP with experience in the government cloud environment can better understand the unique requirements and challenges of working with government agencies. This experience can be invaluable in ensuring the security and compliance of your organization's sensitive data.

  1. Commitment to Security: A CSP that is dedicated to maintaining the highest levels of security and regularly updates its security measures to stay ahead of evolving threats is essential. This commitment to security is critical for protecting sensitive information and maintaining compliance with DoD requirements.

  1. Transparency and Communication: A good IL4-authorized CSP should be transparent about its security practices and be willing to communicate openly with customers. This ensures that you are always aware of the measures being taken to protect your data and can address any concerns that may arise.

Final Thoughts

In conclusion, choosing the right IL4-authorized Cloud Service Provider (CSP) is essential for ensuring the protection of sensitive mission data. When selecting the CSP for document generation, Inkit has been certified to comply with all IL-4 security controls, including data residency, US persons requirements, experience with the government cloud, commitment to security, and transparency. When it comes to secure DocGen, trust Inkit to safeguard your organization's most sensitive information.

Find Inkit on AppExchange today, or email us at sales@inkit.com with any questions. Trusted by the US Air Force, DoD, and top institutions where privacy and security matter most. 

Trusted by Those Who Put Privacy First

See Inkit in Action
Startups now receive up to one year of complimentary access to Inkit.