TL;DR
- The DoD Cloud Computing Security Requirements Guide (SRG) defines six Impact Levels (IL) for cloud workloads, currently using IL2, IL4, IL5 and IL6 in practice.
- IL5 covers Controlled Unclassified Information (CUI) and National Security Systems below the classified threshold.
- IL6 covers SECRET-classified information and requires hosting on the classified SIPRNet network.
- Both require FedRAMP High as a starting point, with DoD-specific overlays for personnel, physical, and network controls.
The Impact-Level System
The Defense Information Systems Agency (DISA) publishes the DoD Cloud Computing Security Requirements Guide — universally referred to as the SRG. The current version defines impact levels that map data sensitivity to required cloud-control intensity:
| Level | Data | Network |
|---|---|---|
| IL2 | Public or non-critical mission data. | Internet. |
| IL4 | CUI, non-CUI requiring greater protection, mission-support data. | Internet (with controls) or NIPRNet. |
| IL5 | CUI requiring higher confidentiality / mission-critical data / National Security Systems data. | NIPRNet only; restricted physical / personnel controls. |
| IL6 | Classified information up to SECRET. | SIPRNet (classified network); accredited classified facilities. |
IL5 in Detail
IL5 is the level where US DoD cloud requirements diverge sharply from civilian FedRAMP. The data category is broadly CUI plus mission-critical and National Security Systems below SECRET, and the controls go beyond FedRAMP High in several areas:
- US-citizens-only operations — personnel with privileged access must be US citizens.
- Dedicated cloud infrastructure — typically physically separated from commercial customers, at minimum logically separated with DoD-only personnel touching the underlying systems.
- CAC / PIV-based authentication for privileged access.
- Mandatory boundary on NIPRNet, not the public internet.
- Cleared cyber-defence operations centre with DoD reporting integration.
IL6 in Detail
IL6 is for SECRET-classified workloads. It requires the cloud service to operate on SIPRNet, the US DoD classified network, from inside accredited classified facilities with cleared personnel.
There are only a handful of IL6 cloud offerings globally. Hyperscaler IL6 regions are physically separate facilities, isolated from commercial cloud regions and from IL5 environments.
Warning: IL6 is materially different from IL5. The personnel-clearance, facility-accreditation and network-connection requirements are very specific to US DoD classified operations. A provider authorised for IL5 cannot host IL6 workloads without separate authorisation and infrastructure.
The Authorisation Process
DoD impact-level authorisations build on FedRAMP. The typical path:
- Achieve FedRAMP High authorisation through Agency ATO or JAB.
- Add the DoD SRG-defined controls and submit a Provisional Authorisation package to DISA.
- DISA issues a Provisional Authorisation (PA) at the relevant impact level.
- Individual DoD mission owners then issue mission-specific ATOs against the PA.
- Continuous monitoring continues per FedRAMP, with additional DoD-specific reporting.
Relationship to UK Defence
UK Ministry of Defence does not use IL5/IL6 — it uses its own classification (OFFICIAL / SECRET / TOP SECRET) and accreditation regimes including the MOD Cloud (MODCloud) framework and historic MoD List X arrangements for industry. The two systems do not formally map, but the practical security posture for IL5 / OFFICIAL-SENSITIVE is broadly comparable.
Where Yobitel Sits
Yobitel does not pursue IL5/IL6 authorisation directly. UK-headquartered providers are structurally constrained from US-citizens-only operations. Customers requiring IL5/IL6 hosting are referred to partner cloud regions; Yobibyte and InferenceBench are available as workload software inside customer-owned IL5/IL6 boundaries via partner deployments.
References
- DoD Cloud Computing Security Requirements Guide · DISA
- DoD CIO — Cloud · US DoD
- FedRAMP — High baseline · FedRAMP PMO