FedRAMP vs. DISA Impact Levels (IL4, IL5)

Federal cloud authorization, from civilian to defense

Selling software to the U.S. government means navigating two major frameworks: FedRAMP for civilian agencies, and the DoD Cloud Computing SRG for defense. Here's how they relate, when you need each, and how to operate across both.

How the frameworks stack up

Before FedRAMP or DISA Impact Levels, there is FIPS 199 — the standard that classifies every federal system by the impact of a security breach.

FIPS 199 rates systems across confidentiality, integrity, and availability, then categorizes each as Low, Moderate, or High. Those categories determine the required security controls. FedRAMP applies FIPS 199 to cloud systems. The DoD Cloud Computing SRG builds on FedRAMP, and Impact Levels extend those requirements for defense use.

Civilian vs. defense

Two frameworks, one lineage

FedRAMP standardizes cloud security for civilian agencies. The DoD Cloud Computing SRG takes that same baseline and adds defense-specific requirements on top.

FedRAMP

The standard for civilian federal agencies

FedRAMP produces a standardized, reusable authorization package assessed against NIST SP 800-53. Each agency reviews that package and issues its own ATO based on mission and risk tolerance.

DoD CC SRG

The framework for defense cloud security

Governed by DISA, the DoD Cloud Computing SRG applies Impact Levels (IL2, IL4, IL5, IL6) on top of FedRAMP baselines to address DoD-specific data sensitivity and mission requirements.

CUI and Impact Levels

How the DoD measures data sensitivity

Controlled Unclassified Information (CUI) is sensitive government data that is not classified, but still requires protection — export-controlled data, critical infrastructure information, health information, law enforcement data, and mission-related operational data. Impact Levels define how sensitive DoD data is and what protection it requires.

Impact Level 2 (IL2)
  • Low-sensitivity, public or non-critical data
  • Roughly aligned with FedRAMP Moderate
  • Not typically relevant for most SaaS companies
Impact Level 4 (IL4)
  • Primary level for CUI workloads
  • Based on FedRAMP Moderate or High, plus DoD FedRAMP+ controls and CNSSI 1253 overlays, depending on data categorization
  • Supports confidentiality / integrity levels up to MMx or HHx
  • Requires a DISA Provisional Authorization (PA)
Impact Level 5 (IL5)
  • Unclassified National Security Systems and National Security Information (NSS / NSI)
  • Based on FedRAMP High, plus DoD FedRAMP+ controls, CNSSI 1253 overlays, and NSS controls
  • Elevated-protection CUI may also be hosted here when required
  • Requires stronger isolation and access controls than IL4
Layered, not separate

Impact Levels extend FedRAMP. They don't replace it.

The frameworks stack. FedRAMP is the baseline. Impact Levels are a DoD construct applied on top of that baseline to address defense data sensitivity and mission requirements — each level inherits everything below it and adds more.

Quick comparison

FedRAMP vs. IL4 vs. IL5

The same security lineage, escalating by data sensitivity and mission requirements.

                    | FedRAMP             | IL4                                     | IL5
Governing body      | GSA / FedRAMP PMO   | DISA                                    | DISA
Primary use         | Civilian agencies   | DoD CUI workloads                       | DoD NSS / NSI workloads
Security baseline   | NIST SP 800-53      | FedRAMP Moderate or High + DoD overlays | FedRAMP High + DoD overlays
Data type           | Low, Moderate, High | CUI                                     | NSS / NSI (with some elevated CUI)
Authorization       | Agency ATO          | DISA Provisional Authorization          | DISA Provisional Authorization
Typical entry point | Moderate            | IL4                                     | IL5

When do you need each

FedRAMP, IL4, or IL5?

Most companies move through all three over time — FedRAMP for baseline authorization and civilian adoption, IL4 for initial DoD entry, IL5 for deeper defense and national security work.

You need FedRAMP if
  • You're selling to civilian agencies
  • You want broad federal market access
You need IL4 if
  • You're selling to the Department of Defense
  • Your product handles CUI
  • You're entering DoD environments
You need IL5 if
  • You're supporting national security workloads
  • Your system is classified as NSS / NSI
  • Higher isolation and assurance are required

The core challenge

Every framework runs through the same gate

Regardless of framework, to work with the government a company still needs the same three things.

  • An ATO (Authority to Operate)
  • A sponsoring or authorizing authority
  • A fully compliant environment

The traditional DIY path

  • 18–36+ months
  • $3M+ cost

Not because companies don't understand the frameworks — but because they must navigate multiple systems and obtain authorization within each.

With Knox

Authorization in 90 days

Knox gives you a single path across FedRAMP and DoD Impact Levels — for roughly 90% less than the DIY route.

  • 16+ inheritable ATOs
  • Top federal and DoD sponsors
  • IL4 support today
  • IL5 in progress

Trusted by top agencies for mission-critical needs
U.S. Department of Homeland Security
Defense Information Systems Agency
U.S. Air Force
U.S. Navy
Defense Counterintelligence and Security Agency
Federal Emergency Management Agency
National Institutes of Health
U.S. Food and Drug Administration
Centers for Medicare and Medicaid Services
U.S. Patent and Trademark Office
Internal Revenue Service
U.S. Department of Housing and Urban Development
U.S. Department of Transportation
Federal Law Enforcement Training Centers

Inherit 16+ ATOs and reach authorization in 90 days.

Frequently asked

FedRAMP & Impact Levels, clarified

The questions vendors ask most when planning across civilian and defense.

No. IL5 builds on FedRAMP High and adds DoD-specific requirements.
No. Additional DoD requirements and authorization are required.
Not always. Many workloads operate at IL4.
Yes. Most companies expanding into DoD environments eventually need both.
The bottom line
FedRAMP enables civilian adoption.
IL4 enables DoD CUI workloads.
IL5 enables national security workloads.

Knox provides a single path across all three.

FedRAMP. IL4. IL5. Handled.

Start selling to the federal government in 90 days. Schedule a briefing to map your path across civilian and defense authorization.