DoD Impact Level 5: What SaaS Vendors Need to Know to Operate in IL-5 Environments

Written by: 
Team Knox
Published on: 
July 16, 2026

The Department of Defense (DoD) runs its most sensitive unclassified workloads at Impact Level 5 (IL-5), and the bar for entry is higher than most commercial software-as-a-service (SaaS) vendors expect. For SaaS teams, the process can be demanding enough to become its own compliance and engineering workstream.

Some SaaS teams chasing DoD mission systems treat a Federal Risk and Authorization Management Program (FedRAMP) High authorization as the finish line. That assumption leaves out the DoD-specific requirements that follow.

IL-5 starts with a FedRAMP High baseline and layers on tenant separation, U.S. persons personnel rules, hosting constraints, and a DoD-specific control overlay that reshape architecture, staffing, and network design.

Additional work lies between "FedRAMP High authorized" and "IL-5 ready." IL-5 changes authorization, architecture, staffing, hosting, connectivity, and continuous monitoring, and the FedRAMP foundation remains the single longest pole in the tent.

Key Takeaways

  • IL-5 covers higher-sensitivity data. It covers Controlled Unclassified Information (CUI) and unclassified National Security Systems (NSS), sits above Impact Level 4 (IL-4) in the DoD Cloud Computing Security Requirements Guide, and mandates a FedRAMP High baseline.  
  • IL-5 adds extra requirements. Physical tenant separation, U.S. persons access, DoD-approved hosting regions, and a DoD control overlay sit atop the baseline.  
  • Authorization runs through DISA. It begins with FedRAMP High, applies the IL-5 overlay, completes a Third-Party Assessment Organization (3PAO) assessment, and concludes with a Defense Information Systems Agency (DISA) Provisional Authorization, plus mission owner Authority to Operate (ATO) and Cloud Access Point (CAP) connectivity.  
  • Inherited boundaries reduce work. Building on a boundary that already holds the baseline lets a vendor focus on the IL-5-specific overlay and its own application layer.

DoD Impact Level 5 Authorizes Higher-Sensitivity CUI and Unclassified NSS

IL-5 is the tier of the DoD Cloud Computing Security Requirements Guide (SRG) that governs higher-sensitivity CUI and unclassified NSS. The DoD CIO's IL-5 definition encompasses nonpublic, unclassified NSS data, as well as CUI and other mission data for which unauthorized disclosure could cause serious adverse effects, including information requiring greater protection than IL-4 affords.

In the DoD impact-level framework, IL-5 sits directly above IL-4, which covers standard CUI, and below Impact Level 6 (IL-6), which handles classified information up to Secret. NSS determines the threshold: if a system is officially designated as a National Security System, IL-5 is required.

Committee on National Security Systems (CNSS) Policy 32 clarifies the relationship to FedRAMP: the minimum requirement for all unclassified NSS is equivalent to the FedRAMP High baseline, making FedRAMP High the mandatory floor for any IL-5 cloud service offering.

IL-5 requires FedRAMP High plus the DoD-specific operating model.

IL-5 Layers Tenant Separation, Personnel, and Control Requirements on Top of FedRAMP High

IL-5 begins with a FedRAMP High baseline and adds a defined set of DoD-specific requirements beyond those required for a FedRAMP High authorization. A vendor holding FedRAMP High has cleared the foundation while still needing the IL-5 additions. The additions reshape where the system runs, who touches it, and which controls apply.

  • Federal-only tenancy with physical separation from non-federal tenants. Per SRG Section 5.2.2.3, virtual or logical separation between federal tenants is sufficient, but physical separation from non-DoD and non-federal tenants is required. Commercial or non-federal tenants cannot reside in an IL-5 cloud service offering or share its underlying hardware.  
  • U.S. persons requirement for personnel with access. SRG Section 5.6.2 restricts Cloud Service Provider (CSP) personnel with access to IL-5 data to U.S. citizens, U.S. nationals, or U.S. persons. Foreign persons are excluded from such access.  
  • Hosting within DoD-approved regions. IL-5 hosting is constrained to the U.S., U.S. outlying areas, or DoD on-premises facilities, with off-premises connectivity requirements routed through the Non-classified Internet Protocol Router Network (NIPRNet) via a CAP.  
  • The DoD control and parameter overlay. SRG Section 5.1.2, Table 2 specifies additional controls and control enhancements beyond FedRAMP High for a DoD IL-5 Provisional Authorization (PA). For systems designated NSS, Committee on National Security Systems Instruction (CNSSI) 1253 Appendix D overlays apply on top of that.

Those additions turn IL-5 from a baseline compliance exercise into an architecture, staffing, and hosting decision.

Reaching IL-5 Authorization Follows a Defined Sequence Through DISA

IL-5 authorization moves through a predictable sequence that begins with the FedRAMP baseline and ends with a DISA Provisional Authorization and mission owner authorization. The DISA authorization process covers pre-screening, assessment, validation, authorization, and continuous monitoring.

1. Establish the FedRAMP High Baseline

FedRAMP is the minimum security baseline for all DoD cloud services, and IL-5 cannot be reached using only FedRAMP Moderate. To reach IL-5, the offering must demonstrate FedRAMP High baseline compliance plus the IL-5-specific controls during the IL-5 assessment.

2. Apply the DoD IL-5 Control Overlay

Per SRG Section 5.1.1, a FedRAMP High provisional authorization, supplemented with DoD FedRAMP+ controls and SRG requirements, is used to assess offerings toward an IL-5 PA. Extra considerations and requirements must be assessed and approved before a DoD IL-5 PA can be awarded.

3. Complete a 3PAO Assessment Against the Combined Control Set

Offerings seeking IL-5 are assessed against the additional controls and parameters and then submitted to DISA for validation, along with the assessment results.

4. Obtain a DISA Provisional Authorization and a Mission Owner ATO

A DoD component must sponsor the offering, with application through DISA RE2 via the Cloud eMASS instance. The DISA PA pre-qualifies the platform; the component mission owner's Authority to Operate authorizes a specific mission owner's use of it.

5. Establish Connectivity Through a CAP

A Boundary Cloud Access Point (BCAP) connects IL-5 workloads to NIPRNet. The DoD CAP requirement routes sensitive cloud services through a CAP provided by DISA or another DoD Component. DISA activates the connection only after a mission owner receives a Cloud Permission to Connect.

Each step depends on the one before it, which is why the FedRAMP foundation governs the overall IL-5 timeline.

Operating in an IL-5 Environment Imposes Ongoing Connectivity, Monitoring, and Access Constraints

Authorization is the entry point. Running a system at IL-5 entails ongoing obligations that differ from those in a standard FedRAMP environment, and these constraints shape the product's architecture and operations indefinitely.

  • Connectivity through a CAP: All DoD traffic to and from off-premises IL-5 infrastructure must traverse a NIPRNet BCAP. Because DISA BCAP locations are housed in a handful of Equinix facilities, this constraint directly affects latency and network design.  
  • Continuous monitoring against the full IL-5 control set: Standard FedRAMP continuous monitoring sets the floor, with recurring Plans of Action and Milestones (POA\&M), inventory, and vulnerability scan submissions. On top of that, teams monitor the DoD FedRAMP+ controls and any CNSSI 1253 overlays.  
  • Ongoing personnel and access management under the U.S. persons rule: Every individual with privileged access must remain a U.S. person, enforced contractually and verified through CSP personnel security processes. Termination and access-revocation workflows must be designed for the stricter IL-5 operating model.  
  • Change management within the separated boundary: The underlying hypervisors, storage, and network switches must stay physically severed from non-federal tenants. Any change to the boundary has to preserve that physical separation.

Those ongoing constraints make the choice of boundary material before the IL-5 overlay work begins.

A Shared FedRAMP Boundary Reduces the Foundational Work Required Before IL-5

For greenfield vendors, the FedRAMP High baseline is typically the longest pole in the IL-5 timeline, with traditional paths taking 12 to 36 months and legacy costs reaching upwards of $3.5 million before continuous monitoring begins. The IL-5 overlay sits on top of all that.

Much of the baseline lies outside the application code, in shared boundary responsibilities like physical security, media protection, and infrastructure operations. Greenfield vendors spend a significant portion of their budget recreating documentation and control implementations that have already been validated elsewhere.

Deploying on a pre-authorized FedRAMP boundary lets the application inherit validated foundational controls, leaving the vendor to focus on its application layer and the IL-5-specific overlay it cannot inherit, such as U.S. persons and separation rules.

The question, then, is straightforward: build the FedRAMP High boundary yourself, or inherit one that is already authorized?

Sequencing the FedRAMP Foundation Early Protects the IL-5 Timeline

Because IL-5 depends on the FedRAMP High baseline, every month spent deferring the foundation pushes back the date by which a DoD mission owner can deploy your system and can cause vendors to miss the procurement window the authorization was meant to open.

Knox Systems is a FedRAMP-as-a-Service platform with a pre-authorized boundary that lets SaaS vendors inherit a significant portion of required controls on day one. Knox currently supports FedRAMP Moderate, FedRAMP High, and DISA IL-4, with IL-5 authorization in process and estimated for completion in December 2026. The platform spans AWS, Azure, and GCP and provides continuous monitoring capabilities that would otherwise consume a small compliance team.

Knox is designed to compress FedRAMP authorization to roughly 90 days at approximately 90% lower cost than traditional methods. If DoD mission systems are on your roadmap, book a meeting to map your path to IL-5.

FAQs About Department of Defense Impact Level 5

Is FedRAMP High the Same as IL-5?

No. Treat FedRAMP High as the prerequisite package, not the DoD authorization outcome. The practical gap is the work a vendor must plan after the baseline: overlay assessment, mission sponsorship, and operating constraints that affect deployment.

Which Major Cloud Providers Does DISA List for DoD Cloud Deployments?

DISA's DoD Cloud Infrastructure as Code resources include Microsoft Azure, AWS, GCP, and Oracle Cloud Infrastructure (OCI). For SaaS vendors, the provider list does not settle the application-layer authorization question; the IL-5 boundary, assessment path, and mission owner authorization still determine whether the service can be used.

How Long Does a DISA Provisional Authorization Remain Valid?

A DISA PA is granted for a defined term tied to ongoing continuous monitoring performance, and vendors must sustain control evidence, scan submissions, and overlay compliance throughout that period to keep the authorization current. Lapses in monitoring can put the PA at risk and disrupt downstream mission owner ATOs that depend on it.

What Is the Difference Between a DISA PA and a Mission Owner ATO?

The DISA PA is a platform-level pre-qualification that confirms the offering meets IL-5 requirements, while the mission owner ATO authorizes a specific DoD component to use the offering for a specific mission. A vendor needs both PA eligibility and at least one mission owner ATO to actually run production workloads.

Why Does IL-5 Require a CAP?

Because IL-5 connectivity is part of the authorization path, not a post-deployment network choice. The deployment plan has to account for routing, latency, and Cloud Permission to Connect sequencing before production traffic moves.