IL5 vs. IL6: What Defense Impact Levels Mean For SaaS Vendors

Written by: 
Team Knox
Published on: 
July 16, 2026

The Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) sorts defense cloud workloads into impact levels that decide which contracts a Software-as-a-Service (SaaS) vendor can bid on.

Impact Level 5 (IL-5) and Impact Level 6 (IL-6) sit at the top of that framework. Vendors often treat them as neighboring rungs on the same ladder, but that view leads to the wrong authorization path. 

While IL-5 authorizes higher-sensitivity unclassified data to be stored on a commercial government cloud, IL-6 authorizes classified data up to SECRET to be stored within a dedicated, cleared, classified-network-only environment. 

Beyond a shared Federal Risk and Authorization Management Program (FedRAMP) High starting point, the two levels diverge across environment, personnel, and network. A vendor should choose IL-5 or IL-6 based on the contract's data class, hosting model, clearance requirements, network path, and authorization sequence.

Key Takeaways

  • Impact levels gate access. IL-5 and IL-6 govern the most sensitive defense data, and the required levels determine whether a vendor can compete.
  • Data classes differ. IL-5 covers higher-sensitivity Controlled Unclassified Information (CUI) and unclassified National Security Systems (NSS); IL-6 covers classified information up to SECRET.
  • IL-6 changes infrastructure. It requires a classified hosting environment, cleared personnel with active SECRET clearances, and isolated classified-network connectivity.
  • FedRAMP High matters. Inheriting that baseline from a pre-authorized boundary is the most practical way to reduce the foundation lift before the DoD overlay begins.

DoD Impact Levels Classify Cloud Workloads By Data Sensitivity And Required Safeguards

The CC SRG, developed and maintained by the Defense Information Systems Agency (DISA), defines baseline security requirements for cloud service offerings (CSOs) and DoD Provisional Authorization (PA) decisions. DoD impact levels are tiers that classify cloud systems and data by the damage potential from unauthorized disclosure, modification, or destruction, and each level prescribes the safeguards a cloud service must meet to host that data.

The current mission-owner guidance focuses commercial Cloud Service Providers (CSPs) on four impact levels:

  • IL-2. Covers non-controlled unclassified information at a FedRAMP Moderate baseline.
  • IL-4. Covers CUI that requires protection against unauthorized disclosure.
  • IL-5. Covers higher-sensitivity CUI and unclassified NSS, with additional overlays on FedRAMP High.
  • IL-6. Covers classified information up to SECRET inside a dedicated classified environment.

FedRAMP is the mandatory minimum security baseline for DoD cloud services, and IL-5 and IL-6 both build on the FedRAMP High baseline. Once the baseline is set, the practical question is which data class the workload carries.

IL-5 And IL-6 Authorize Different Classes Of Defense Data

The data class is the dividing line: IL-5 authorizes unclassified information, including information with national security weight, and IL-6 authorizes classified information. SECRET is a U.S. government classification level applied to information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security, and it requires personnel clearances, cleared facilities, and isolated networks to handle.

The DoD Cloud Security Playbook directly summarizes the distinction: IL-4 or IL-5 applies to sensitive non-classified data and systems, while IL-6 applies to SECRET data and systems. That distinction sets the requirements for hosting, personnel, network, and assessment authority that follow.

IL-5 Covers Higher-Sensitivity Unclassified Information And NSS

IL-5 extends IL-4 protection for unclassified data that carries national security implications, with the parameters below layered on a FedRAMP High baseline.

  • Higher-sensitivity CUI. Covers unclassified data whose unauthorized disclosure could have a serious adverse effect on operations, assets, or individuals.
  • Unclassified NSS. Accommodates NSS and CUI categorizations at High-High-x NSS categorization (H-H-x).
  • Tenant separation. Virtual or logical separation between DoD and federal tenants is sufficient, but physical separation from non-DoD and non-federal tenants is required.
  • FedRAMP baseline. Builds on FedRAMP High plus overlays for High Confidentiality and Integrity, with additional NSS controls layered on top.

Those parameters keep IL-5 within a commercial government cloud footprint, whereas IL-6 shifts the entire stack to classified infrastructure.

IL-6 Covers SECRET Data In Dedicated Classified Infrastructure

IL-6 governs classified workloads, with environment, tenant, and overlay requirements that have no IL-5 equivalent.

  • Classified information up to SECRET. IL-6 permits SECRET-or-below information only.
  • Dedicated classified infrastructure. Data must be stored and processed in facilities approved for classified information, rated at or above the level being processed.
  • Tenant separation. The entire cloud service offering must be dedicated and separate from all other CSP infrastructures, limiting IL-6 to DoD or federal-contracted providers.
  • FedRAMP baseline. Builds on FedRAMP High, High Confidentiality and Integrity overlays, NSS controls, and a classified overlay.

The data class determines where the workload can run and who can touch it.

The Move From IL-5 To IL-6 Changes The Hosting Environment, Personnel, And Network

The SRG states the difference plainly: IL-6 processes mirror those for IL-4 and IL-5, except for facility and personnel clearances. That exception drives the distinction. IL-6 requires a different environmental category with prerequisites that IL-5 workloads never encounter.

IL-6 Requires Hosting In An Accredited Classified Environment

IL-5 can run in commercial government cloud regions, such as AWS GovCloud, Azure Government, Google Assured Workloads, and Oracle Government Cloud, within non-classified physical facilities.

IL-6, instead, requires every physical location hosting IL-6 data to provide dedicated infrastructure approved for processing classified information, which means it cannot be a standard commercial cloud service. In practice, most SaaS vendors must partner with a provider operating an IL-6-authorized classified environment.

IL-6 Personnel Must Hold U.S. Security Clearances

IL-5 restricts personnel access to U.S. citizens, U.S. nationals, or U.S. persons when processing unclassified national security information. IL-6 requires SECRET-level access controls for personnel with system access; the minimum security clearance for system access to the classified network or for unescorted access to the surrounding physical environment is SECRET.

Investigation requirements can increase for critical-sensitive roles. Clearance processing can materially extend a project schedule. The Defense Counterintelligence and Security Agency (DCSA) must also authorize facility clearances in coordination with DISA, a step that has no IL-5 equivalent.

IL-6 Workloads Use Isolated Government Networks

IL-5 workloads can operate outside a classified-network-only enclave. IL-6 workloads require a closed classified enclave: a self-contained environment isolated from the public internet and unclassified government networks. Access runs through private classified network connections or approved methods, and any alternative connectivity must be approved by the DoD CIO. The CSP must also enforce DoD and NSS certificate-based authentication.

The federal authorization sequence carries those operational differences forward: both levels start at FedRAMP High, while IL-6 adds classified prerequisites where IL-5 remains unclassified.

Cost And Timeline Separate The IL-5 Path From The IL-6 Path

The expense and duration of IL-5 sit an order below IL-6 because of the classified-environment requirements. A FedRAMP High authorization can cost upwards of $3.5 million and take 12 to 36 months on the traditional path before the DoD overlay begins. IL-5 adds DoD overlay validation and personnel-access requirements on top of that foundation. IL-6 adds dedicated classified infrastructure, facility clearances, dual-agency validation, and SECRET clearance processing, which can further stretch the schedule.

The right level is the one that matches where you intend to sell, decided against the criteria below:

  • Match the target contract's data class to the level. Classified SECRET data makes IL-6 mandatory. CUI requiring extra protection or unclassified NSS points to IL-5.
  • Weigh the cost and timeline delta against the addressable pipeline. IL-6's classified prerequisites limit SaaS-layer offerings, and the DISA Cyber Exchange list does not enumerate IL-6 SaaS-model offerings with PA status.
  • Account for the FedRAMP High baseline lift. Both paths stall at the same foundation; inheriting controls from a pre-authorized IaaS or PaaS narrows your scope to the SaaS-layer controls you own.

Those criteria all point back to the baseline lift, where most vendors lose time, and the authorization sequence begins.

Reaching IL-5 Or IL-6 Follows A Sequential Authorization Path

Both levels follow the same sequence at the start and diverge only at the final stage, where the IL-6-classified environment costs concentrate. Here’s how to sequence them:

  1. Establish the FedRAMP High baseline. Both IL-5 and IL-6 require FedRAMP High, obtained through an existing agency Authority to Operate (ATO) or the DoD-direct authorization path.
  2. Apply the DoD control overlay from the SRG. The CSP adds DoD FedRAMP+ controls, DISA parameters, and overlays for High Confidentiality and Integrity, as well as a System Security Plan (SSP) Addendum covering DoD-specific implementations.
  3. Obtain DISA PA with Mission Owner sponsorship. A DoD component sponsors the CSO, DISA issues the PA, and a DoD Component AO issues the mission-level Authority to Operate. Continuous monitoring obligations apply.
  4. For IL-6 only, stand-up classified prerequisites. Required elements include a DCSA-authorized facility clearance, cleared personnel, classified-facility accreditation, and a Security Assessment Report jointly validated by DISA and DCSA.

Because the sequence front-loads the same FedRAMP High work, the cost gap between the two paths turns on the classified-environment layer added at the end.

Sequencing The Impact-Level Decision Protects DoD Market Access

Treat the impact-level choice as an early market-access decision. Commit to IL-6 when the contract only ever needed IL-5, and you have funded classified infrastructure and clearance processing for data that never required either. Commit to IL-5 when the work is genuinely classified, and the bid requires IL-6.

The level you authorize is the level you can sell into, and the FedRAMP High baseline work can be reused in future DoD opportunities at that tier. Each agency still reviews the approved security documentation and grants any required authorization.

Knox Systems is a FedRAMP-as-a-Service platform that operates a pre-authorized FedRAMP High boundary, which means SaaS vendors can inherit a substantial portion of required controls from the start and reach the baseline in approximately 90 days at 90% less cost than the traditional path. For a vendor eyeing IL-5, that reduced compliance burden compresses the baseline lift that gates both IL-5 and IL-6. While the DoD overlay still requires Mission Owner sponsorship and level-specific controls, the foundation arrives already built.

Book a meeting to map your target contract's data class to the right impact level and the fastest path to its baseline.

FAQs About IL-5 vs. IL-6

Can A SaaS Vendor Get An IL-6 Authorization Independently?

In practice, most SaaS vendors partner with an IL-6-authorized provider. An independent path requires classified infrastructure, cleared access, and the authorization support needed to operate inside that environment.

Does FedRAMP 20x Speed Up The IL-5 Or IL-6 Path?

FedRAMP 20x targets Low and Moderate authorizations. The FedRAMP High baseline, which underlies both IL-5 and IL-6, remains on the traditional Rev5 path.

Did IL-5 Requirements Change Recently?

Yes. Recent CSP SRG updates made IL-5 require NSS controls. Vendors targeting IL-5 for standard CUI should confirm with their Mission Owner whether IL-4 is actually the correct level.

Who Issues The Authorization At Each Level?

At IL-5, DISA issues the PA. At IL-6, DISA and DCSA jointly validate the Security Assessment Report, with DCSA authorizing the required facility clearances. The sponsoring DoD Mission Owner retains responsibility for its own ATO at both levels.