Differences between Impact Levels 4 and 5—Take 2

The Defense Information Systems Agency (DISA) defines four Impact Levels (IL2, IL4, IL5 and IL6). Impact Levels 1-3 were combined into IL2, which covers information approved for public release. Impact Level 4 accommodates DoD controlled unclassified information (CUI); IL5 accommodates DoD CUI and National Security Systems; Impact Level 6 accommodates DoD information up to Secret. DISA identifies key security requirements for each impact level: Information Sensitivity, Security Controls, Location, Off-Premises Connectivity, Separation, and Personnel Requirements, as referenced and defined in the DoD Cloud Computing Security Requirements Guide (SRG).


The above table, published by DISA, captures most of the key considerations.


DISA Key Security Requirements Summary


Requirement 1: Information Sensitivity


Impact Level 4 data is controlled unclassified information (CUI) that may include data subject to export control, privacy information, protected health information and other data requiring explicit CUI designation (e.g., For Official Use Only, Law Enforcement Sensitive, Sensitive Security Information).

Impact Level 5 data includes "controlled, unclassified information (CUI) that requires a higher level of protection as deemed necessary by the information owner, public law or government regulation," as defined by Azure Government, the first commercial cloud service awarded an Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency: https://devblogs.microsoft.com/azuregov/azure-dod-regions-accredited-at-impact-level-5-and-now-generally-available/

The impact of unclassified information is easily overlooked and dismissed as unimportant, which is the reason for using Impact Levels 4 and 5. The CUI Registry lists 20 controlled unclassified index groupings and their associated controlled unclassified information categories:

  1. Critical Infrastructure: Ammonium Nitrate, Chemical-terrorism Vulnerability Information, Critical Energy Infrastructure Information, Emergency Management, General Critical Infrastructure Information, Information Systems Vulnerability Information, Physical Security, Protected Critical Infrastructure Information, SAFETY Act Information, Toxic Substances, Water Assessments

  2. Defense: Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information - Defense

  3. Export Control: Export Controlled, Export Controlled Research

  4. Financial: Bank Secrecy, Budget, Comptroller General, Consumer Complaint Information, Electronic Funds Transfer, Federal Housing Finance Non-Public Information, Financial Supervision Information, General Financial Information, International Financial Institutions, Mergers, Net Worth, Retirement

  5. Immigration: Asylee, Battered Spouse or Child, Permanent Resident Status, Status Adjustment, Temporary Protected Status, Victims of Human Trafficking, Visas

  6. Intelligence: Agriculture, Foreign Intelligence Surveillance Act, Foreign Intelligence Surveillance Act Business Records, General Intelligence, Geodetic Product Information, Intelligence Financial Records, Internal Data, Operations Security

  7. International Agreements: International Agreement Information

  8. Law Enforcement: Accident Investigation, Campaign Funds, Committed Person, Communications, Controlled Substances, Criminal History Records Information, DNA, General Law Enforcement, Informant, Investigation, Juvenile, Law Enforcement Financial Records, National Security Letter, Pen Register/Trap & Trace, Reward, Sex Crime Victim, Terrorist Screening, Whistleblower Identity

  9. Legal: Administrative Proceedings, Child Pornography, Child Victim/Witness, Collective Bargaining, Federal Grand Jury, Legal Privilege, Legislative Materials, Presentence Report, Prior Arrest, Protective Order, Victim, Witness Protection

  10. Natural and Cultural Resources: Archaeological Resources, Historic Properties, National Park System Resources

  11. North Atlantic Treaty Organization (NATO): NATO Restricted, NATO Unclassified

  12. Nuclear: General Nuclear, Nuclear Recommendation Material, Nuclear Security-Related Information, Safeguards Information, Unclassified Controlled Nuclear Information - Energy

  13. Patent: Patent Applications, Inventions, Secrecy Orders

  14. Privacy: Contract Use, Death Records, General Privacy, Genetic Information, Health Information, Inspector General Protected, Military Personnel Records, Personnel Records, Student Records

  15. Procurement and Acquisition: General Procurement and Acquisition, Small Business Research and Technology, Source Selection

  16. Proprietary Business Information: Entity Registration Information, General Proprietary Business Information, Ocean Common Carrier and Marine Terminal Operator Agreements, Ocean Common Carrier Service Contracts, Proprietary Manufacturer, Proprietary Postal

  17. Provisional: Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information - Homeland, International Agreement Information - Homeland, Operations Security Information, Personnel Security Information, Physical Security - Homeland, Privacy Information, Sensitive Personally Identifiable Information

  18. Statistical: Investment Survey, Pesticide Producer Survey, Statistical Information, US Census

  19. Tax: Federal Taxpayer Information, Tax Convention, Taxpayer Advocate Information, Written Determinations

  20. Transportation: Railroad Safety Analysis Records, Sensitive Security Information

https://www.archives.gov/cui/registry/category-list

Requirement 2: Security Controls


Impact Level security controls require an established baseline, not a minimum.


Impact Level 4 incorporates security controls of Level 2 with the addition of a Controlled Unclassified Information-specific tailored set.


Impact Level 5 incorporates the security controls of Level 4 with the addition of a National Security Systems-specific tailored set.

https://csrc.nist.gov/csrc/media/events/cryptographic-key-management-workshop-2014/documents/ckmw2014_session5_ronross.pdf

Requirement 3: Location

Impact Levels 4 and 5 may reside in the US or US outlying areas, or on Department of Defense premises.

Requirement 4: Off-Premises Connectivity

Impact Levels 4 and 5 share the same off-premises connectivity requirement: Non-classified Internet Protocol via Connection Approval (NIPRNet via CAP).

Requirement 5: Separation

Impact Level 4:

  • Virtual / Logical

  • Limited "Public" Community

  • Strong Virtual Separation between Tenant Systems & Information

Impact Level 5:

  • Virtual / Logical

  • Federal Government Community

  • Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems

  • Strong Virtual Separation between Tenant Systems & Information

Requirement 6: Personnel Requirements

There are four personnel requirements, which are the same for Impact Levels 4 and 5.

  • US Persons

  • ADP-1 Single Scope Background Investigation (SSBI)

  • ADP-2 National Agency Check with Law and Credit (NACLC)

  • Non-disclosure agreement (NDA)

Impact Levels 4 and 5 are closely aligned, as both provide controls for protecting Controlled Unclassified Information. Simply stating that IL5 pertains to a level of impact higher than that covered by IL4 does not provide enough of a reference point to articulate the subjects covered and why the extra layer of protection and cost is required. An unofficial guideline is to ask oneself whether the information could create a personal or local impact, which would be covered under IL4, or an organizational/government impact, which would be covered under IL5.

Sources/References

https://www.bing.com/search?q=impact+level+4+and+5+example&form=ANNH02&refig=42e256dbe8c64d7c9b49512ce72101c8

https://devblogs.microsoft.com/azuregov/azure-dod-regions-accredited-at-impact-level-5-and-now-generally-available/

https://www.bing.com/search?q=difference+between+il4+and+il5+dod&form=ANNH02&refig=74978529a44b4b4eb89751f34731ea3a&sp=2&qs=SC&pq=differnces+between+il+4&sk=PRES1SC1&sc=8-23&cvid=74978529a44b4b4eb89751f34731ea3a

https://www.mythics.com/about/blog/dod-impact-levels-and-provisional-authorizations

http://cloudcomputingcaucus.org/pdfs/KeynotePresentation_DoD_SRG.pdf#:~:text=%E2%80%A2IL%204%20%3D%20Shared%20or%20dedicated%20with%20strong,or%20Federal%20Government%20community%20clouds%20can%20be%20used

https://azure.microsoft.com/en-us/blog/microsoft-cloud-for-government-extends-leadership-in-compliance/#:~:text=Building%20on%20the%20successful%20FedRAMP%20High%20pilot%20completion%2C,by%20Executive%20Order%2013556%20or%20other%20mission-critical%20data.

https://www.bing.com/search?q=impact+level+5+companies&form=ANNH02&refig=abcbe1d8f3cb435794bc68f8a6734453

https://www.nextgov.com/it-modernization/2019/02/disa-announces-new-impact-level-5-certification/154860/

The other products that meet IL5 requirements are:

  • Amazon Web Services GovCloud

  • General Dynamics Information Technology's milCloud 2.0

  • IBM's SmartCloud for Government

  • IBM's Cloud Managed Services for Government

  • Microsoft Azure DoD

  • Microsoft MS O365 vNext

  • Oracle's Federal Managed Cloud Services

Written by Jules Patterson, Sr. Business Systems Analyst

& Stacey Rhody, Program Manager
