The Defense Information Systems Agency (DISA) defines four Impact Levels (IL2, 4, 5 and 6). Impact Levels 1-3 were combined into IL 2, covering information for public release. Impact Level 4 accommodates DoD controlled unclassified information (CUI); IL 5 accommodates DoD CUI and National Security Systems. Impact Level 6 accommodates DoD information up to Secret. DISA identifies key security requirements for each impact level: Information Sensitivity, Security Controls, Location, Off-Premises Connectivity, Separation, and Personnel Requirements, referenced and defined in the DoD Cloud Computing Security Requirements Guide (SRG).

The above table, published by DISA, captures most of the key considerations.
DISA Key Security Requirements Summary
Requirement 1: Information Sensitivity
Impact Level 4 data is controlled unclassified information (CUI) that may include data subject to export control, privacy information, protected health information and other data requiring explicit CUI designation (e.g. For Official Use Only, Law Enforcement Sensitive, Sensitive Security Information).
Impact Level 5 data includes controlled unclassified information (CUI) that requires a higher level of protection as deemed necessary by the information owner, public law or government regulation, as defined by Azure Government, the first commercial cloud service awarded an Impact Level 5 DoD Provisional Authorization by the Defense Information Systems Agency. https://devblogs.microsoft.com/azuregov/azure-dod-regions-accredited-at-impact-level-5-and-now-generally-available/
The impact of unclassified information may easily be overlooked and deemed unimportant; preventing that is the purpose of using impact levels 4 and 5. There are 20 controlled unclassified information index groupings, listed here with their associated controlled unclassified information categories:
Critical Infrastructure: Ammonium Nitrate, Chemical-terrorism Vulnerability Information, Critical Energy Infrastructure Information, Emergency Management, General Critical Infrastructure Information, Information Systems Vulnerability Information, Physical Security, Protected Critical Infrastructure Information, SAFETY Act Information, Toxic Substances, Water Assessments
Defense: Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information - Defense
Export Control: Export Controlled, Export Controlled Research
Financial: Bank Secrecy, Budget, Comptroller General, Consumer Complaint Information, Electronic Funds Transfer, Federal Housing Finance Non-Public Information, Financial Supervision Information, General Financial Information, International Financial Institutions, Mergers, Net Worth, Retirement
Immigration: Asylee, Battered Spouse or Child, Permanent Resident Status, Status Adjustment, Temporary Protected Status, Victims of Human Trafficking, Visas
Intelligence: Agriculture, Foreign Intelligence Surveillance Act, Foreign Intelligence Surveillance Act Business Records, General Intelligence, Geodetic Product Information, Intelligence Financial Records, Internal Data, Operations Security
International Agreements: International Agreement Information
Law Enforcement: Accident Investigation, Campaign Funds, Committed Person, Communications, Controlled Substances, Criminal History Records Information, DNA, General Law Enforcement, Informant, Investigation, Juvenile, Law Enforcement Financial Records, National Security Letter, Pen Register/Trap & Trace, Reward, Sex Crime Victim, Terrorist Screening, Whistleblower Identity
Legal: Administrative Proceedings, Child Pornography, Child Victim/Witness, Collective Bargaining, Federal Grand Jury, Legal Privilege, Legislative Materials, Presentence Report, Prior Arrest, Protective Order, Victim, Witness Protection
Natural and Cultural Resources: Archaeological Resources, Historic Properties, National Park System Resources
North Atlantic Treaty Organization (NATO): NATO Restricted, NATO Unclassified
Nuclear: General Nuclear, Nuclear Recommendation Material, Nuclear Security-Related Information, Safeguards Information, Unclassified Controlled Nuclear Information - Energy
Patent: Patent Applications, Inventions, Secrecy Orders
Privacy: Contract Use, Death Records, General Privacy, Genetic Information, Health Information, Inspector General Protected, Military Personnel Records, Personnel Records, Student Records
Procurement and Acquisition: General Procurement and Acquisition, Small Business Research and Technology, Source Selection
Proprietary Business Information: Entity Registration Information, General Proprietary Business Information, Ocean Common Carrier and Marine Terminal Operator Agreements, Ocean Common Carrier Service Contracts, Proprietary Manufacturer, Proprietary Postal
Provisional: Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information - Homeland, International Agreement Information - Homeland, Operations Security Information, Personnel Security Information, Physical Security - Homeland, Privacy Information, Sensitive Personally Identifiable Information
Statistical: Investment Survey, Pesticide Producer Survey, Statistical Information, US Census
Tax: Federal Taxpayer Information, Tax Convention, Taxpayer Advocate Information, Written Determinations
Transportation: Railroad Safety Analysis Records, Sensitive Security Information
https://www.archives.gov/cui/registry/category-list
Requirement 2: Security Controls
Impact Level security controls require an established baseline, not a minimum.
Impact Level 4 incorporates security controls of Level 2 with the addition of a Controlled Unclassified Information-specific tailored set.
Impact Level 5 incorporates security controls of Level 4 with the addition of a National Security Systems-specific tailored set.
Requirement 3: Location
Impact Levels 4 and 5 may reside in the US / US outlying areas or on-premises at the Department of Defense.
Requirement 4: Off-Premises Connectivity
The off-premises connectivity requirement is the same for Impact Levels 4 and 5: Non-classified Internet Protocol via Connection Approval (NIPRNet via CAP).
Requirement 5: Separation
Impact Level 4 –
Virtual / Logical
Limited “Public” Community
Strong Virtual Separation between Tenant Systems & Information
Impact Level 5 –
Virtual / Logical
Federal Gov. Community
Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems
Strong Virtual Separation between Tenant Systems & Information
Requirement 6: Personnel Requirements
There are four personnel requirements, which are the same for Impact Levels 4 and 5.
US Persons
ADP-1 Single Scope Background Investigation (SSBI)
ADP-2 National Agency with Law and Credit (NACLC)
Non-disclosure agreement (NDA)
Impact levels 4 and 5 are closely aligned, as they both provide controls for protecting controlled unclassified information. Simply stating that IL5 pertains to a level of impact higher than that covered by IL4 does not provide enough of a reference point to articulate the subjects covered and why the extra layer of protection and cost is required. An unofficial guideline is to ask oneself whether the information could create a personal or local impact, which would be covered under IL4, or an organizational/government impact, which would be covered under IL5.
Sources/References
https://www.mythics.com/about/blog/dod-impact-levels-and-provisional-authorizations
The other products to achieve IL5 requirements are:
Amazon Web Services GovCloud
General Dynamics Information Technology's milCloud 2.0
IBM's SmartCloud for Government
IBM's Cloud Managed Services for Government
Microsoft Azure DoD
Microsoft MS O365 vNext
Oracle's Federal Managed Cloud Services
Written by Jules Patterson, Sr. Business Systems Analyst
& Stacey Rhody, Program Manager