For cloud service providers, an IL5 certification opens the door to more opportunities for securing contracts with government agencies that require cloud services that comply with the highest security standards. For government agencies, the IL5 certification process provides a fast and highly efficient way to find and contract with a CSP. Businesses in the private sector can also benefit by working with CSPs that have achieved an IL5 certification, since this distinction ensures that the provider is committed to delivering the highest levels of security and can better help businesses achieve cyber resilience.
IL5 is a certification by the United States Department of Defense (DoD) that authorizes a cloud service provider (CSP) to store and process some of the DoD’s most sensitive data. The IL5 certification indicates that a CSP has the level of controls, protocols, and technologies to securely handle Controlled Unclassified Information (CUI) that is deemed to be mission critical. The security controls required for IL5 certification are among the strictest in the cloud services industry.
What are DoD Impact Levels?
The U.S. Department of Defense relies on cloud infrastructure and services for sharing information, running defense applications, and providing combat support across a full spectrum of military operations. Because of the constant presence of threats to cloud environments, the DoD requires any CSP that works with DoD data to comply with an array of security requirements and to have certain controls and protections in place.
The DoD uses an “Impact Level” system to classify data according to how sensitive the information is and how damaging it would be if the data were lost, exposed, stolen, or compromised.
In addition to classifying data, Impact Levels enable the DoD to assess the security posture of a specific cloud service offering (CSO) from a CSP. An Impact Level certification provides a shorthand for understanding which CSPs and CSOs can be used for different data security needs.
Impact Level 5, or IL5, is a classification given to unclassified yet highly sensitive and important information. (IL6 is the highest classification and is reserved for information systems and data classified as SECRET.) An IL5 certification enables vendors to store and process Controlled Unclassified Information (CUI), mission-critical information, and National Security Systems information. This includes data that could potentially result in a loss of life, in grave damage to the DoD’s ability to conduct operations, or in catastrophic damage to national security.
What is the difference between Impact Levels?
There are currently four DoD Impact Levels representing different levels of data sensitivity.
- Impact Level 2 (IL2) is for DoD information that has been approved for public release
- Impact Level 4 (IL4) is for DoD Controlled Unclassified Information (CUI)
- Impact Level 5 (IL5) is for DoD CUI and National Security Systems (NSS)
- Impact Level 6 (IL6) is for DoD Classified Information up to SECRET classification
What agency manages IL5 certification?
The Defense Information Systems Agency (DISA) is part of the DoD and is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (CC SRG). This document defines the baseline security requirements for assessing the security posture of a CSO and supports the decision-making process for granting a provisional authorization (PA) to allow a CSP to host DoD missions.
How is FedRAMP related to IL5 certification?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program charged with developing and managing a standardized approach to assessing, authorizing, and continuously monitoring products and services from CSPs. FedRAMP oversees a process of assessment and authorization (including Low, Moderate, and High provisional authorization) that certifies CSPs to work with a variety of federal agencies and to store and process different levels of sensitive information. Any CSP that wants to work with the federal government and its agencies must get a FedRAMP certification. However, businesses that want an IL5 certification must take additional steps and incorporate even stronger security controls.
What type of information requires an IL5 certification?
CSPs must obtain an IL5 certification to work with data that includes:
- CUI that requires a higher level of security than is provided by DoD IL4. This includes information across an array of categories, including information on critical infrastructure, defense, export control, intelligence, law enforcement, financial, nuclear, privacy, and others.
- Information that is part of National Security Systems (NSS). This includes information that is part of intelligence activities, cryptologic activities related to national security, information used in command and control of military forces, information for equipment that is an integral part of weapons systems, and data that enables functions that are critical to direct fulfillment of military or intelligence missions.
What type of security controls are required for IL5 certification?
Achieving an IL5 certification requires a rigorous security assessment and adoption of some of the most stringent physical, logical, and cryptographic isolation controls. These include the controls required to achieve a FedRAMP High authorization along with a number of additional requirements necessary to protect National Security Systems and provide the highest level of security for CUI.
An IL5 certification requires a variety of controls in several categories.
- Infrastructure design and security architecture: CSPs may need to implement network segmentation, intrusion detection systems, robust firewall configurations, and encrypted communication channels.
- Identity and access management controls: Multi-factor authentication (MFA), role-based access controls, and privileged access management help to prevent unauthorized users from accessing critical data and systems.
- Data encryption: To ensure that any exposed information remains unreadable, strong encryption mechanisms are essential for data at rest, in transit, and in use.
- Continuous monitoring: Continuous monitoring using intrusion detection and security information and event management (SIEM) systems helps to uncover and mitigate threats quickly.
- Secure DevOps practices: CSPs can prevent security weaknesses in the development process by adopting secure coding practices and methodologies and by performing regular, automated security tests to identify and address vulnerabilities.
- Updates and patch management: A regular cadence for applying security patches and updating systems is essential. Pen testing and vulnerability assessments can help uncover weaknesses that may be exploited by attackers.
- Documentation and reporting: CSPs must provide comprehensive documentation of their security controls and compliance efforts, including detailed records concerning policies, procedures, and audits.
- Third-party risk management: Third-party risk assessments are crucial to identifying security gaps and preventing threats that may arise within an organization’s supply chain.
Frequently Asked Questions (FAQ)
IL5 certification is essential for companies that want to support workloads for U.S. public sector customers.
FedRAMP certifications and the DoD Impact Levels are both involved in assessing the security capabilities of cloud products and services, but these authorizations are different in scope and focus. FedRAMP is a government-wide program designed to ensure the security of cloud-based systems that store and process government data, and FedRAMP certification is the minimum security baseline for all DoD cloud services. Impact Levels are specific to cybersecurity standards required by the DoD to protect mission-critical assessments.