Art Clomera
Vice President, Operations
A race against time: imagine a U.S. medical shipment carrying critical supplies to a hurricane-ravaged region. The data that underpins this complex operation is protected by the Department of Defense’s (DoD) Impact Level 5 (IL5) standards, a stringent set of security requirements designed to safeguard sensitive information from bad actors who could exploit vulnerabilities and jeopardize the delivery.
Deterring ‘catastrophic’ scenarios like this is why we need DoD Impact Level 5 (IL5). However, IL5’s impact extends beyond safeguarding the DLA’s supply chain management. It also protects a wide range of sensitive documents, such as technical manuals, personnel records, and financial data, across various DoD agencies. In an age where information is increasingly valuable and machine learning (ML) and AI, trained on domain-specific data, are becoming more sophisticated, the secure handling of CUI is more critical than ever.
What is DoD IL5?
The DoD’s IL5 plays a crucial role in protecting information systems that process, store, or transmit information that, if compromised, could cause ‘catastrophic harm’ to national security.
The DoD Impact Level system, aligning with FedRAMP controls, was first introduced in the 2015 version of the DoD Cloud Computing Security Requirements Guide.
IL5 compliance is the second-highest level of security control requirements for cloud service providers within the DoD. Developed by the DoD’s IT support provider, DISA, the impact levels rank various levels of information sensitivity based on who should have access to it and what controls should be in place to protect it.
Why IL5 is critical to national security?
- Disruption Prevention: IL5 safeguards data needed to prevent logistical failures, operational delays, or vulnerabilities that could harm missions.
- Protection of R&D: Prevents adversaries from gaining insights into cutting-edge military capabilities, maintaining a technological advantage.
- Safeguarding Partnerships: Ensures secure data exchanges with contractors and partners, protecting sensitive business information.
Note: IL5 doesn’t protect classified information (SECRET, TOP SECRET, etc.). That would fall under IL6. Learn more about FedRAMP, IL5, and the other DoD Impact Levels here.
What information does DoD IL5 protect?
DoD Impact Level 5 is designed for unclassified National Security Systems (NSSs) supporting DoD missions. It is intended for systems and data covering Controlled Unclassified Information (CUI) that require a higher level of protection than IL4. This includes higher-sensitivity CUI, Mission-Critical Information, and NSS. Let’s zoom in on that.
Information Type | Description |
Controlled Unclassified Information (CUI) | Sensitive information that is not classified but requires a higher level of protection than IL4 |
National Security Systems (NSS) | Systems that support DoD missions and involve: intelligence activities, cryptologic activities related to national security, military command and control of military forces, equipment that is an integral part of weapons systems, functions critical to direct fulfillment of military or intelligence missions, or systems that store, process, or communicate classified information |
Export Controlled Information | Information that is subject to export control regulations and requires protection |
Privacy Information | Information related to an individual’s privacy, such as medical records or personnel records |
Protected Health Information | Information related to an individual’s health status, treatment, or payment for healthcare services |
For Official Use Only (FOUO) | Information that is not classified but is for official use only and requires protection |
Sensitive But Unclassified (SBU) | Information that is not classified but requires protection due to its sensitivity |
Law Enforcement Sensitive | Information related to law enforcement activities that require protection |
Technical Blueprints and Schematics | Designs for military equipment, weapons systems, and infrastructure |
Supply Chain Data | Information on the manufacturing, sourcing, and movement of critical defense components or materials |
Proprietary Technologies | Sensitive research and development information owned by DIB companies that may have military applications |
Operational and Tactical Information | Detailed plans and real-time data on unit locations and movements, intelligence reports, analyses of enemy capabilities, tactical observations, communications plans, frequencies, encryption methods, and other sensitive information related to military communications networks |
Research and Development Data | Weapons systems designs, blueprints, prototypes, and testing data of cutting-edge weapons systems, technological advancements, new materials, sensor technologies, and communication systems under development |
Vulnerability Research | Analyses of weaknesses in both adversary and DoD systems |
Nuclear Command and Control Information | Information related to the command and control of nuclear weapons and related systems |
Sensitive Compartmented Information (SCI) | Classified information concerning sensitive intelligence sources, methods, or analytical processes related to critical intelligence activities, counterintelligence operations, and other highly sensitive national security matters |
Critical Military Operations and Plans | Information related to critical military operations and contingency plans, including details on force deployments, strategic objectives, and operational vulnerabilities |
What security controls does DoD IL5 include?
DoD Impact Level 5Security Controls |
|
DoD IL5’s controls create a robust, multi-layered framework that safeguards a wide range of sensitive information. This defense-in-depth approach ensures that if one security measure fails, other controls remain in place to prevent or mitigate potential breaches, maintaining the confidentiality, integrity, and availability of the data and systems that support the DoD’s mission-critical functions.
1. Access control
DoD IL5 emphasizes the importance of strict access control measures to ensure that only authorized individuals can access sensitive information based on their roles and responsibilities. This includes:
- Role-Based Access Control (RBAC): Users are granted access to specific resources based on their defined roles within the organization, following the principle of least privilege.
- Multi-Factor Authentication (MFA): Users must provide at least two distinct forms of identification, such as a password and a physical token or biometric data, to gain access to IL5-protected systems.
- Continuous Monitoring: Access logs are continuously monitored for suspicious activities, and regular access reviews are conducted to ensure that user permissions remain appropriate.
2. Data Encryption
To protect sensitive data from unauthorized disclosure, DoD IL5 requires the use of robust encryption methods such as:
- Data at Rest Encryption: All sensitive data stored on devices or servers must be encrypted using approved algorithms, such as AES-256.
- Data in Transit Encryption: Sensitive data must be encrypted using secure protocols, such as TLS/SSL, when transmitted over networks to prevent interception and tampering.
3. Network security
DoD IL5 mandates robust network security measures to protect against cyber threats, for instance:
- Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): These tools monitor network traffic, identify potential threats, and block unauthorized access attempts.
- Network Segmentation: Networks are divided into separate segments based on data sensitivity levels, with strict access controls enforced between segments.
4. Physical security
DoD IL5 facilities and infrastructure are subject to stringent physical security measures, including perimeter controls, access control systems, surveillance systems, and secure storage areas. For example:
- Secure Facilities: Data centers and server rooms must have strict access controls, such as biometric scanners and security cameras, and be protected against environmental threats like fires and floods.
- Media Handling: Strict procedures for handling, storing, and disposing of physical media containing sensitive data must be followed to prevent data leakage.
5. Incident response and contingency planning
DoD IL5 systems have robust incident response procedures and contingency plans to address potential security breaches, system failures, or other disruptive events, including:
- Incident Response Procedures: Documented procedures for detecting, reporting, and responding to security incidents must be in place, and regular drills must be conducted to ensure readiness.
- Disaster Recovery and Business Continuity: Robust backup and recovery mechanisms, including off-site data storage and failover systems, must be implemented to ensure the availability and integrity of sensitive data during a disruption.
6. Security assessments and audits
DoD IL5 systems are continuously monitored and audited to ensure the effectiveness of security controls and detect potential security incidents or vulnerabilities.
- Periodic vulnerability scans, penetration tests, and security audits are conducted to identify and address potential system weaknesses.
- Continuous Monitoring: Security logs and events are monitored to detect and respond to potential security incidents in real-time.
7. Personnel security
Since human error and malicious intent are significant risks, personnel with access must be vetted and trained to understand and adhere to the security requirements and best practices included in the DoD IL5 framework.
- Background Checks: Thorough screening processes to verify individuals’ identities, trustworthiness, and potential for security risks.
- Security Clearances: Often requires appropriate security clearance levels for individuals, depending on their roles and access needs.
- Security Training: Mandates ongoing training on IL5 requirements, data handling procedures, and how to identify and report potential security incidents.
Beyond red tape, the benefits of DoD IL5 for government agencies
Consider the use case of the U.S. Cyber Command (USCYBERCOM), which is responsible for securing and defending the nation’s cyber infrastructure. By adhering to DoD IL5 standards, the government agency achieves the following:
- Mission-Critical Data Protection: IL5 ensures the security of sensitive information crucial to USCYBERCOM’s operations, such as cyber threat intelligence, defense strategies, and national security communications. This protection is vital for maintaining the integrity and effectiveness of the nation’s cyber defense capabilities.
- Compliance and Risk Mitigation: By meeting IL5 standards, USCYBERCOM aligns with regulatory requirements and establishes robust risk management practices. This proactive approach minimizes the likelihood of cyber breaches and their potential impact on national security.
- Operational Efficiency and Resilience: IL5-compliant systems enable USCYBERCOM to operate efficiently, with streamlined processes for managing and accessing secure information. In a cyber incident, these systems provide the resilience to recover and restore critical operations quickly.
- Secure Collaboration and Innovation: IL5 facilitates secure collaboration between USCYBERCOM, other DoD agencies, and external partners. This trusted environment supports joint initiatives, information sharing, and the development of innovative cyber defense technologies.
- Trust and Reputation: By adhering to IL5, USCYBERCOM reinforces its reputation as a reliable guardian of the nation’s cyber domain. This trust is essential for fostering partnerships and maintaining the confidence of the American public and international allies.
In this example, DoD IL5’s benefits extend beyond compliance, providing USCYBERCOM with controls to bolster mission continuity and defend national cyber infrastructure.
Achieve and maintain DoD IL5 compliance with IPKeys
We understand the complexities of navigating DoD security requirements. From in-depth risk assessments to ongoing monitoring and incident response, we provide the tools, expertise, and ongoing support you need to safeguard your critical assets. Explore our full range of cybersecurity services.
Visit our Cybersecurity and Analytics page to learn how IPKeys can be your trusted partner in achieving DoD IL5 compliance.
Common FAQs
While both IL5 and FedRAMP focus on cybersecurity for sensitive data, they have different scopes and audiences. IL5 is specifically for the Department of Defense to protect unclassified information vital to national security. FedRAMP is a government-wide program focused on cloud service providers, offering standardized security assessments and authorizations.
DoD IL5 is the second-highest level of security for unclassified information, and it is exceeded only by IL6 (which handles information classified as SECRET). Lower impact levels (IL4 and IL2 below) protect less sensitive, though still significant, information with progressively less rigorous security controls.
The DoD IL5 standards are updated or revised as needed to address emerging threats and new vulnerabilities. The NIST SP 800-171 Rev. 3, closely related to DoD IL5, is expected to be released in early 2024, with updates to the assessment guide (NIST SP 800-171A) to follow.
- IL2: Primarily for public and non-sensitive information, requiring basic security measures to protect against unauthorized access.
- IL4: Targets Controlled Unclassified Information (CUI) that necessitates protection from unauthorized disclosure and is applicable to non-federal systems.
- IL5: Designed for CUI that demands a higher level of security, including information that would cause catastrophic harm to national security if released but still unclassified.
- IL6: Reserved for classified information up to the SECRET level, requiring the highest degree of security controls to prevent unauthorized access and protect national security.
The absence of an IL3 indicates that the DoD Impact Levels are not a linear progression but a categorization of different levels of information sensitivity and the required controls to protect it. The impact levels are based on a tiered system that ranks information sensitivity and the required controls to protect it.
