
DoD IL5 Cloud Authorization: Architecture Guide

Updated March 2026 · 7 min read

DoD Impact Level 5 (IL5) is the highest cloud authorization level for unclassified information. It covers National Security Systems (NSS) data — information that may require protection from foreign intelligence collection — and some categories of Controlled Unclassified Information (CUI) that are particularly sensitive.

Building for IL5 requires more than FedRAMP High compliance. DISA's Cloud Computing Security Requirements Guide (CC SRG) adds DoD-specific requirements on top of the FedRAMP High baseline — requirements around physical isolation, US-person access controls, and data sovereignty that shape the entire architecture.

IL5 vs. IL4: Where the Line Is

Understanding the difference between IL4 and IL5 clarifies what additional architecture is required:

IL4: Covers CUI and Personally Identifiable Information (PII). Requires FedRAMP Moderate authorization minimum. Can run on physically isolated (but not NSS-specific) cloud infrastructure. Most DoD CUI workloads land at IL4.

IL5: Covers CUI-High, Controlled NSS data, and Mission Critical DoD data. Requires FedRAMP High authorization minimum. Requires physical separation from non-DoD tenant workloads. Requires US-person access controls — the cloud provider must certify that all individuals with administrative access to the infrastructure are US persons.

The physical isolation and US-person requirements at IL5 effectively require AWS GovCloud (US) or Microsoft Azure Government (DoD regions) rather than commercial cloud.

DISA CC SRG IL5 Requirements Overview

The DISA Cloud Computing Security Requirements Guide defines the authorization requirements for DoD cloud workloads. For IL5, the critical requirements beyond FedRAMP High include:

US-Person Access Controls

All individuals with privileged access to IL5 infrastructure must be US persons (US citizens or Lawful Permanent Residents). This must be enforced contractually with the cloud service provider and verified through the CSP's personnel security processes.

For AWS GovCloud, Amazon certifies that all personnel with administrative access to GovCloud infrastructure are US persons. This CSP-level assurance is required for IL5 authorization.

Physical Isolation

IL5 workloads must be physically separated from non-DoD workloads. In AWS GovCloud, this means dedicated hardware (dedicated tenancy) or isolated account structures where the CSP guarantees physical separation from commercial tenants.

For most IL5 workloads, dedicated instance tenancy on EC2 is the minimum requirement — shared hypervisors with commercial tenants are not acceptable.

# IL5 requirement: Dedicated instance tenancy for compute resources
variable "ami_id" {
  description = "AMI ID for the IL5 workload image"
  type        = string
}

resource "aws_instance" "il5_workload" {
  ami           = var.ami_id
  instance_type = "m5.xlarge"
  tenancy       = "dedicated"  # Required for IL5 physical isolation; "default" shares hypervisors

  tags = {
    Classification = "IL5"
    ImpactLevel    = "5"
  }
}

FedRAMP High Baseline Controls

IL5 requires implementation of all FedRAMP High security controls, which includes the NIST SP 800-53 High baseline. This is a more extensive control set than the Moderate baseline required for IL4:

  • High baseline: ~325 controls across 18 families
  • Moderate baseline: ~261 controls
  • The delta between High and Moderate is primarily in additional controls for System and Communications Protection, Audit and Accountability, and Access Control

Data Sovereignty and Geofencing

IL5 data must remain within the United States, stored on US soil and handled by US persons. AWS GovCloud regions are geographically restricted to the US (us-gov-west-1 in Oregon, us-gov-east-1 in Ohio), and any data replication must stay within these two regions.

The Terraform configuration must prevent cross-region replication to commercial AWS regions. The service control policy (SCP) below denies every API call whose requested region is outside the two GovCloud regions, which blocks replication targets as well as any other out-of-region resource creation:

# SCP to prevent data replication outside GovCloud regions
resource "aws_organizations_policy" "il5_data_sovereignty" {
  name = "il5-data-sovereignty"
  type = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyNonGovCloudRegions"
        Effect    = "Deny"
        Action    = "*"
        Resource  = "*"
        Condition = {
          StringNotLike = {
            "aws:RequestedRegion" = ["us-gov-west-1", "us-gov-east-1"]
          }
        }
      }
    ]
  })
}

The IL5 Reference Architecture

A production IL5 environment requires the following components, all defined in Terraform:

Network layer:

  • VPC with no internet gateway (air-gapped from public internet)
  • AWS PrivateLink for all AWS service access (no public endpoints)
  • Transit Gateway connecting to DoD-approved connectivity (DISA's BCAP or equivalent secure access points)
  • VPC Flow Logs to the audit account

Identity and access:

  • AWS IAM Identity Center federated to CAC/PIV identity provider (required for DoD users)
  • No IAM users in production accounts
  • All service-to-service authentication via IAM roles with OIDC-federated CI/CD
  • Just-in-time access elevation for administrative functions (session-scoped, logged, audited)

Encryption:

  • All data at rest encrypted using FIPS 140-2 validated cryptographic modules (AES-256 with customer-managed KMS keys)
  • All data in transit encrypted with TLS 1.2 minimum (TLS 1.3 preferred)
  • KMS keys in the workload account, with key usage logged and audited

Logging and monitoring:

  • CloudTrail organization trail (all API calls, all regions, log file validation enabled)
  • AWS Config with all required rules enabled and mapped to NIST 800-53 controls
  • Security Hub aggregating all findings across accounts
  • GuardDuty enabled across the organization
  • Log retention: 5 years (online + cold storage)

Dedicated tenancy:

  • EC2 instances on dedicated hardware
  • RDS instances on dedicated hardware where applicable
  • No shared multi-tenant compute for IL5 data processing
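The component list above is a checklist, and a practitioner also wants it enforced before apply. The following is an added example (not code from the article, Rutagon, AWS or DISA) that reads the JSON form of a Terraform plan and flags violations of four of the listed requirements: dedicated tenancy, no IAM users, customer-managed KMS keys on S3 encryption, and a GovCloud provider region. It assumes the standard `terraform show -json` plan layout; SAMPLE_PLAN is a constructed fragment, not a real plan.

```python
# Added example, not from the article or any vendor: walk a `terraform show -json`
# plan and flag resources that break the IL5 reference architecture (dedicated
# tenancy, no IAM users, customer-managed KMS keys, GovCloud-only regions).
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}

def iter_resources(module):
    """Yield every resource in a plan module tree, root module and nested modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def il5_findings(plan):
    """Return (address, reason) pairs for resources that violate an IL5 requirement."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        addr, typ, v = res["address"], res["type"], res.get("values", {})
        if typ == "aws_instance" and v.get("tenancy") != "dedicated":
            findings.append((addr, "EC2 instance not on dedicated tenancy"))
        elif typ == "aws_iam_user":
            findings.append((addr, "IAM user in a production account"))
        elif typ == "aws_s3_bucket_server_side_encryption_configuration":
            for rule in v.get("rule", []):
                for d in rule.get("apply_server_side_encryption_by_default", []):
                    # SSE-S3 (AES256) uses AWS-managed keys; IL5 needs aws:kms plus a CMK id
                    if d.get("sse_algorithm") != "aws:kms" or not d.get("kms_master_key_id"):
                        findings.append((addr, "bucket not using a customer-managed KMS key"))
    # Provider region outside the two GovCloud regions breaks data sovereignty
    for name, cfg in plan.get("configuration", {}).get("provider_config", {}).items():
        region = cfg.get("expressions", {}).get("region", {}).get("constant_value")
        if region not in GOVCLOUD_REGIONS:
            findings.append((f"provider.{name}", f"region {region!r} is outside GovCloud"))
    return findings

SAMPLE_PLAN = {  # constructed plan fragment: one compliant instance, three violations
    "configuration": {"provider_config": {"aws": {
        "expressions": {"region": {"constant_value": "us-gov-west-1"}}}}},
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_instance.il5_workload", "type": "aws_instance", "values": {"tenancy": "dedicated"}},
        {"address": "aws_instance.batch", "type": "aws_instance", "values": {"tenancy": "default"}},
        {"address": "aws_iam_user.deploy", "type": "aws_iam_user", "values": {"name": "deploy"}},
    ], "child_modules": [{"address": "module.data", "resources": [
        {"address": "module.data.aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "values": {"rule": [{"apply_server_side_encryption_by_default": [
             {"sse_algorithm": "AES256", "kms_master_key_id": ""}]}]}}]}]}},
}

if __name__ == "__main__":
    for addr, why in il5_findings(SAMPLE_PLAN):
        print(f"{addr}: {why}")
```

For a real environment, produce the input with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json`, load it with the json module and pass the dict to il5_findings as a CI gate.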

IL5 Authorization Process (PA → DISA)

Achieving IL5 authorization through DISA involves:

  1. FedRAMP High Authorization: If the CSP doesn't already have FedRAMP High, that comes first. AWS GovCloud has FedRAMP High authorization — programs building on GovCloud inherit the CSP authorization.
  2. Package preparation: System Security Plan documenting all 325+ FedRAMP High controls, System Architecture, Data Flow Diagrams, Boundary descriptions.
  3. DISA PA (Provisional Authorization): Submission to DISA for review. DISA's cloud authorization team reviews the package and issues a Provisional Authorization if satisfied.
  4. Program-level ATO: The program's Authorizing Official (AO) grants the program-level ATO, leveraging the DISA PA.

What IL5 Architecture Enables

An IL5-authorized environment lets DoD programs handle the most sensitive unclassified data in cloud infrastructure, supporting mission-critical capabilities that previously required on-premises NIPRNET connections or cumbersome legacy infrastructure.

Programs with IL5 authorization can process sensitive acquisition data, personnel data, and mission-planning data in cloud-native architectures with the scale and agility advantages that cloud provides.


Also see our related work on FedRAMP readiness in cloud architecture and NIST 800-171 cloud implementation.

Frequently Asked Questions

What is DoD Impact Level 5 (IL5)?

DoD Impact Level 5 is the highest cloud authorization level for unclassified DoD information. It covers Controlled NSS (National Security Systems) data, CUI-High, and Mission Critical DoD data. IL5 requires physical separation from non-DoD workloads, US-person access controls from the cloud service provider, and implementation of the full FedRAMP High security control baseline plus DISA CC SRG-specific requirements. IL5 workloads effectively require AWS GovCloud or equivalent DoD-isolated cloud infrastructure.

How is IL5 different from FedRAMP High?

FedRAMP High establishes the baseline security control requirements (~325 NIST 800-53 controls). IL5 adds DoD-specific requirements on top of FedRAMP High: physical isolation from non-DoD commercial tenants, US-person access controls from the cloud provider at the infrastructure level, and DISA Provisional Authorization in addition to the CSP-level FedRAMP authorization. You need both FedRAMP High (from the CSP) and DISA PA (for DoD) to achieve IL5.

What encryption is required for DoD IL5 cloud infrastructure?

IL5 requires FIPS 140-2 validated cryptographic modules for all encryption. In AWS GovCloud, this means: AES-256 encryption for all data at rest using customer-managed KMS keys (AWS-managed keys are not sufficient), TLS 1.2 minimum for all data in transit (TLS 1.3 preferred), and FIPS endpoints for all AWS API calls (GovCloud FIPS endpoints use FIPS 140-2 validated TLS termination). The encryption configuration must be documented in the SSP and verified during the DISA PA process.

Does AWS GovCloud automatically qualify for IL5?

AWS GovCloud has FedRAMP High authorization, which is the CSP-level prerequisite for IL5 workloads. However, the program building on GovCloud still needs to implement the program-level security controls (the 325+ FedRAMP High requirements) and obtain a DISA Provisional Authorization for their specific system. AWS's authorization covers the infrastructure layer; the program is responsible for the application layer and data handling controls. AWS GovCloud's "inheritable" controls from FedRAMP High significantly reduce the program's authorization burden, but don't eliminate it.

What is the DISA Provisional Authorization process timeline?

The DISA Provisional Authorization timeline varies based on system complexity and completeness of the submitted package. Well-prepared packages with mature documentation, complete control implementations, and clear system boundary definitions can achieve PA in 3–6 months. Packages with significant gaps require remediation cycles that extend the timeline. The most common delays come from incomplete data flow documentation, undocumented control implementation, and boundary ambiguities. Starting with a complete and accurate SSP is the most impactful factor in timeline control.