The DoD Cloud Computing Security Requirements Guide (CC SRG) defines Impact Levels as a way to match cloud environment security controls to the sensitivity of the data being processed. The level required for a given workload is not a choice the contractor makes freely — it is determined by the classification and sensitivity of the data, the systems involved, and the program requirements specified in the contract.

Understanding what each level actually requires — in terms of infrastructure, personnel, oversight, and cost — is essential before a program office commits to a cloud deployment strategy or a contractor begins building out a mission system.

IL2 — Non-Controlled Unclassified Information

IL2 covers publicly releasable information and non-controlled unclassified information: data that does not require protection under law or regulation but still resides in a government or contractor system. The IL2 baseline is FedRAMP Moderate, and DISA grants IL2 Provisional Authorizations largely on reciprocity with an existing FedRAMP Moderate (or High) authorization, so most FedRAMP-authorized commercial SaaS and cloud platforms can be used at IL2.

What IL2 means in practice: standard FedRAMP controls apply, multi-tenant commercial cloud infrastructure is acceptable, and the data involved does not carry handling restrictions. Email collaboration, scheduling, productivity applications, and unclassified program management tools typically operate at IL2. Commercial Microsoft 365, Google Workspace (FedRAMP authorized), and most standard AWS or Azure regions meet IL2 requirements.

The common mistake at IL2: treating it as if it means no security requirements. FedRAMP authorization still mandates access controls, audit logging, incident response, and configuration management. IL2 is the floor, not the absence of a requirement.

IL4 — Controlled Unclassified Information

IL4 covers Controlled Unclassified Information (CUI), the same category CMMC governs on the contractor side. At IL4 the data requires protection under law, regulation, or government-wide policy, but it is not classified. Acquisition-sensitive information, export-controlled technical data, and material still carrying the legacy For Official Use Only (FOUO) marking (now handled as CUI) typically land at IL4.

What IL4 requires beyond IL2: the FedRAMP Moderate baseline plus the DoD-specific FedRAMP+ controls enumerated in the CC SRG; shared infrastructure is still permitted, but with strong logical separation between your tenant and every other tenant; data must be located in the United States or its territories (or in DoD facilities); and cloud service provider personnel with access to the environment must pass a background investigation at the level the CC SRG specifies.

Azure Government and AWS GovCloud (US) are the platforms most programs use for IL4 work. Do not assume a region or service is covered just because of the partition it sits in: the IL4 PA is granted per service and per region, and not every commercial region or service carries one. Check the provider's published PA scope for each service you intend to use. This has real implications for program planning: if your current environment runs on regions or services without an IL4 PA and the contract requires IL4 handling of CUI, a migration is not optional, it is a contractual requirement.

IL5 — Higher-Sensitivity CUI and National Security Systems

IL5 covers higher-sensitivity CUI and National Security Systems (NSS) — systems that, if compromised, could cause significant damage to national security. This includes systems processing information related to intelligence activities, cryptographic systems, command and control of military forces, and weapons or weapons systems.

What IL5 requires beyond IL4: infrastructure dedicated to federal and DoD tenants, physically separated from non-federal (commercial) tenants rather than merely logically separated (logical separation among federal tenants remains acceptable); more stringent personnel security requirements for cloud provider staff with access (US citizenship and additional screening); enhanced monitoring and incident response capabilities; and tighter configuration baselines.

Azure Government (including its DoD-dedicated regions) and AWS GovCloud (US) both have IL5-authorized services, but not every service within those platforms is IL5 authorized. Program offices and contractors have to verify that each specific service in use carries the appropriate authorization before deploying workloads, and re-verify whenever a new service is added to the architecture. This detail has delayed programs: building an IL5 environment on a platform that has IL5-authorized compute but not IL5-authorized storage or database services creates a compliance gap that must be remediated before the system can go live.

A DoD Provisional Authorization (PA) from DISA is required at every impact level, not only at IL5. At IL2 it is granted largely on FedRAMP reciprocity; at IL4 and IL5 DISA assesses the FedRAMP+ controls itself, so the process is separate from FedRAMP, more rigorous, and slower. A PA is also not an Authority to Operate: the mission owner's Authorizing Official still has to issue the ATO for the system built on the authorized service, and that assessment covers the controls the program inherits from the provider as well as the ones it implements itself.

IL6 — Classified Up to SECRET

IL6 covers classified information up to SECRET. At this level, the cloud environment is no longer a commercial or government-community cloud with enhanced controls — it is a classified infrastructure with all the physical, personnel, and operational requirements that classification entails.

What IL6 means in practice: the infrastructure must be physically located in government-controlled or government-approved facilities; all personnel with access must hold at least a Secret clearance with the appropriate access approvals; physical security controls (access control, TEMPEST mitigations, visitor control, classified material handling) apply to the facilities hosting the infrastructure; and the authorization follows DoD and Intelligence Community guidance for classified systems (with a DISA PA at IL6) rather than FedRAMP, which covers only unclassified systems.

Microsoft's Azure Government Secret and Amazon's AWS Secret Region are the two primary IL6-capable commercial cloud platforms. Both operate as physically isolated regions with no connectivity to the commercial internet. Both require government-to-vendor agreements at the program level before a contractor or program office can provision resources. These are not platforms you sign up for; they are platforms you contract for through government channels.

What Air-Gapped Actually Means

Air-gapped is one of the most misused terms in government IT. In a casual conversation, people use it to mean anything from 'not connected to the public internet' to 'physically isolated from all networks.' Those are not the same thing, and the distinction matters when someone is making an accreditation decision or designing a system that has to protect classified or highly sensitive information.

A true air gap means there is no network connection of any kind between the isolated system and any other system or network — not a filtered connection, not a one-way data diode, not a VPN tunnel to a jump server. No wire. No wireless. No optical connection. Data moves in and out only on physical media, through a controlled transfer process, with human handling at each end.

What most people describe as air-gapped in practice is more accurately called network-isolated or cross-domain-controlled: systems that sit on separate network segments with no direct routing to unclassified networks, but which do have controlled mechanisms for data transfer. Cross-domain solutions (CDS), hardware and software systems that enforce one-way or policy-governed data flows between classification levels, are the most common implementation. They are not air gaps. They are controlled interfaces. The distinction matters because a CDS has its own vulnerability surface (it is a deliberate bridge between security domains and is attacked as one), its own accreditation requirements (in DoD the solution must come from the NCDSMO-maintained baseline of approved cross-domain solutions), and its own operational overhead.

True air-gapped systems exist in environments where the consequences of any connection — even a controlled one — are unacceptable. Weapons system control networks, certain intelligence processing systems, and isolated test environments for highly sensitive capabilities are examples. Operating in these environments requires not just the right network architecture but the operational discipline to enforce the gap: no unauthorized media, no personal devices, no exceptions to the transfer procedures, and personnel who understand exactly why those rules exist.
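As an added illustration of the controlled transfer step described above (not code from the original page or from any particular program), here is a minimal manifest-based check for moving files across a true air gap on removable media. The low side enumerates the files, records their SHA-256 hashes, and seals the list with an HMAC under a key shared out of band; the high side refuses media whose manifest does not verify, files not listed in the manifest, files whose hash has changed, and file types outside an allowlist. The allowed suffixes, size cap, key, and sample files are all constructed for the example.

```python
"""Manifest-based check for a media transfer across an air gap.

Added example, not from the original page. The policy constants, the shared
key and the files in run_demo() are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf"}   # assumption: example transfer policy
MAX_BYTES = 50 * 1024 * 1024                   # assumption: example per-file cap


def sha256_file(path: Path) -> str:
    """Stream the file so large payloads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _payload_files(media_root: Path) -> dict[str, Path]:
    """Every regular file on the media except the manifest, keyed by relative path."""
    return {
        p.relative_to(media_root).as_posix(): p
        for p in sorted(media_root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def _mac(entries: dict, key: bytes) -> str:
    # Canonical JSON so the low and high sides MAC exactly the same bytes.
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(media_root: Path, key: bytes) -> dict:
    """Low side: record size and hash of each file and seal the list with an HMAC."""
    entries = {
        rel: {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for rel, p in _payload_files(media_root).items()
    }
    manifest = {"files": entries, "hmac_sha256": _mac(entries, key)}
    (media_root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_media(media_root: Path, key: bytes) -> list[str]:
    """High side: return every policy violation found; an empty list means accept."""
    mpath = media_root / MANIFEST_NAME
    if not mpath.exists():
        return ["no manifest on media"]
    manifest = json.loads(mpath.read_text())
    listed = manifest.get("files", {})
    # If the MAC fails, nothing in the manifest can be trusted: stop here.
    if not hmac.compare_digest(_mac(listed, key), manifest.get("hmac_sha256", "")):
        return ["manifest MAC does not verify"]

    present = _payload_files(media_root)
    problems = [f"{rel}: not in manifest" for rel in present.keys() - listed.keys()]
    problems += [f"{rel}: listed but missing" for rel in listed.keys() - present.keys()]
    for rel in listed.keys() & present.keys():
        p = present[rel]
        if Path(rel).suffix.lower() not in ALLOWED_SUFFIXES:
            problems.append(f"{rel}: file type not allowed")
        if p.stat().st_size > MAX_BYTES:
            problems.append(f"{rel}: exceeds size cap")
        if sha256_file(p) != listed[rel]["sha256"]:
            problems.append(f"{rel}: hash mismatch")
    return sorted(problems)


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: clean media, tampered media, and a disallowed file type."""
    key = b"example-transfer-key-shared-out-of-band"   # assumption, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "reports").mkdir()
        (media / "reports" / "summary.txt").write_text("quarterly summary\n")
        (media / "inventory.csv").write_text("part,qty\nA-1,4\n")
        build_manifest(media, key)
        clean = verify_media(media, key)

        # Tampering after the manifest was sealed: edit one file, add an unlisted binary.
        (media / "inventory.csv").write_text("part,qty\nA-1,4000\n")
        (media / "tool.exe").write_bytes(b"MZ\x90\x00")
        tampered = verify_media(media, key)

        # Low side re-seals with a disallowed type listed; the high side still rejects it.
        (media / "tool.exe").unlink()
        (media / "firmware.bin").write_bytes(b"\x00" * 16)
        build_manifest(media, key)
        policy = verify_media(media, key)
    return {"clean": clean, "tampered": tampered, "policy": policy}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'accepted'}")
```

The HMAC key here stands in for whatever the low-side transfer authority would really use to sign the manifest; what matters is that the high side, not the media, holds the enforcement point, and that it rejects the whole transfer when the manifest cannot be trusted rather than checking files against hashes of unknown provenance. A real procedure would also record who handled the media and when, so the physical chain of custody can be reconstructed alongside the technical one.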

We have built and operated environments at every point on this spectrum. When a program requirement says air-gapped, we ask what they actually mean — and we make sure the implementation matches the intent.
