Do I Need a DoD Impact Level 4 (IL4) Solution?

As the Department of Defense (DoD) is deploying new technology to achieve its strategic management priorities, mission owners are looking to identify Cloud Service Providers (CSP) that have Cloud Service Offerings (CSO) that meet the requirements outlined in the DoD Cloud Computing SRG (CC SRG).

Are you seeking information on Impact Level 4 (IL4) CSOs and how they can help you deliver security, accuracy and convenience in mission-critical workflows? This post answers common IL4 questions to help get you on the path to compliance with an end-to-end audit trail.

What is Impact Level 4 (IL4)?

According to the DoD CC SRG, IL4 accommodates non-public, unclassified data where the unauthorized disclosure of information could be expected to have a severe, adverse effect on organizational operations and assets, or individuals.

This encompasses controlled unclassified information (CUI) or other mission data, including that used in direct support of military or contingency operations. CUI is information the federal government creates or possesses that a law, regulation or government-wide policy requires—or specifically permits—an agency to handle using safeguarding or dissemination controls. This includes For Official Use Only (FOUO), Personally Identifiable Information (PII), Protected Health Information (PHI) or non-CUI data.

It’s important to note that IL4 does not accommodate classified information. This includes information that a non-executive branch entity possesses and maintains in its systems that did not come from an executive branch agency or entity acting for an agency.

IL4 also uses the IL2 security controls, plus either a CUI-specific tailored set or the FedRAMP High Baseline (HBL).

How is IL4 different from FedRAMP Moderate?

For IL4, the Defense Information Systems Agency (DISA) leverages the FedRAMP authorization and assesses the additional controls and requirements. There are 44 additional security controls in place to achieve and maintain the provisional authorization.

How many controls are in DoD IL4?

Overall, IL4 has 369 controls.

What is the difference between IL2 and IL4?

The primary differences between IL2 and IL4 are the security controls in place and the sensitivity of the information. 

IL2 uses the FedRAMP Moderate Baseline (MBL) as the security control. It’s ideal for publicly releasable and non-critical mission data, as well as low-confidentiality unclassified information that is non-CUI. The IL2 CSO can be accessed via the public internet.

IL4 includes all aspects of IL2 and adds either a CUI-specific tailored set or the FedRAMP High Baseline (HBL). The required separation is a limited “public” community, with strong virtual separation between tenant systems and information.

What is the difference between IL4 and IL5? 

As with IL2 and IL4, the primary differences between IL4 and IL5 are the security controls in place and the sensitivity of the information.

In addition to CUI, IL5 also encompasses non-public, unclassified National Security System (NSS) data, which includes CUI and other mission data that may require a higher level of protection than that afforded by IL4—as deemed necessary by the information owner, public law or other government regulation. This includes non-public, unclassified data where the unauthorized disclosure of information could seriously and adversely affect organizational operations, organizational assets or individuals.

IL5 also supports unclassified NSSs due to the inclusion of NSS-specific requirements in the FedRAMP+ C/CEs. Therefore, NSS must be implemented at IL5.

When does it make sense to have an IL4 solution?

According to the DoD CC SRG, DoD mission owners must categorize mission information systems in accordance with DoDI 8510.01 and CNSSI 1253 and then identify the cloud information impact level that most closely aligns with the defined categorization and information sensitivity.

IL4 is required if you’re processing information in one of the CUI categories, including military personnel information in HR forms, health records, system access forms, etc.

Where can I find DoD-approved CSOs?

Individuals can access the list of CSPs that have been approved as IL4, IL5 and IL6 CSOs on the DISA Storefront. As of January 2023, there are over 41 CSPs that have achieved a DoD Impact Level, including DocuSign.

Bringing it all together with DocuSign

As you start your journey toward implementing a CSO that can securely modernize your current processes, this post can help determine if you need a DoD IL4 solution.

As a CSP, DocuSign can get you on this path with our provisional authorization for two CSOs for DocuSign eSignature and DocuSign CLM. We’ve successfully maintained the authorization and worked alongside mission owners to implement the IL4 solution into mission-critical processes and workflows.

Whether it’s a digital hand receipt for specialized equipment, a medical request form that can be filled out on a mobile device, or a streamlined approach to in-processing, DocuSign can help break down data silos, streamline workflows and deliver better service member experiences.

As a result, the value delivered by our integrated solutions helps service branches, defense agencies and combatant commands achieve top mission-critical DoD priorities.

Contact our sales team to learn more about DocuSign’s IL4 solutions.