DoD Impact Levels Explained

The Department of Defense (DoD) impact levels classify information systems depending on the potential impact in the event of a cyber attack. To classify impact levels, the Federal Risk and Authorization Management Program (FedRAMP) considers security qualities such as confidentiality, integrity, and availability.

The program uses impact levels to verify that cloud service providers deploy the right data security when providing cloud services to US government agencies. To comply with FedRAMP, a cloud service provider must deploy a baseline set of security measures depending on three impact levels:

• Low
• Medium
• High

By understanding and properly classifying these systems, you can ensure that the necessary security measures are in place to protect your sensitive data and systems. In this article we explain the importance of properly classifying your information systems based on their potential impact and how to ensure that the necessary security measures are in place to protect your sensitive data and systems. 

With extensive experience working with the Department of Defense and FedRAMP, Quzara is well-equipped to guide you through the importance of properly classifying information systems based on their potential impact in the event of a cyber attack. Take advantage of the opportunity to learn from Quzara's expertise and as we explore DoD Impact Levels below.

Is your Data Low, Moderate, or High-Security Impact?

Figuring out which impact levels your cloud service provider should follow is integral to the compliance process. The levels describe the extent of disruption that may occur if a data system gets compromised and the baseline security requirement you should deploy.

Here's a quick summary of each level.

Low Impact Level

A low impact level is a security standard for cloud services when the information system you manage houses publicly available data. The loss of integrity, confidentiality, and data availability would cause the least possible harm to a federal agency's assets, operations, or individuals.

FedRAMP has two security baselines for systems with low-impact data:

• Low baseline
• Low-impact SaaS

The low baseline impact level applies to cloud service providers that handle federal information intended for public use and includes 125 controls. Any data loss at this level cannot compromise the government agency's mission, reputation, finances, or safety.

Conversly, the Low-impact SaaS applies to cloud service providers with low-impact Software-as-a-Service (LI-SaaS) systems. LI-SaaS baseline has fewer security controls — only 38 — and the security documentation is consolidated.

LI-SaaS allows a faster authorization process for low-risk services such as:

• Collaboration tools
• Tools that have developed open-source code
• Project management applications

Moderate Impact Level

The moderate impact level is the cloud security standard for controlled, unclassified information (CUI) across federal government agencies. Cloud Service Providers handling publicly available government data must meet security controls under moderate impact.

A data breach under this level could severely harm the government agency's operation, mission, and assets. A successful attack can also result in financial loss or individual harm. An example of data categorized under moderate impact level is personally identifiable information. 

The moderate-level system has 325 baseline controls. The controls require cloud service providers to deploy automated solutions to support the management of information system accounts. For instance, an email or text message should automatically notify account managers when users are transferred or terminated. The information systems must also monitor account usage.

High Impact Level

High impact level is the cloud security standard to protect the federal government's most sensitive unclassified information in the cloud. High-impact data include information used by:

• Law enforcement
• Healthcare industry
• Emergency services

A cyber attack on cloud service providers housing high-impact data is potentially catastrophic because it can shut down government operations and systems, impede the economy, derail investigations, jeapardize intellectual property and even threaten human life.

Department of Defense (DoD) Impact Levels

The Defense Information System Agency (DISA) has released a DoD cloud computing security requirements guide. DoD impact levels apply a FedRAMP concept by accepting the security work executed during the FedRAMP process but adding specific requirements and security controls.

The DoD Cloud Computing requirements guide defines the security characteristics for each impact level (IL) which include:

• DoD impact level 2 (IL2): Describes security characteristics and requirements for public and non-critical mission information.
• DoD impact level 4 (IL4): Defines security characteristics and requirements for Controlled Unclassified Information (CUI), such as information for official use only, personal health information, personally identifiable information, non-critical mission information, and non-national security systems.
• DoD Impact Level 5 (IL5): Involves highly sensitive information, mission-critical data, and non-national security systems. There is a thin gap between IL5 and IL6 that's only differentiated by the inclusion of non-national security systems.
• DoD Impact Level 6 (IL6): The impact level includes information and information systems classified as secret.

DoD impact levels are excellent in labeling a comprehensive security categorization system. The labels help cloud service providers and managers quickly determine the minimum security measures necessary for handling information systems.

Quzara Can Help You Manage FedRAMP Compliance

Your cloud services offerings must prove through proper documentation that they comply with FedRAMP controls requirements to work with a government agency. ,Documenting and maintaining compliance is challenging with spreadsheets and manual processes.

At Quzara, we can help you classify the type of data your organization is handling and the type of protection the data need so that you can best determine whether you'll need to comply with FedRAMP's high, moderate, or high-security baselines.

Contact us today to help you understand the level of your cloud services and the correlated security categorization.

Featured Image Credit: Gorodenkoff / Shutterstock