DoD Impact Levels (IL) are used to categorize information systems and the information they store and process based on the potential impact in the case the information system or the associated information were to be compromised. The security qualities taken into account when determining DoD ILs include confidentiality, integrity, and availability.
Confidentiality — There is limited access to information.
Integrity — Information is trustworthy and accurate.
Availability — There is reliable access to information by authorized parties.
The Defense Information Systems Agency (DISA) published the Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG) based on the guidance of the Federal Information Systems Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. The DoD CC SRG applies a FedRAMP+ concept by accepting the security work carried out during the FedRAMP process via reciprocity, then adding specific requirements and security controls that meet the special needs of the DoD.
The DoD CC SRG defines the security characteristics for each IL:
- IL2 — IL2 includes Public or Non-Critical Mission Information
- IL4 — IL4 includes Controlled Unclassified Information (CUI) (e.g. For Official Use Only (FOUO), Personally Identifiable Information (PII), and Personal Health Information (PHI)), Non-Critical Mission Information, and Non-National Security Systems (NSS)
- IL5 — IL5 includes higher sensitivity CUI, Mission Critical Information, and NSS. IL5 exists within a narrow category between IL4 and IL6, but it is distinguishable by the inclusion of NSS.
- IL6 — IL6 includes information systems and information classified SECRET
DoD ILs are useful labels for a comprehensive security categorization system. They allow DoD information system owners and managers to quickly identify the security criticality of information systems and their associated information, and determine the minimum security measures necessary for handling that system.