One of the core pillars of the security perspective adopted by the Department of Defense is the so-called Zero Trust strategy. This strategy is the adaptation to evolving threats in the world, many of which prey on the presumption of trust from accounts and individuals that can be compromised.
To protect controlled unclassified information and other sensitive data, the presumption of zero trust is necessary to eliminate many common threats. At the same time, it puts more of a burden on cloud service providers, contractors, and others within the defense ecosystem. Adhering to the security controls relevant at each impact level is mandatory, but can be quite difficult, especially at the higher tiers.
BLUF - Bottom Line Up Front
Zero Trust is core to DoD security: assume no trust for accounts and users to protect controlled unclassified information. DoD impact levels run IL2 to IL6; private firms need IL4 or IL5. Authorization requires a DoD sponsor, narrow system scope, FedRAMP path, NIST-based controls, full documentation (SSP, policies, diagrams, continuous audit, POA&Ms), 3PAO review, and DISA approval. Common failures: broad or unclear scope, incomplete SSP, weak logs, no change control.
In Brief: DoD Impact Levels Explained
Before we dig in, it’s worth reviewing the DoD impact levels. The DoD maintains its own information security framework, controlled by the Defense Information Systems Agency (DISA), that operates in a similar way to frameworks like FedRAMP and CMMC. It evaluates security across the categories of confidentiality, integrity, and availability.
The DoD impact levels range from level 1 to level 6, except that levels 1 and 3 don’t actually exist. Level 1 was too lax in security for something as sensitive as the Department of Defense, while Level 3 was in an awkward middle ground that wasn’t quite as high-security as something like FedRAMP High, but had higher requirements than FedRAMP Moderate, so it proved to be not very useful.
Impact Level 2 is the equivalent of a Low baseline in other frameworks; it is the minimum necessary to participate in the ecosystem today. Level 4 is somewhere close to, but not quite as strict as, a High baseline from other frameworks. Level 5 is where more significant security is included, above and beyond a High baseline in other frameworks. It’s also the minimum required of a contractor or service provider if they are going to handle national security information. Impact Level 6 is the strongest available level in the DISA framework, and actually opens the door to handling classified and SECRET information.
Since we’re primarily concerned with private businesses looking to work as part of the DoD ecosystem, we’re mostly talking about IL 4 and IL 5 today. If you want a more thorough rundown of all of these levels, we have a resource here.
Do You Need DoD IL4 or IL5?
Increasingly, the answer may be yes.
As the DoD pushes more and more towards Zero Trust, the minimum standard to participate in the defense ecosystem is increasing. When the required implementation of security controls is already above baseline, reaching just a little further for the next tier up makes more sense. It opens more doors, enhances security, and assures stronger operations.
Broadly, IL4 is necessary for any organization that wants to support DoD operations, handle CUI above and beyond the basic information security present in frameworks like FedRAMP, and become an integral part of operations.
The difference between IL4 and IL5 is surprisingly minor in definitional terms, but it’s significant in the details. IL4 and IL5 have similar sets of security controls and requirements, but at IL5 the attention paid to their implementation is greater and the minimum thresholds are higher. It’s more sensitive, stricter, and more closely monitored.
The DoD has reciprocity with FedRAMP; FedRAMP Moderate is equivalent to DoD IL2. For IL4 or IL5, service providers will need to meet new, higher standards and undergo another 3PAO assessment.
Process and Milestones for High Impact Level Authorization
If you determine that your organization should seek IL4 or IL5 authorization, you have a lot of work ahead of you. Fortunately, the process is rather well outlined and understood. It’s complex, time-consuming, expensive, and strict, but that’s all necessary for operations within the DoD ecosystem.
Obtaining Sponsorship
The first thing you need to do to work with the DoD is find a component of the DoD willing to work with you.
Having a government sponsor is an integral part of working with the government for most of their frameworks. For the DoD specifically, you need a mission owner or component sponsor to support your addition to the DoD ecosystem.
Scoping and Impact Assessment
Working with a sponsor will determine what kinds of services you provide to the government. Since your sponsor will be a part of the DoD, they will have a specific mission or component in mind to use your services. That means they already know, roughly, what kinds of information you would be handling, and how.
Working with that sponsor will help you determine scoping within your business and determine whether IL4 or IL5 is more appropriate. The more sensitive the information you’ll be handling, the higher the impact level you’ll need to reach.
Identifying an Authorization Path
The authorization path is the route you take through the provisional authorization process. Often, this begins with FedRAMP, either at a Moderate or High baseline. DoD-specific security add-ons are put on top. Component-level authorizations are also included. All of this is determined by your chosen impact level and the scoping work you’ve put into your systems.
One important part of this process and milestone is keeping your system scopes as limited as possible. Because of the work and associated expense of implementing security at a high impact level, it’s valuable to minimize the number of systems that need to be secured at that level. The more segmented and isolated your systems can be, the less work you’ll have ahead of you.
Implementation of Security Controls
Once you know the standards you need to reach, it’s time to put the theory into practice. Like FedRAMP, the security controls are based on NIST documents like NIST SP 800-53 or NIST SP 800-37, as well as FISMA. Much of it is similar to other security frameworks as well, though specific details may be relevant only to DoD security.
It’s worth noting that none of the security controls are hidden or private information. You’re fully capable of starting work on implementing these controls before you’ve even talked to potential DoD sponsors. In fact, being proactive about implementing security at your intended or ideal impact level can be a point in your favor in winning them over.
Compiling Documentation
To a 3PAO, security only counts if you can prove it exists, and that’s what documentation is for. In addition to all of the usual configurations, validation reports, audit logs, and other details, you’ll need to compile the core critical documents required for your authorization.
These include:
- Your system security plan. The SSP is the core guiding document that outlines everything about your security and your systems, and serves as a guidebook for both your implementation and the audits and assessments you’ll undergo.
- Your policies and procedures. All of your various company policies and security procedures will need to be documented and outlined in accordance with the security controls and impact level you’re trying to reach.
- Your system architecture diagrams. In order to ensure that your systems are properly secured, maps of those systems and the flow of information through them will need to be developed. This is part of scoping and implementation, and ensures that you’re securing the minimum necessary systems.
- Your continuous monitoring strategy. The core of any security program is keeping it up to date, watching for signs of threats, intrusions, or compromise, and being attentive to even the smallest drift in compliance. Having a documented and viable strategy helps prove not just existing security, but ongoing security.
- Your POA&Ms. If you undergo an initial assessment and you are found lacking in certain areas (and you almost certainly will), you will need to use Plans of Action and Milestones documents to track your progress in remedying those deficiencies.
This is one area where we at Ignyte can help. We built the Ignyte Assurance Platform as a centralized tool for tracking, monitoring, automating, and managing risks, documentation, and compliance across a wide range of security standards. You can see how it all works by booking a demo; it can certainly assist with achieving your initial DoD authorization, as well as monitoring your security status beyond the assessments.
3PAO Assessment
The next major milestone is the assessment to validate your security. This is where you contact a valid DoD-authorized third-party assessment organization to evaluate and assess your security.
This 3PAO will go through and validate your security controls, will seek out evidence of compliance, and will do deep dives into different aspects of your systems and architecture to check for even the smallest details. While they won’t necessarily check every single control, their sample will be representative.
Additionally, the assessment will include interviews with personnel ranging from stakeholders to everyday employees who will work within the boundary and, consequently, will be beholden to training and policy that guides their behavior.
If you’ve already undergone an assessment for FedRAMP or another security framework, you have some idea of what to expect. DoD assessments are generally stricter, especially at IL4 and IL5. They emphasize a clear boundary for secured systems, detailed and comprehensive logging, aggressive and proactive monitoring, and access enforcement based on role.
Assessment results are delivered by the 3PAO to DISA itself, which will serve as the validating authority on the results and will make the final determination.
Authorization, or Not
Once your assessment is complete and the results are sent to DISA, they will make the final decision as to whether or not you pass. If you pass, great! You can begin work with the DoD operation that sponsored you. You can also be listed in the DISA marketplace for high-authorization service providers, a relatively exclusive list. Continuous monitoring must continue after authorization.
If you don’t pass the assessment, you will either be given the opportunity to implement POA&Ms to achieve compliance or be told to address the issues and try again. Many organizations can expect to stumble once or twice on this process, since the standards are so high.
The most common causes for a failure at this point include:
- Overly broad system boundaries. If you’re trying to secure much more of your business than is necessary, you’re doing a lot of work and, more importantly, broadening your threat surface, for no tangible benefit. An enclave strategy is a must.
- Unclear system boundaries. In order to be able to claim security, you need to have tight control over your systems and know which aspects of which systems are within your scope, versus which are not.
- Incomplete SSPs. The SSP is an incredibly comprehensive document, but it’s also one that your 3PAO will be looking at with intense scrutiny. Leaving anything out of it or leaving it inconsistent or incomplete will be a critical failure.
- Failure to comply with DoD overlay requirements. Many organizations go into an IL4 or IL5 push as if it’s FedRAMP High, which underestimates how much they’ll need to do. Don’t underestimate the scale of your undertaking.
- Poor logging and monitoring. Ongoing logging, auditing of those logs, and monitoring of your systems are critical to maintain security beyond an audit. If your logging isn’t handled properly, it risks leaving routes for intrusion that go undetected.
- Missing change control processes. Change control is an important part of iterative security while staying within compliance. Your process needs to be developed and repeatable for the easiest compliance process.
The good news is, despite all of this, there are many avenues to successful high-impact level authorizations, many of which make use of a tight scope and aggressive automation to take the guesswork (and potential for mistakes) out of your hands.
Meanwhile, our assurance platform can also help by providing a centralized source of authority for your documentation and your compliance efforts. From tracking your implementation to gathering proof, the Ignyte Assurance Platform is in your corner. Just reach out to get started and see what we can do for you.
Working with the Department of Defense at a high impact level is a high bar to clear, but it’s entirely doable with the right tools and experts on your side.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.