TL;DR
- The DoD Cloud Computing Security Requirements Guide (SRG) defines six Impact Levels (IL) for cloud workloads, currently using IL2, IL4, IL5 and IL6 in practice.
- IL5 covers Controlled Unclassified Information (CUI) and National Security Systems below the classified threshold.
- IL6 covers SECRET-classified information and requires hosting on the classified SIPRNet network.
- Both require FedRAMP High as a starting point, with DoD-specific overlays for personnel, physical, and network controls.
The Impact-Level System#
The Defense Information Systems Agency (DISA) publishes the DoD Cloud Computing Security Requirements Guide — universally referred to as the SRG. The current version defines impact levels that map data sensitivity to required cloud-control intensity:
| Level | Data | Network |
|---|---|---|
| IL2 | Public or non-critical mission data. | Internet. |
| IL4 | CUI, non-CUI requiring greater protection, mission-support data. | Internet (with controls) or NIPRNet. |
| IL5 | CUI requiring higher confidentiality / mission-critical data / National Security Systems data. | NIPRNet only; restricted physical / personnel controls. |
| IL6 | Classified information up to SECRET. | SIPRNet (classified network); accredited classified facilities. |
IL5 in Detail#
IL5 is the level where US DoD cloud requirements diverge sharply from civilian FedRAMP. The data category is broadly CUI plus mission-critical and National Security Systems below SECRET, and the controls go beyond FedRAMP High in several areas:
- US-citizens-only operations — personnel with privileged access must be US citizens.
- Dedicated cloud infrastructure — typically physically separated from commercial customers, at minimum logically separated with DoD-only personnel touching the underlying systems.
- CAC / PIV-based authentication for privileged access.
- Mandatory boundary on NIPRNet, not the public internet.
- Cleared cyber-defence operations centre with DoD reporting integration.
IL6 in Detail#
IL6 is for SECRET-classified workloads. It requires the cloud service to operate on SIPRNet, the US DoD classified network, from inside accredited classified facilities with cleared personnel.
There are only a handful of IL6 cloud offerings globally. Hyperscaler IL6 regions are physically separate facilities, isolated from commercial cloud regions and from IL5 environments.
IL6 is materially different from IL5. The personnel-clearance, facility-accreditation and network-connection requirements are very specific to US DoD classified operations. A provider authorised for IL5 cannot host IL6 workloads without separate authorisation and infrastructure.
Relationship to UK Defence#
UK Ministry of Defence does not use IL5/IL6 — it uses its own classification (OFFICIAL / SECRET / TOP SECRET) and accreditation regimes including the MOD Cloud (MODCloud) framework and historic MoD List X arrangements for industry. The two systems do not formally map, but the practical security posture for IL5 / OFFICIAL-SENSITIVE is broadly comparable.
Where Yobitel Sits#
Yobitel does not pursue IL5/IL6 authorisation directly. UK-headquartered providers are structurally constrained from US-citizens-only operations. Customers requiring IL5/IL6 hosting are referred to partner cloud regions; Yobibyte and InferenceBench are available as workload software inside customer-owned IL5/IL6 boundaries via partner deployments.
References
- DoD Cloud Computing Security Requirements Guide · DISA
- DoD CIO — Cloud · US DoD
- FedRAMP — High baseline · FedRAMP PMO