FedRAMP High vs. Moderate and DoD IL4/IL5
The authorization tiers that determine which cloud services federal agencies — and especially DoD — are permitted to use for sensitive workloads.
FedRAMP (Federal Risk and Authorization Management Program) was established by the December 2011 OMB memorandum "Security Authorization of Information Systems in Cloud Computing Environments" and codified in the FedRAMP Authorization Act, enacted in December 2022 as part of the FY2023 NDAA. It provides a standardized security assessment and authorization framework for cloud services used by federal agencies. Authorization levels map to FIPS 199 impact categories: FedRAMP Low (confidentiality, integrity and availability all rated low), FedRAMP Moderate (the most common baseline, accounting for roughly 80% of FedRAMP authorizations; 323 controls from NIST SP 800-53 Rev. 5) and FedRAMP High (410 Rev. 5 controls, required where a breach could cause severe or catastrophic harm: law enforcement, emergency services, financial systems, health and safety). The 325 and 421 control counts still quoted in many places are the Rev. 4 baselines, not Rev. 5. High authorizations remain a minority of the offerings listed on the FedRAMP Marketplace; consult the Marketplace for current counts rather than relying on a fixed number, since the list changes monthly.
The DoD Cloud Computing Security Requirements Guide (CC SRG) builds on FedRAMP with DoD-specific impact levels. IL2 is equivalent to FedRAMP Moderate and covers public-release information and other non-CUI. IL4 covers Controlled Unclassified Information (CUI); contrary to a common assumption, its starting point is the FedRAMP Moderate baseline, not High, to which the CC SRG adds the DoD "FedRAMP+" controls and control enhancements plus DoD-specific requirements on encryption (FIPS 140-validated cryptography, DoD PKI for authentication), data location (US and its territories) and US-person restrictions on personnel with access to DoD data. IL5 covers higher-sensitivity CUI, mission-critical information and unclassified National Security Systems (NSS) data; it carries the IL4 requirements plus a larger set of FedRAMP+ controls, physical separation of DoD and federal tenants from non-federal tenants, and US-only data location. In practice, IL5-authorized offerings also hold FedRAMP High. IL6 covers classified information up to SECRET and requires a separate classified cloud authorization. AWS GovCloud (US), Azure Government and Google Cloud are the primary commercial IL4/IL5 options; each has a specific authorized-services list that differs from, and typically lags, the commercial regions, so confirm a service appears on the DISA provisional authorization for the target impact level before designing around it.
A critical engineering nuance: a FedRAMP or DISA provisional authorization applies to the CSP's cloud platform, not to workloads running on it. A DoD component or contractor running a CUI application on an IL4-authorized cloud must still obtain its own ATO from the sponsoring authorizing official, and must separately demonstrate that the application's architecture, configuration and operational procedures satisfy the IL4 controls. The platform's controls are inherited; the application-layer controls are not. The CSP's Customer Responsibility Matrix (CRM) documents exactly which controls are fully inherited, which are shared (the CSP covers part and the customer must document the rest), and which are entirely the customer's. Two gaps are easy to miss here: a CRM issued for the CSP's FedRAMP authorization will not mention the DoD FedRAMP+ controls at all, and controls the CRM does not list are the customer's by default. For containerized applications, this means separately addressing the DISA Kubernetes STIG, container image hardening, and network policy controls that the platform does not enforce by default.
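A concrete way to work from the CRM, as an added example that is not code from this page's authors or from any CSP: parse a CRM excerpt, partition the target baseline's controls by responsibility, and flag the two gaps described above (baseline controls the CRM never mentions, and shared or customer controls with no implementation statement yet). The control IDs, CRM rows and implementation statements are constructed sample data, and the CRM column names are assumed, since every CSP formats its matrix differently.

```python
"""Partition a control baseline by responsibility using a CSP Customer
Responsibility Matrix (CRM) and report the gaps a customer must close.

Added illustration with constructed data: the CRM rows, the target
baseline and the implementation statements below are samples, and the
CRM column names 'Control' and 'Responsibility' are an assumption.
"""
import csv
import io
from collections import defaultdict

# Constructed CRM excerpt (real CRMs are spreadsheets; column names assumed).
CRM_CSV = """Control,Responsibility
AC-2,Shared
AC-2(1),Customer
AU-2,Shared
AU-9,Inherited
PE-3,Inherited
SC-7,Shared
SC-13,Inherited
IA-5(1),Customer
"""

# Constructed target baseline: a handful of IDs, not the full High/IL4 set.
# AC-2(13) and SC-28(1) are deliberately absent from the CRM above.
TARGET_BASELINE = {"AC-2", "AC-2(1)", "AU-2", "AU-9", "PE-3", "SC-7", "SC-13",
                   "IA-5(1)", "SC-28(1)", "AC-2(13)"}

# Constructed customer SSP implementation statements keyed by control ID.
CUSTOMER_STATEMENTS = {
    "AC-2": "Accounts provisioned via IdP groups; quarterly access review.",
    "AC-2(1)": "Automated disablement driven by the HR termination feed.",
    "SC-7": "Default-deny Kubernetes NetworkPolicy in every namespace.",
}

VALID_RESPONSIBILITIES = {"Inherited", "Shared", "Customer"}


def parse_crm(text):
    """Return {control_id: responsibility}, rejecting unknown categories."""
    crm = {}
    for row in csv.DictReader(io.StringIO(text)):
        cid = row["Control"].strip()
        resp = row["Responsibility"].strip().title()
        if resp not in VALID_RESPONSIBILITIES:
            raise ValueError(f"{cid}: unrecognised responsibility {resp!r}")
        crm[cid] = resp
    return crm


def analyze(crm, baseline, statements):
    """Partition `baseline` by CRM responsibility and list the gaps.

    Returns a dict with:
      by_responsibility: {'Inherited': [...], 'Shared': [...], 'Customer': [...]}
      not_in_crm: baseline controls the CRM never mentions (for example a
                  CRM from a Moderate authorization used for a High/IL4
                  system, or DoD FedRAMP+ additions); owned by the customer.
      missing_statements: Shared/Customer controls with no SSP text yet.
    """
    by_resp = defaultdict(list)
    not_in_crm = []
    missing = []
    for cid in sorted(baseline):
        resp = crm.get(cid)
        if resp is None:
            not_in_crm.append(cid)
            resp = "Customer"  # nothing to inherit: the customer owns it
        by_resp[resp].append(cid)
        if resp != "Inherited" and cid not in statements:
            missing.append(cid)
    return {
        "by_responsibility": {k: by_resp[k] for k in ("Inherited", "Shared", "Customer")},
        "not_in_crm": not_in_crm,
        "missing_statements": missing,
    }


def report():
    """Run the analysis over the constructed sample data."""
    return analyze(parse_crm(CRM_CSV), TARGET_BASELINE, CUSTOMER_STATEMENTS)


if __name__ == "__main__":
    result = report()
    for category, controls in result["by_responsibility"].items():
        print(f"{category:9s} {', '.join(controls)}")
    print("not in CRM:     ", result["not_in_crm"])
    print("needs statement:", result["missing_statements"])
```

On the sample data this reports AC-2(13) and SC-28(1) as absent from the CRM and therefore customer-owned, and lists AU-2 and IA-5(1) alongside them as controls still lacking an implementation statement. Feeding a real CRM through this kind of check before writing the SSP turns "which controls do we actually own" from a reading exercise into a reproducible artifact that survives CRM revisions.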
We architect IL4/IL5-compliant application stacks on authorized government cloud platforms, beginning with the CSP's Customer Responsibility Matrix to identify precisely which controls require customer implementation and which the platform does not cover at all. We deliver pre-hardened infrastructure-as-code templates for IL4/IL5 environments, implement the DoD-specific encryption and US-person access controls, and produce the boundary-specific SSP documentation required for the component's ATO.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.