Insight by Zscaler

Achieving ‘the most trusted capability’ for cloud service providers: DoD Impact Level 5

This content is sponsored by Zscaler.

The Federal Risk and Authorization Management Program (FedRAMP) has been the gold standard for cloud products and services used by federal agencies for many years. Its “evaluate once and use often” approach enforces continuous monitoring and evaluation, along with reporting requirements that are essential in today’s threat landscape. Any cloud service provider that wants to do business with the federal government needs to get FedRAMP certified first. But companies that want to do business with the Defense Department have to go a step further. That’s where the Defense Information Systems Agency’s Impact Level certifications come into play.

FedRAMP Moderate aligns with DoD Impact Level 2, and FedRAMP High covers 521 of the security and privacy controls in the National Institute of Standards and Technology’s Special Publication 800-53. IL 4 and IL 5 go a step further in order to meet the DoD’s unique security requirements. IL 5 specifically adds 11 NIST 800-53 requirements above and beyond FedRAMP High, as well as 18 DoD general requirements.

“The reason is Impact Level 5 authorizes that cloud service to store and process data that’s considered at the very highest level of unclassified but controlled level,” said Patrick Perry, director of federal emerging technical solutions at Zscaler, a cloud service provider that recently achieved IL 5 certification. “So a lot of people will talk about the term called CUI, which is controlled unclassified information. This is the level above things like personal identifying information and other unclassified but close-hold information. Impact Level 5 now allows the cloud service to process data that includes mission support information, national security services information and other very highly controlled unclassified information, but not classified.”

Perry said there are two scenarios for getting IL 5 certified. The first applies when a company has already been authorized at the FedRAMP High level by the Joint Authorization Board, which consists of the General Services Administration and the departments of Defense and Homeland Security. If that company then wants IL 5 certification on top of that, it goes through what’s known as an uplift. DoD runs its own assessments at that point, and the cloud service provider may have to adjust its Plan of Action and Milestones (POAM), the corrective action plan used to track and schedule the resolution of information security weaknesses, in line with the DoD’s Readiness Assessment Report (RAR).

And that can be a lengthy process, depending on the DoD’s backlog. Perry said it’s not unusual for it to take around a year, even if an organization is already FedRAMP High certified.

“This is actually very akin to the FedRAMP system right now because of their saturation rate; obviously, between the pandemic and a huge push for every cloud service to try to get into the DoD,” he said. “DISA is doing the best it can, but there are only so many people that can do the work and there’s a lot more work to get done. So as an example, we originally got our name on the list and had our initial kickoff meeting in August of 2020. We didn’t actually kick anything off until January 2021, and we didn’t get anything finalized until basically November 1, 2021.”

In the second scenario, a company that has not yet been FedRAMP certified has to go through that process as well. It must build out its environment, have it validated by a Certified Third Party Assessment Organization (C3PAO), and work through all the security requirements. On top of that, it has to complete 90 to 180 days of security monitoring. This can take as long as 18 to 24 months before DoD can even begin its additional steps.

And, Perry stressed, this is an investment a cloud service provider makes entirely on its own, with no guarantee of a payoff at the end. IL 5 certification represents a significant strategic investment just to get in the door.

“This isn’t just sign a couple pieces of paper, set up one server and say the DoD is the only one connecting to it. This whole process as a company investment consumes a significant amount of strategic time and resources,” he said. “Unlike many other DoD contracts, in which the building, sustaining and other elements are awarded before the investment, this is a ‘build it and they will hopefully come’ approach. So our company had to invest millions and millions of dollars, two to three years of time and people to get to this point, now just to create the opportunities for DoD mission owners to use it. And I don’t think that everybody fully realizes that level of investment from industry to this process.”

So why do cloud service providers make this investment?

“From the executive order all the way down to mission commanders, it has been stressed that partnerships between industry, academia and government are essential to innovation. This is our investment in that belief. This level of accreditation validates that we are committed to meeting the government’s requirements to manage data in the unclassified environment with the most stringent of security controls,” Perry said. “We’ve topped off as the most trusted kind of capability out there as a cloud service provider.”
