The Department of Defense processes an enormous volume of sensitive but unclassified information every day — acquisition plans, source selection documents, contractor proposals, program budgets, and operational requirements. Managing that information securely, especially as it moves across cloud systems and commercial software, requires a clear and enforceable framework.

That framework is the DoD's Impact Level system. And for acquisition professionals working with the most sensitive unclassified mission data, Impact Level 5 (IL5) is the critical benchmark to understand.

The DoD Cloud Computing Security Requirements Guide (CC SRG)

To understand IL5, you first need to understand the framework it comes from.

The DoD's Cloud Computing Security Requirements Guide (CC SRG), published and maintained by the Defense Information Systems Agency (DISA), establishes a tiered system for classifying cloud environments based on the sensitivity of the data they process and the threats they must be protected against. Each tier is called an Impact Level, and each one defines:

  • What categories of data can be stored, processed, and transmitted
  • What security controls must be implemented
  • What authorization process must be completed before a cloud system can operate in that environment

The Impact Levels most relevant to federal acquisition work are IL2, IL4, IL5, and IL6. They are not interchangeable — a system authorized at one level cannot legally handle data that requires a higher level without additional authorization.

What the Impact Levels Cover

IL2 is the baseline for publicly releasable information and non-sensitive federal data. Most commercial SaaS tools, if they pursue any DoD authorization at all, start here.

IL4 covers Controlled Unclassified Information (CUI) — information that requires safeguarding under law, regulation, or government-wide policy, but that is not classified. Contractor proposals, acquisition-sensitive documents, and program planning data often fall into this category.

IL5 covers two categories of data: CUI that requires a higher level of protection due to the nature of the program or mission, and unclassified National Security Systems (NSS) workloads. IL5 is required when the sensitivity of the information, the mission context, or the threat environment demands controls beyond what IL4 provides. It is the highest Impact Level for unclassified systems.

IL6 covers classified information up to SECRET.

For acquisition professionals in defense environments — particularly those supporting Navy program offices, Army commands, Air Force acquisition centers, combatant commands, or special operations — IL5 is frequently the floor, not the ceiling, for the tools and systems they are permitted to use.

Why IL5 Exists: The Threat Environment Behind the Standard

IL5 is not a bureaucratic formality. It exists because the threat environment for DoD acquisition data is real and active.

Acquisition information is among the most targeted categories of government data. Adversaries that gain access to source selection criteria, program requirements, contract structures, or technical specifications can use that information to shape bids, understand U.S. capabilities and intentions, or compromise competitive advantage in defense markets. The 2015 OPM breach, various defense contractor intrusions, and documented nation-state targeting of acquisition supply chains have all underscored why standard commercial security postures are insufficient for this data.

IL5 addresses this by requiring:

  • Stronger access controls and identity governance — multi-factor authentication, privileged access management, and role-based access controls that meet DoD-specific requirements
  • Enhanced encryption — both in transit and at rest, using FIPS 140-2 validated cryptographic modules
  • Continuous monitoring and audit logging — the ability to detect, log, and respond to anomalous activity in real time
  • Physical and logical separation — IL5 environments must be isolated from lower-Impact-Level workloads, preventing data from leaking across security boundaries
  • Incident response and auditability — documented processes for detecting and responding to breaches, with audit trails that can support forensic investigation

These requirements apply not just to the data center or cloud infrastructure, but to every tool and application operating within the environment.

What This Means for the Tools Acquisition Professionals Use

This is where IL5 has immediate, practical implications for day-to-day acquisition work.

Any software tool — a proposal management system, a market research platform, a document collaboration environment, a data analytics tool — that processes IL5-categorized data must itself be authorized to operate at IL5. Using an unauthorized tool to handle that data, even inadvertently, creates a compliance gap with real consequences: potential loss of authorization to operate, audit findings, and in some cases, legal liability under the data handling agreements that govern CUI.

In practice, this means acquisition teams in IL5 environments often face a painful tradeoff. The commercial tools that are most capable, most modern, and most efficient — including AI-powered tools — frequently lack the DoD authorization required to use them with sensitive acquisition data. The result is that teams either fall back on manual processes, accept the compliance risk of using unauthorized tools, or work around the problem by sanitizing data before it enters commercial systems, introducing delay and error.

This tradeoff is especially pronounced for AI tools. The emergence of large language models and AI-assisted workflows has created enormous potential for acquisition efficiency — faster market research, automated compliance checks, AI-assisted solicitation drafting, and intelligent proposal review. But most AI platforms have not pursued IL5 authorization, which means acquisition professionals in high-assurance environments cannot legally use them with their actual data.

How IL5 Authorization Is Granted

Achieving IL5 authorization requires a formal assessment and an Authority to Operate (ATO) from a DoD Authorizing Official. The process is governed by DoDI 8510.01, the DoD Risk Management Framework (RMF), and involves:

Security control implementation — The platform must implement all required controls from NIST SP 800-53 at the appropriate baseline, plus DoD-specific overlays defined in the CC SRG.

Assessment and validation — A third-party assessment organization (3PAO) or government assessor reviews the platform's control implementation and produces a security assessment report.

Provisional Authorization — The DoD CIO or a designated authorizing official reviews the assessment and, if satisfied, grants a Provisional Authorization to Operate (P-ATO). Individual agencies may then grant their own ATO based on the P-ATO, accepting residual risk for their specific mission context. Authorized cloud offerings can be found on the DISA Cloud Computing Security page.

Continuous monitoring — IL5 authorization is not a one-time event. Authorized platforms must maintain continuous monitoring programs, report security status regularly, and remediate findings on defined timelines.

The process is rigorous by design. It typically takes years and significant investment for a commercial platform to achieve IL5 authorization independently. Some platforms pursue IL5 through deployment on pre-authorized infrastructure — such as a DoD-accredited platform-as-a-service environment — which allows them to inherit foundational security controls and accelerate the authorization timeline without sacrificing depth.

IL5 and FedRAMP High: Related but Different

Acquisition professionals working across both civilian and defense environments often encounter both IL5 and FedRAMP High. They are related frameworks, but they are not equivalent and do not substitute for each other.

FedRAMP High is a government-wide authorization framework managed by GSA. It authorizes cloud platforms to handle the most sensitive civilian agency data — health records at HHS, law enforcement data at DHS, financial systems at Treasury. FedRAMP High is a demanding authorization with broad applicability across the civilian federal government.

DoD IL5 is the DoD's own authorization for high-assurance unclassified environments. While the DoD can accept FedRAMP High as a baseline — a concept known as FedRAMP+ — IL5 adds DoD-specific requirements, particularly around mission-critical systems, NSS workloads, and the threat environment specific to defense operations, that FedRAMP High alone does not fully address.

In short: FedRAMP High is necessary but not sufficient for IL5. A platform must meet both sets of requirements to operate across civilian and defense high-assurance environments. For acquisition professionals who work across the civil-military boundary — or who support both civilian agencies and defense programs — understanding this distinction matters when evaluating whether a tool is actually authorized for their use case.

Practical Guidance for Acquisition Professionals

If you are a contracting officer, program manager, or acquisition professional working in a DoD environment, here are the practical questions to ask when evaluating any tool or system that will touch acquisition data:

What Impact Level is this tool authorized at? Ask vendors directly, and verify on the FedRAMP Marketplace or DISA's list of authorized cloud products. "We're working on authorization" is not the same as authorized.

Does the data I'm working with require IL5? Review the CUI Registry and the data categorization guidance for your program. CUI that relates to national security systems, critical infrastructure, or programs with elevated threat profiles may require IL5 even if the default CUI handling requirement would be IL4.

What is the authorization pathway? Understand whether a vendor achieved IL5 through their own infrastructure or through a pre-authorized environment like a DoD-accredited platform. Both can be valid, but the scope and inheritance of controls may differ.

What is the continuous monitoring posture? An ATO granted two years ago on outdated controls is not the same as an actively maintained authorization with current monitoring. Ask about the currency of the assessment and the ongoing monitoring program.

Is there a procurement vehicle? IL5-authorized tools available through vehicles like the GSA Multiple Award Schedule or accessible through Other Transaction Authority (OTA) mechanisms can significantly streamline procurement. Ask whether a compliant buying path exists before beginning a sole-source justification process.

The Bottom Line

Impact Level 5 is the DoD's standard for unclassified systems handling the most sensitive mission data. For acquisition professionals, it defines the security floor for the tools and environments you can use with your actual program data — and understanding it is essential for making sound decisions about software, systems, and workflows.

As AI-powered tools become more capable and more relevant to acquisition work, IL5 authorization is increasingly the threshold question: not whether a tool is useful, but whether it is authorized for the environment in which you actually operate.