DoD Impact Level 5: The 175-Control Delta from FedRAMP High and the Four Architecture Changes That Matter More

Department of Defense Impact Level 5 is FedRAMP High plus 170 to 175 additional controls, depending on how you count the Committee on National Security Systems Instruction 1253 National Security System overlays. The control count is the headline that vendor blogs cite in three different ways: ten additional control enhancements per the DoD Cloud Service Provider Security Requirements Guide (CSP SRG), 170 controls per a widely cited industry analysis, or 175 when CNSSI 1253 overlays and mandatory parameter values are fully counted. The FedRAMP Moderate vs High cost differential is the financial framework that makes the IL4-to-IL5 business case concrete before the architecture work begins. All three numbers are correct depending on what is being counted, which is the source of the confusion that fails most IL5 readiness assessments.

The architecture change that matters more than the control count is that the DoD CSP SRG elevated IL5 to National Security System classification. The elevation redefines availability, networking, and personnel requirements in ways that do not flow from the control delta itself; they flow from the NSS treatment of the workload. A SaaS architect whose customer is moving an Impact Level 4 workload to IL5 reads three vendor blogs that each report a different control delta and cannot tell whether the difference is real, framing, or vintage, and her timeline depends on the answer.

This article walks the annotated delta across FedRAMP+ enhancements, CNSSI 1253 overlays, and CSP SRG implementation parameters. It names the four architecture changes that flow from the NSS elevation. It is written for the SaaS architect whose customer is moving an IL4 workload to IL5 and needs to know what changes from a real engineering standpoint.

Why Three Different Control Counts Are All Correct

The three published numbers (10, 170, 175) measure different things. Conflating them produces budget plans that are wrong by an order of magnitude.

The number 10 refers to DoD FedRAMP+ Security Controls and Control Enhancements defined in the DoD CSP SRG. These are explicit additions on top of FedRAMP High that the DoD requires for IL5 authorization. Ten controls is a small count, and a vendor reading only this number and not the rest of the CSP SRG concludes that IL5 is a modest uplift over FedRAMP High. That conclusion is wrong.

The number 170 refers to the broader delta that becomes apparent when CNSSI 1253 overlays are layered on top of the NIST Special Publication 800-53 baseline used by FedRAMP High. CNSSI 1253 is the National Security Systems control overlay; it adds requirements to specific controls, escalates parameter values, and imposes additional control enhancements that are not separately enumerated in the CSP SRG’s explicit FedRAMP+ section but are required for NSS treatment.

The number 175 is the practitioner-confirmed total that emerges when 800-53 baseline parameter values, CNSSI 1253 overlays, and CSP SRG mandatory parameter values are all counted as distinct items. The exact number varies slightly by counting methodology, but the practitioner consensus is that the IL5 control burden is materially closer to 175 than to 10 once all overlays are applied.

The right operational answer for a SaaS architect is to plan against the higher number. A budget built on the 10-control framing will fail. A budget built on the 175-control framing has the contingency to absorb the actual implementation effort.

The DoD SRG Transition: CSP SRG v1r1 and Mission Owner SRG

The DoD retired the single Cloud Computing Security Requirements Guide (CC SRG) and replaced it with two separate documents effective 2026: the DoD Cloud Service Provider Security Requirements Guide (CSP SRG v1r1), which governs cloud service providers seeking DoD IL authorizations, and the DoD Mission Owner Security Requirements Guide (MO SRG), which governs DoD mission owners consuming cloud services. This structural split reflects the DoD’s recognition that CSP obligations and mission owner obligations are materially different and require separate governance documents.

Practitioners and vendors citing the old CC SRG v1r3 or v1r4 are referencing retired documents. The NSS elevation of IL5 and the core control framework carry forward into the CSP SRG v1r1; the substantive technical requirements for IL5 authorization remain consistent with the prior framework. Verify current document versions and section references at cyber.mil/dccs/ before beginning any IL5 authorization effort.

The Four Architecture Changes That Flow from NSS Elevation

The CSP SRG elevation of IL5 to NSS classification produces four architecture changes that the control-count framing does not capture. These are the changes that determine implementation cost and timeline.

Availability Architecture

FedRAMP High requires recovery time objectives and recovery point objectives that most cloud-native architectures can meet with a single-region deployment plus backup. NSS classification under IL5 frequently requires availability commitments that demand geographic redundancy, active-active patterns, or specific recovery times that single-region architectures cannot provide.

The engineering implication is a multi-region architecture for any workload moving from IL4 to IL5. The cost implication is duplicated infrastructure plus inter-region data-transfer costs. The timeline implication is the multi-month effort required to design, deploy, and validate a multi-region architecture with consistent state across regions.

Networking and Cryptographic Boundary

FedRAMP High requires FIPS 140-2 or 140-3 validated cryptographic modules at boundary protection points; many implementations satisfy this with FIPS-validated modules at the perimeter and standard cryptographic libraries internally. NSS overlays under IL5 typically require FIPS-validated modules end-to-end across all data paths, with specific cipher suite restrictions.

The engineering implication is auditing the entire data path for cryptographic compliance, not just the perimeter. Embedded cryptographic operations in application code, third-party libraries, and platform services all become subject to the FIPS-validated requirement. The timeline implication is significant when third-party libraries are involved; some libraries cannot be easily replaced with FIPS-validated equivalents, and the architecture may require restructuring to isolate non-compliant operations from the data path.

Personnel Security

NSS classification often triggers personnel-security requirements that exceed the FedRAMP High baseline. Background investigations, citizenship requirements, and clearance levels become tied to system access. The vendor’s engineering organization may need to identify which personnel can perform IL5 system administration and which cannot.

The engineering implication includes operational changes to access workflows, ticketing systems, and on-call rotations. The timeline implication includes the lead time for background investigations, which is multi-month for many clearance levels and is outside the vendor’s control.

Supply Chain Risk Management

NSS treatment expands supply-chain risk management requirements under NIST SP 800-161 Rev 1. Component-level provenance, restricted-source procurement, and alignment with the Cybersecurity Maturity Model Certification (CMMC) framework become operational requirements. Hardware procurement is materially affected; software procurement is affected by component-level analysis.

The engineering implication includes a procurement-pipeline review to confirm that components used in the IL5 environment originate from approved sources and meet provenance requirements. Section 889 covered-entity controls apply across IL4 and IL5 per DFARS 252.204-7018; the elevated scrutiny that NSS classification triggers in practice means supply-chain provenance gaps that pass at IL4 often require remediation before an IL5 Provisional Authorization is granted. The timeline implication is the time required to inventory the supply chain, identify gaps, and remediate them.

Counting the Delta by Control Family

Within the 175-control practitioner-confirmed total, the distribution across control families is uneven. Five families absorb most of the additional burden.

System and Communications Protection (SC) absorbs the largest share, primarily through the cryptographic-module requirements and the boundary protection enhancements. Audit and Accountability (AU) absorbs a substantial share through expanded log retention, log integrity, and real-time analysis requirements. Contingency Planning (CP) absorbs a share through the availability-architecture requirements that NSS classification triggers. Personnel Security (PS) absorbs a share through the investigation and clearance requirements. System and Information Integrity (SI) absorbs a share through enhanced continuous monitoring and threat-intelligence integration.

The remaining control families absorb smaller shares distributed across access control, configuration management, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, planning, risk assessment, security assessment and authorization, supply chain risk management, and system and services acquisition.

The IL4-to-IL5 Migration Path

For a workload currently authorized at IL4 moving to IL5, the migration path has five phases. Each phase produces a deliverable that supports the eventual IL5 Provisional Authorization decision.

Phase one is the gap analysis. Map the workload’s current control implementation against the IL5 requirements. The output is a gap register identifying every requirement not currently satisfied. The gap register typically lists 80 to 130 items for a workload moving from IL4 to IL5 (practitioner estimate); the exact count depends on the IL4 implementation maturity.

Phase two is the architecture redesign. The four architecture changes from NSS elevation drive the redesign. Some workloads can satisfy IL5 with focused additions to an IL4 architecture; others require structural changes that approach a re-architecture. The redesign should be specific about which IL4 architectural decisions persist into IL5 and which do not.

Phase three is the implementation. The redesign is built. Implementation typically runs six to twelve months for a workload of meaningful complexity. The implementation should be staged so that the workload can be re-tested at IL4 with each major change before final IL5 cutover.

Phase four is the assessment. A 3PAO assesses the workload against the IL5 control set. The assessment surfaces findings that must be remediated before the Authorizing Official can grant the Provisional Authorization. Assessment durations are typically two to four months including remediation cycles.

Phase five is the authorization. The DoD Authorizing Official evaluates the assessment results, the Plan of Action and Milestones, and the residual risk. The authorization decision is an explicit acceptance of the residual risk. Authorization timelines vary substantially based on the AO’s docket and the complexity of the residual risk.

Cost Framework

The all-in cost of an IL4-to-IL5 migration for a representative cloud service offering ranges from $2.0 million to $5.5 million in incremental first-year cost, with annual run-rate increases of $600,000 to $1.4 million against the IL4 baseline (practitioner estimate range; no single published benchmark). The wide range reflects the variability in availability-architecture requirements, cryptographic boundary work, and supply-chain remediation.

The cost categories are infrastructure (40 to 60 percent), operations (25 to 35 percent), assessment and authorization (10 to 15 percent), and documentation (5 to 10 percent). The infrastructure category dominates because the architecture changes from NSS elevation are infrastructure-intensive. The operations category captures the personnel-security overhead, the expanded continuous monitoring, and the supply-chain controls. The assessment and authorization category captures the 3PAO work, the documentation refresh, and the AO engagement.

For workloads where the customer base does not justify the IL5 investment, staying at IL4 is the appropriate posture. IL5 is not a default progression from IL4; it is a separate authorization tier with separate economics.

Frequently Asked Questions

What replaced the DoD Cloud Computing SRG?

The DoD retired the single Cloud Computing Security Requirements Guide (CC SRG) effective 2026 and replaced it with two documents: the DoD Cloud Service Provider Security Requirements Guide (CSP SRG v1r1), which governs CSPs seeking DoD IL authorizations, and the DoD Mission Owner Security Requirements Guide (MO SRG), which governs DoD mission owners consuming cloud services. Current documents are available at cyber.mil/dccs/.

Why does the DoD CSP SRG list only ten additional controls?

The CSP SRG’s explicit FedRAMP+ section lists controls that DoD adds on top of FedRAMP High. It does not capture CNSSI 1253 overlays, mandatory parameter values, or the implementation requirements that flow from NSS classification. The section’s narrow scope is the source of the most common misreading of the IL5 control burden.

What is the difference between IL5 and IL6?

IL5 covers unclassified National Security Information; IL6 covers Secret-level classified information. The control burden, infrastructure requirements, and personnel security requirements are materially higher at IL6. Most commercial cloud service providers do not offer IL6 services.

Can I authorize at IL5 without an IL4 authorization first?

Yes. IL5 is a separate authorization tier; an IL4 authorization is not a prerequisite. Some providers authorize directly at IL5 when the customer base demands it. The cost of direct IL5 authorization is similar to the migration cost from IL4 to IL5 because the architecture work is comparable.

Does IL5 require a separate cloud environment from IL4?

Most providers maintain separate IL5 and IL4 environments because the NSS overlays require operational separation. Some architectures support a single environment that is operated to the higher tier; the trade-off is operational cost versus separation simplicity.

What is the timeline from IL4 to IL5 authorization?

Twelve to twenty-four months including architecture redesign, implementation, assessment, and authorization. Faster timelines are possible when the IL4 architecture was designed with IL5 in mind from the outset; longer timelines are common when material architecture work is required.

Is FedRAMP 20x available at IL5?

FedRAMP 20x focused initially on FedRAMP Moderate baselines. Extension to FedRAMP High and to DoD Impact Levels is expected as the program matures, but specific guidance has not been published. Providers planning IL5 work should monitor the FedRAMP 20x roadmap and adjust authorization strategy as the scope expands.