All information systems present some level of risk, so to stay ahead of threats, the Department of Defense (DoD) implements a classification system for security, with different levels of impact. In this blog, we will be focusing on DoD Impact Level 6 (IL6), its requirements, and how it impacts software delivery to the defense community.
What is DoD Impact Level 6 (IL6)?
DoD IL6 is a high-level security classification for data and information systems within the DoD. It is used for systems that contain data that is deemed critical to national security and that require maximum protection against unauthorized access or manipulation.
IL6 most commonly applies to data and systems that involve classified information, such as those related to intelligence, military operations, and other sensitive government activities. This may include systems that contain information related to national security, defense, and intelligence, as well as those that involve critical infrastructure or other high-value assets. Examples of systems that may fall under the IL6 classification include secure communication networks, command and control systems, and systems that support the development and testing of advanced technologies for military or intelligence applications. It is important to note that the specific systems and data to which IL6 applies may vary depending on the particular mission, organization, or program involved.
What are the IL6 Requirements for Data and Information Systems?
DoD IL6 security classification requires strict control and protection of "Secret" information. DoD Manual 5200.01, Volume 2 provides detailed guidance on how to classify, mark, handle, and safeguard such information. The manual specifies that "Secret" information must be protected in accordance with the security controls specified in CNSSI 1253, which includes the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls, as well as the application of an IL6 Overlay. Some of the key requirements for IL6 include:
- Physical security: The system must be protected physically to prevent unauthorized access or damage.
- Access control: The system must control access to data and resources based on need-to-know and least privilege principles.
- Audit and accountability: The system must be able to track and audit all actions taken on the system.
- Risk management: The system must have a formalized risk management program that is used to assess and mitigate risks.
- Incident response: The system must have a formalized incident response plan that is used to detect and respond to security incidents.
How to get DoD IL6 Approval for Commercial Software Companies
Getting approval for commercial software companies to work at the IL6 level can be difficult, as it requires not only meeting the specific security controls but also undergoing a rigorous evaluation and authorization process to achieve an Authority to Operate (ATO). The evaluation and authorization process can take several months or even years, depending on the complexity of the system and the level of risk it presents.
As a high-level security classification for data and information systems within the DoD, meeting the requirements of IL6 can provide maximum protection against unauthorized access or manipulation, but it can also be expensive and complex. Commercial software companies seeking approval for IL6 must undergo a rigorous evaluation and authorization process. It is important for organizations working with the DoD to be aware of the security requirements and processes to ensure the protection of sensitive information and compliance with regulations.
To help commercial companies accelerate their delivery of emerging technologies to U.S. and Allied warfighters, Second Front Systems® offers Game Warden®, a DevSecOps platform and secure cloud hosting environment that removes the burden from commercial software companies by enabling them to leverage our security controls and DoD-approved platform to streamline software delivery. Learn more about how Game Warden can help you accelerate the delivery of your software to the DoD and NatSec community by downloading our white paper, or contacting us here.