IL5 / FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is the US federal authorization framework for cloud services used by federal civilian agencies. IL5 (DoD Impact Level 5) is the Department of Defense's authorization tier for the highest sensitivity of unclassified information and most defense-mission workloads. Together they define which cloud services can host federal and DoD data and under what controls.
Etymology / origin
FedRAMP launched in 2011 to standardise federal cloud security assessments. DoD Cloud Computing Security Requirements Guide established the IL1–IL6 impact level framework in 2015, with IL5 the highest unclassified level and IL6 covering Secret-classified workloads.
Where you encounter this term
FedRAMP and IL5 authorizations are prerequisites for any cloud vendor pursuing federal or DoD contracts that involve government data hosting. Major hyperscalers (AWS GovCloud, Microsoft Azure Government, Google Cloud for Government) maintain separate environments and authorizations for these tiers. Software vendors layering on top of authorized infrastructure may inherit some controls but typically need their own ATO (Authority to Operate). NATO Ally cloud and SaaS vendors selling to US DoD must plan for the multi-year authorization timeline.
Example — from the WULFRN database
WULFRN's US defense coverage (3,305 records) includes many SAM.gov notices for cloud, SaaS, and IT services that require FedRAMP Moderate, High, or IL5 authorization as a bid prerequisite. International software vendors targeting these contracts should expect a 12-24 month authorization runway.
Related glossary terms
- SAM.gov (System for Award Management)US federal government's official procurement portal, the single source for US Department of Defense contracting opportunities.
- FAR / DFARSFederal Acquisition Regulation (FAR) and its Defense supplement (DFARS), the regulatory framework governing all US federal and DoD contracting.
- International Traffic in Arms Regulations (ITAR)US regulations controlling the export of defense articles and services on the US Munitions List — a core compliance constraint for all US-touched defense work.
Continue reading on WULFRN
Frequently asked questions
What is FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is the US federal authorization framework for cloud services used by federal civilian agencies. It standardises security assessments so that authorizations can be reused across agencies. FedRAMP has Low, Moderate, and High baselines mapped to FIPS-199 impact categories.
What does DoD Impact Level 5 (IL5) cover?
IL5 is the DoD's authorization tier for Controlled Unclassified Information (CUI) including mission-critical national-security systems and information regulated by federal law that has higher sensitivity than IL4. Most DoD-mission cloud workloads target IL5. IL6 covers Secret-classified workloads and runs on physically separated infrastructure.
How long does FedRAMP or IL5 authorization take?
FedRAMP Moderate typically takes 9–18 months, FedRAMP High and IL5 typically 18–36 months. Cloud vendors usually pursue them in sequence rather than in parallel. International vendors targeting US DoD cloud contracts should plan a multi-year authorization runway before bidding on contracts that require these authorizations.