Impact Level compliance is granted by the Defense Information Systems Agency (DISA), which provides information technology (IT) and communications support to the President, Vice President, Secretary of Defense, the military services, the combatant commands, and any individual or system contributing to the defense of the United States.
As Microsoft shares on its website, the provisional authorization now given to Microsoft Azure “will allow United States Department of Defense (DoD) mission owners and officials the ability to plan, assess, and authorize workloads for Impact Level 5 controlled unclassified information (CUI). This includes those workloads supporting National Security Systems as well as mission critical data transiting, or being stored or processed within the Azure Government cloud.”
To achieve the required security level, “Microsoft has established two physically isolated and geographically separated Azure Government regions exclusively for the Department of Defense. These regions are designed to support Impact Level 5 workloads with stringent DoD security requirements.”
Microsoft has already achieved several government-related cloud authorizations and assessments, such as FedRAMP High P-ATO (provisional), the highest of the three available compliance ratings given by the US Federal Risk and Authorization Management Program (FedRAMP) to validate the security of cloud services.
As Microsoft points out on its website, DISA has also granted the Impact Level 5 PA rating for Office 365. You can read in detail about the DISA Impact Level classification system in the official Department of Defense Cloud Computing Security Requirements Guide. Microsoft provides a quick summary, explaining all DoD Impact Levels.
Impact Level 5 is defined in the following way:
“Level 5 accommodates CUI that requires a higher level of protection than that afforded by Level 4 as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP+ C/CEs. As such, NSS must be implemented at Level 5. Some types of CUI may not be eligible to be hosted on Impact Level 4 and 5 CSOs without a specific rider to the DoD PA. (e.g., for Privacy.) This level accommodates NSS and CUI information categorizations based on CNSSI-1253 up to moderate confidentiality and moderate integrity (M-M-x).”
This table, taken from the official DISA guide, gives a brief overview of all impact levels: