FedRAMP High and DoD Impact Levels 5/6
by Nick Clark | Published April 25, 2026
FedRAMP High and the Department of Defense Cloud Computing Security Requirements Guide Impact Levels 5 and 6 establish the security regimes under which cloud services may host sensitive controlled unclassified information, national security systems, and Secret-classified workloads. These authorizations rest on NIST SP 800-53 control baselines extended by DoD-specific overlays, and they treat evidence of compliance as a structural property of the system rather than an artifact of audit. Governance chain provides the architectural substrate that makes such evidence constitutive rather than retrospective.
Regulatory Framework
The Federal Risk and Authorization Management Program, established by OMB Memorandum M-11-29 in December 2011 and codified by the FedRAMP Authorization Act of 2022 within the FY23 NDAA, provides the standardized approach for assessing, authorizing, and continuously monitoring cloud services used by the United States federal government. FedRAMP defines three baselines of NIST SP 800-53 Revision 5 controls: Low, Moderate, and High, where High applies to systems whose loss of confidentiality, integrity, or availability would have severe or catastrophic adverse effect under FIPS 199. The High baseline imposes 421 controls and control enhancements drawn from SP 800-53 Rev 5.
The Department of Defense, while recognizing FedRAMP as a precondition, imposes additional requirements through the DoD Cloud Computing Security Requirements Guide, currently version 1 release 4 issued by DISA. The SRG defines four operative Impact Levels for cloud services. IL2 covers public and non-critical mission information. IL4 covers controlled unclassified information including export-controlled data and critical mission information. IL5 extends IL4 with national security system requirements and is required for DoD CUI categorized as having higher sensitivity, including unclassified national security information. IL6 covers classified information up to and including Secret under Executive Order 13526.
IL5 and IL6 authorizations are not derivative of FedRAMP High; they are separate authorizations issued by the DoD with their own Provisional Authorization process under the DISA Cloud Service Support office. IL5 requires FedRAMP High as a precondition, plus DoD-specific overlays addressing physical separation, U.S.-citizen administrator requirements, and CNSSI 1253 categorization for national security systems. IL6 requires that the cloud service operate within the SIPRNet enclave, with classified-cleared personnel, classified physical infrastructure, and additional controls drawn from CNSSI 1253 high-high-high categorization.
Architectural Requirement
The defining architectural requirement across FedRAMP High and IL5/IL6 is continuous, evidence-bearing demonstration of control effectiveness. The continuous monitoring obligations under FedRAMP and the equivalent ConMon obligations under the DoD SRG require monthly vulnerability scans, monthly POA&M updates, and annual assessments by an accredited Third Party Assessment Organization (3PAO) for FedRAMP or a DoD authorizing official's designated assessor for IL5/IL6. These obligations are not periodic audit events; they are an ongoing operational state.
The system must therefore produce, as a constitutive property of normal operation, the evidence stream that the authorization depends on. Authentication events, authorization decisions, configuration changes, vulnerability postures, incident detections, and personnel actions must each emit recordable, attributable, tamper-evident artifacts. Under SP 800-53 AU-family controls and the DoD SRG audit overlays, the gaps in this evidence stream are themselves findings, regardless of whether the underlying control is operating correctly.
The cross-Impact-Level requirement compounds the architectural challenge. Modern federal missions span IL2 public-facing components, IL4 CUI systems, IL5 national security systems, and IL6 classified enclaves, with information flowing under controlled cross-domain conditions. The system must preserve the chain of evidence as data and decisions cross Impact Level boundaries, because a control assessor at IL5 cannot rely on evidence whose provenance dissolves at the IL2-IL4 boundary upstream.
Why Procedural and Bolt-On Compliance Fails
The historical compliance pattern is to operate the system and then collect evidence for audit. SIEM platforms ingest logs, GRC tools track POA&M items, and 3PAO assessors translate operational artifacts into the System Security Plan and Security Assessment Report. This pattern produces authorizations but at substantial cost, and it produces them through a translation layer that introduces gaps the assessor must paper over with compensating documentation. The gaps are real, and their accumulation is the principal source of authorization delay.
Bolt-on continuous-monitoring tooling does not resolve the structural problem. A monitoring overlay reports the state it can observe, but it cannot reconstruct the authority under which a given action was taken if that authority was not recorded at the moment of action. Under SP 800-53 controls AC-2, AC-3, AC-6, and AU-10 in particular, the assessor needs to see not only that an action occurred but that it was credentialed, authorized, and non-repudiable. Reconstructing those properties from logs alone is structurally insufficient.
The cross-Impact-Level case exposes the procedural approach most sharply. When an IL2 component contributes telemetry to an IL5 decision, the IL5 authorizing official must determine whether the IL2 evidence is admissible. Procedural compliance treats this as a documentation exercise; the architectural reality is that admissibility must be a property of the evidence itself, established at the moment of capture and preserved through every transformation. Without an architectural primitive expressing this, cross-IL operation is permitted only under heavy manual review.
What The AQ Primitive Provides
Governance chain is the Adaptive Query primitive that makes the evidentiary substrate of federal-cloud operations a constitutive property of the system. It is composed of five chained properties, each of which addresses a specific structural failure of procedural compliance, and together they produce an operational state in which authorization evidence is generated as a side-effect-free consequence of normal operation rather than as a separate audit-preparation activity.
The first property is authority-credentialed observation. Every observation entering the system is bound at capture time to the credentialed authority under which the observation was made, so that the observation's later use carries the authority forward. This addresses SP 800-53 IA-family identity-and-authentication obligations not as a perimeter check but as a property of every datum.
The second property is evidential weighting. Observations carry a weight reflecting their assurance level, and downstream computations propagate that weight, so that a decision combining IL2 telemetry with IL5 authority-bearing evidence reflects the weakest contributing assurance in its own assurance label. The third property is composite admissibility, which determines whether a combination of evidence is admissible under the applicable authorization regime; this is the structural mechanism that makes cross-Impact-Level operation tractable, because admissibility is computed rather than negotiated.
The fourth property is governed actuation, addressed in detail elsewhere in this series, applied here to the federal context: every state-changing action in the system is gated by an actuation decision tied to the credentialed authority and admissible evidence supporting the action. Under SP 800-53 AC-3 access-enforcement and AC-6 least-privilege controls, this provides the structural enforcement the controls require, rather than a perimeter approximation. The fifth property is lineage-recorded provenance, which preserves the full chain from observation through admissibility through actuation as a tamper-evident record satisfying SP 800-53 AU-10 non-repudiation and AU-11 audit-record-retention obligations.
The five properties are not optional layers; they are a chain in the strict sense that each property presupposes the prior and provides the substrate for the next. This is what permits the chain to bear authorization evidence under FedRAMP High and IL5/IL6, because the chain's integrity is itself the evidence the authorization depends on.
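The following is an added illustration of how the five properties chain together in code; it is not Adaptive Query's implementation, and the Impact Level ranks, identities and observations it uses are constructed for the example. Each observation carries its capturing authority, combined assurance is the weakest contributor, admissibility is computed against the required Impact Level, actuation is gated on that result, and every decision is appended to a hash-chained lineage that can be verified.

```python
# Added illustration of the five chained properties (not Adaptive Query's own
# code): observations bound to a credentialed authority, weakest-contributor
# assurance, computed admissibility, gated actuation, hash-chained lineage.
import hashlib
import json
from dataclasses import dataclass, field

IL_RANK = {"IL2": 2, "IL4": 4, "IL5": 5, "IL6": 6}  # constructed ordering

@dataclass(frozen=True)
class Observation:
    value: str
    authority: str   # credentialed identity bound at capture time
    assurance: str   # Impact Level of the environment that captured it

@dataclass
class Lineage:  # tamper-evident provenance: each record commits to the prior hash
    records: list = field(default_factory=list)
    head: str = "0" * 64

    def append(self, event: dict) -> str:
        body = json.dumps({"prev": self.head, **event}, sort_keys=True)
        self.head = hashlib.sha256(body.encode()).hexdigest()
        self.records.append((self.head, body))
        return self.head

    def verify(self) -> bool:
        prev = "0" * 64
        for digest, body in self.records:
            if (json.loads(body)["prev"] != prev
                    or hashlib.sha256(body.encode()).hexdigest() != digest):
                return False
            prev = digest
        return True

def composite_assurance(obs):
    """Evidential weighting: a combination is only as strong as its weakest input."""
    return min(obs, key=lambda o: IL_RANK[o.assurance]).assurance

def admissible(obs, required_il):
    """Composite admissibility: computed from the inputs, not negotiated."""
    return IL_RANK[composite_assurance(obs)] >= IL_RANK[required_il]

def actuate(action, obs, required_il, lineage):
    """Governed actuation: act only on admissible evidence; record either way."""
    ok = admissible(obs, required_il)
    lineage.append({"action": action, "required": required_il, "admitted": ok,
                    "assurance": composite_assurance(obs), "authorities": sorted(o.authority for o in obs)})
    return ok
```

Mixing an IL2 telemetry observation into an IL5 decision yields a composite assurance of IL2, so the actuation is refused and the refusal itself is recorded; altering any earlier record breaks `verify()`.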
The chain is also the structural answer to the supply-chain provisions of Executive Order 14028 on Improving the Nation's Cybersecurity, which require software bill of materials artifacts under NTIA minimum-elements guidance and attestation under OMB Memorandum M-22-18 and M-23-16. Because the chain records authority and provenance constitutively, SBOM and attestation artifacts become projections of the chain rather than separately maintained artifacts subject to drift, addressing the principal weakness of procedural SBOM compliance.
Compliance Mapping
Governance chain maps to SP 800-53 Rev 5 control families with structural rather than documentary fit. The AC family is satisfied through authority-credentialed observation and governed actuation: AC-2 account management, AC-3 access enforcement, AC-6 least privilege, and AC-16 security and privacy attributes are expressed as properties of the chain rather than as separate enforcement points. The AU family is satisfied through lineage-recorded provenance: AU-2 event logging, AU-3 content of audit records, AU-9 protection of audit information, AU-10 non-repudiation, and AU-12 audit record generation become constitutive rather than additive.
The CA family continuous-monitoring obligations are satisfied because the chain produces the monthly ConMon artifacts as a byproduct of operation. The IA family identity-and-authentication controls are satisfied through credentialed observation. The SI family system-and-information-integrity controls, particularly SI-4 system monitoring and SI-7 software-firmware-and-information integrity, are supported through evidential weighting and composite admissibility.
For DoD IL5, the additional CNSSI 1253 overlays for national security systems are accommodated through composite admissibility, which can express the heightened admissibility threshold required for NSS contributions. For IL6, the chain operates within the SIPRNet enclave and provides the classified-side evidentiary substrate without architectural change, because the chain's properties are independent of the classification level of the data they describe.
Adoption Pathway
Adoption typically begins at the FedRAMP Moderate or High baseline for a single system boundary, with the governance chain instantiated as the system's evidentiary substrate from initial categorization under FIPS 199 forward. The System Security Plan documents the chain as the structural mechanism satisfying the AC, AU, CA, IA, and SI control families, and the 3PAO assessment plan tests the chain's properties as the principal compliance evidence.
Extension to IL5 follows once the FedRAMP High authorization is in hand, with the DoD-specific overlays expressed as additional admissibility rules within composite admissibility rather than as a parallel evidentiary system. Extension to IL6 requires SIPRNet-side deployment and classified-cleared operations personnel, but the architectural substrate is unchanged. Multi-cloud and cross-Impact-Level operations follow naturally because the chain's properties compose across boundaries without requiring renegotiation at each boundary.
Programs aligning with OMB Memorandum M-22-09 federal zero-trust strategy and the related CISA Zero Trust Maturity Model find that governance chain instantiates the maturity model's pillars as a single architectural commitment rather than as five parallel implementations. Identity, devices, networks, applications and workloads, and data each receive the chain's evidentiary treatment, and the cross-pillar visibility-and-analytics and automation-and-orchestration capabilities the model requires emerge as constitutive properties of the chain rather than as separate platforms layered on top.
For agencies operating under the Cybersecurity Maturity Model Certification 2.0 framework administered by the DoD CIO, the chain's properties map directly to the practices required at Level 2 and Level 3, with the same evidence package serving CMMC assessment, FedRAMP continuous monitoring, and DoD ConMon obligations. This consolidation of evidentiary obligation across overlapping regimes is the principal practical benefit of architectural rather than procedural compliance, because it eliminates the per-regime translation cost that dominates the operational compliance budget of federal cloud providers.