Section 6.20 - Regulatory Cross-Map Brief
DOC-REF: FRC-REG-IL4-001
FedRAMP vs DoD IL4 Cost: What the Defense Cloud Add-On Costs in 2026
DoD Impact Level 4 (IL4) is the Defense Department's cloud authorization level for Controlled Unclassified Information (CUI). IL4 is not a replacement for FedRAMP. It uses FedRAMP Moderate as its foundational baseline, then layers DoD-specific controls, CUI handling requirements, and DISA review on top to produce a DoD Provisional Authorization. For a CSP that already holds FedRAMP Moderate, plan for $400K to $900K of incremental cost to add IL4. This brief covers the cost, the timeline, and the strategic question of whether IL4 is the right destination for a particular CSP's federal market opportunity.
Headline
IL4 layered on top of an existing FedRAMP Moderate typically adds $400K to $900K of incremental cost and 8 to 14 months of additional timeline. The DoD Cloud Computing SRG requires FedRAMP Moderate as the prerequisite.
Section A
How IL4 actually relates to FedRAMP Moderate
The DoD Cloud Computing Security Requirements Guide (CC SRG) defines five DoD impact levels (IL2 through IL6) that map to data sensitivity and mission criticality within the Department of Defense. IL2 covers public or non-controlled information. IL4 covers Controlled Unclassified Information (CUI). IL5 covers higher-sensitivity CUI and mission-critical workloads. IL6 covers classified information up to SECRET.
For IL2 and IL4, the CC SRG uses FedRAMP Moderate as the baseline. For IL5 it uses FedRAMP High. The DoD adds FedRAMP+ overlays: additional controls, stricter parameter values, DoD-specific configuration requirements, and CUI handling protocols. The CSP first achieves FedRAMP authorization, then pursues the DoD overlay through DISA review.
The practical consequence is that the cost question is not "FedRAMP vs IL4" but "FedRAMP and then IL4 as a delta." The FedRAMP Moderate cost itself is unchanged ($800K to $2M; see the Moderate cost page). The IL4 add-on is the incremental cost above that baseline.
Section B
IL4 cost breakdown: the incremental delta above FedRAMP Moderate
| Cost Component | Indicative Range | Notes |
|---|---|---|
| DoD-specific SSP enhancement (FedRAMP+ delta) | $80K - $180K | CC SRG-aligned narrative additions and CUI handling specifics |
| Additional DoD controls implementation | $80K - $200K | DoD-specific configuration, monitoring, and identity controls |
| DISA-accepted 3PAO assessment delta | $120K - $280K | Targeted assessment of FedRAMP+ overlay controls |
| DoD-approved cloud hosting (if migration needed) | Variable | GovCloud / Azure Government typically already in use; migration if not |
| DISA submission and review processing | $30K - $80K | Documentation packaging and DISA queue time |
| Consulting and Advisory (DoD-experienced) | $60K - $150K | DoD-specific advisory; smaller pool of qualified consultants |
| Total IL4 Add-On Range | $370K - $890K (typical $580K) | Incremental above an existing FedRAMP Moderate authorization |
Section C
3PAO selection matters more for IL4 than for FedRAMP alone
For pure FedRAMP work, any of the recognized 3PAOs can deliver competently. For IL4 work, the assessor's depth on the DoD CC SRG and on the FedRAMP+ overlay matters meaningfully. Not every FedRAMP-accredited 3PAO maintains active IL4 assessment capacity, and the firms that do have varying depth on DoD-specific control parameters.
Kratos / SecureInfo is the most-recognized firm for IL4 and higher DoD work. The firm's parent-company defense heritage produces depth that pure-commercial 3PAOs struggle to match. Coalfire maintains a strong IL4 book through its federal practice. Schellman has growing IL4 capacity but is less established than Kratos or Coalfire in the DoD context.
CSPs whose roadmap includes IL4 should consider selecting a DoD-experienced 3PAO from the start of the FedRAMP Moderate engagement, rather than switching for the IL4 delta. The continuity benefits are meaningful: the firm understands the system end-to-end, can structure the FedRAMP assessment to anticipate the IL4 add-on, and can deliver both authorizations with shared documentation and a shared assessor team. Switching 3PAOs for the IL4 delta typically adds 6 to 10 weeks and $80K to $200K versus staying with the original firm.
Section D
When IL4 is worth doing
IL4 is worth pursuing when the CSP's three-year DoD addressable revenue includes at least $10M to $20M of revenue that is contingent on IL4 authorization. Below that threshold, the $400K to $900K incremental investment plus ongoing IL4 maintenance cost does not produce attractive ROI.
IL4 is not worth pursuing when the CSP's federal addressable market sits within civilian agencies that do not require DoD authorization (HHS, GSA, USDA, Treasury, Commerce, most of the civilian federal footprint). FedRAMP Moderate is sufficient for those agencies, and the IL4 investment produces capacity that the addressable market does not need.
The intermediate case is CSPs whose product fits both civilian and DoD federal markets. For those CSPs, the decision is one of sequencing: FedRAMP Moderate first to unlock the civilian market, then the IL4 add-on once the DoD pipeline materializes. The FedRAMP vs DoD IL5 cost page covers the further-up-the-stack option for CSPs whose DoD revenue justifies pursuing IL5 above IL4.
Section E
Frequently asked questions
What is DoD IL4 and how does it relate to FedRAMP?
DoD Impact Level 4 (IL4) is a Defense Department cloud authorization level for Controlled Unclassified Information (CUI). IL4 uses FedRAMP Moderate as its foundational baseline and adds DoD-specific controls and DISA review to produce a DoD Provisional Authorization (P-ATO). A CSP holding FedRAMP Moderate can pursue IL4 via the FedRAMP+ delta rather than starting from scratch.
What does the IL4 add-on cost beyond FedRAMP Moderate?
The incremental cost of layering IL4 on top of an existing FedRAMP Moderate authorization typically runs $400K to $900K. This covers the DoD-specific SSP enhancement, the DISA-acceptable 3PAO assessment delta, the CUI-specific control additions, and the DISA submission and review process.
Can a CSP get IL4 without FedRAMP Moderate first?
In practice, no. The DoD Cloud Computing Security Requirements Guide (CC SRG) requires FedRAMP Moderate as the prerequisite for IL4 P-ATO. The CC SRG layers DoD-specific controls and requirements on top of the FedRAMP Moderate baseline, so the FedRAMP authorization comes first and IL4 follows.
What additional controls does IL4 require?
The DoD CC SRG adds DoD-specific control parameters and FedRAMP+ overlays that strengthen requirements in areas such as configuration management, identification and authentication, system and communications protection, and physical and environmental protection. Cloud hosting must be in a DoD-approved cloud zone (typically AWS GovCloud, Azure Government, Oracle Government Cloud, or Microsoft Azure DoD).
How long does the IL4 add-on take after FedRAMP Moderate ATO?
Plan for 8 to 14 months from initiating IL4 pursuit to DoD P-ATO. The timeline is shorter than the original FedRAMP authorization because the foundational work is reused, but DISA review adds its own queue time and DoD-specific assessment depth.
Which 3PAOs are accredited for IL4 work?
Not all FedRAMP-accredited 3PAOs perform DoD CC SRG assessment work. Kratos / SecureInfo is the most-recognized firm for IL4 and higher. Coalfire and Schellman both have IL4 books. CSPs whose roadmap includes IL4 typically benefit from selecting a 3PAO with DoD-experienced assessors from the start of FedRAMP Moderate.
Section F