Department of Defense cloud environments operate at Impact Levels that impose security requirements significantly more stringent than standard FedRAMP Moderate. IL4 covers Controlled Unclassified Information (CUI) and IL5 covers National Security Systems information at the unclassified level. Container workloads running in IL4 and IL5 environments face vulnerability thresholds, scanning requirements, and hardening standards that require a different approach than typical commercial container security programs.
The DoD Impact Level Framework
The Cloud Computing Security Requirements Guide (CC SRG) defines the impact level framework:
IL2: Publicly releasable data. Roughly equivalent to FedRAMP Low.
IL4: Controlled Unclassified Information (CUI). FedRAMP Moderate baseline plus DoD-specific requirements. Many DoD contracts involve IL4 data.
IL5: CUI that requires additional protection beyond IL4, plus National Security Systems information at the unclassified level. The most stringent unclassified DoD cloud authorization level.
IL6: Classified information. Beyond the scope of commercial cloud containers for most providers.
IL4 Container Security Requirements
IL4 requires FedRAMP Moderate controls plus DoD-specific augmentations. For container scanning:
RA-5 Enhanced: Vulnerability scanning frequency requirements are more demanding than Moderate. DISA guidance for IL4 environments typically requires scanning within 72 hours of new CVE disclosure for in-scope systems, in addition to scanning before every deployment.
CM-7 Stringent Interpretation: “Least functionality” at IL4 is not advisory — DISA STIGs provide specific guidance on what should and should not be present in containerized systems. The DISA Container Platform SRG and the relevant application STIGs define what packages and capabilities are acceptable.
Zero Critical CVE Threshold: While FedRAMP Moderate may allow documented risk acceptance for some Critical CVEs, IL4 implementations typically require zero open Critical CVEs, with the only tolerated exception being Critical CVEs whose patches are actively in progress.
DISA STIG Compliance: Container images must comply with applicable DISA STIGs. This includes the Container Platform SRG, OS-level STIGs for the container base OS, and application-specific STIGs where applicable.
IL5 Additional Requirements
IL5 adds requirements beyond IL4:
More Aggressive Patching Timelines: Critical CVEs must typically be patched within days rather than weeks. An IL5 system with an open Critical CVE may trigger a halt to operations until the vulnerability is addressed.
Enhanced Boundary Controls: IL5 requires more stringent separation between IL5 data and lower-classification data, which may affect how container registries and orchestration platforms are configured.
DISA Approved Tools: IL5 environments may require the use of DISA-approved or DISA-validated tools for specific security functions. Container scanning tools used in IL5 environments should be evaluated against DISA’s Approved Products List (APL).
Why Standard Container Security Programs Are Insufficient
Commercial container security programs typically accept residual CVE counts that IL4/IL5 requirements cannot accommodate:
| Metric | Typical Commercial | IL4 Target | IL5 Target |
|---|---|---|---|
| Critical CVEs per image | 5-20 | 0 | 0 |
| High CVEs per image | 10-50 | 0-3 | 0 |
| Scan-to-remediation (Critical) | 7-30 days | 24-72 hours | Same day |
| SBOM availability | On request | Per deployment | Per deployment |
| Runtime profiling | Optional | Required | Required |
The gap between typical commercial posture and IL4/IL5 requirements is not bridgeable through process improvements alone. The CVE counts in standard unminimized base images are too high. IL4/IL5 environments require a fundamentally different approach to image security that starts from near-zero CVE baselines.
Achieving IL4/IL5 CVE Targets
FedRAMP container scanning programs designed for IL4/IL5 environments must achieve near-zero CVE counts as the operational baseline, not as an aspirational target. The technical approach:
Stage 1: Base image selection: Start from the most minimal available base for the required runtime. For Linux containers, this means Alpine or distroless bases. For frameworks requiring specific OS libraries, use slim variants with documented package justification.
Stage 2: Automated hardening: Apply runtime profiling-based hardening to remove packages without execution evidence. For an IL4/IL5 environment, the hardening must be documented with sufficient specificity for DISA review: which packages were present, which profiling methodology was used, which packages were removed, and why each retained package is necessary.
Stage 3: Post-hardening verification: Scan the hardened image against DISA STIG checklists and CVE databases. Document any remaining findings with specific remediation timelines.
Stage 4: Continuous monitoring: For IL4/IL5, continuous monitoring is not monthly — it is event-driven. New CVE disclosures that match any package in any in-scope image trigger an immediate assessment and remediation workflow.
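As an added illustration of Stages 3 and 4 (not code from this page or from any vendor tool), the following policy gate applies the article's IL4/IL5 thresholds to one image's scan findings and shows the event-driven trigger, in which a new disclosure is matched against each in-scope image's SBOM. The 72-hour and same-day windows are modelled as 72 and 24 hours, and the findings, SBOMs and CVE ids are constructed placeholders.

```python
"""IL4/IL5 CVE gate for one image's scan findings (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are the article's IL4/IL5 targets; IL5 "same day" is read as 24 hours
# and the IL4 window as 72 hours (assumptions, not DISA text).
POLICY = {
    "IL4": {"critical_max": 0, "high_max": 3, "critical_sla": timedelta(hours=72)},
    "IL5": {"critical_max": 0, "high_max": 0, "critical_sla": timedelta(hours=24)},
}

@dataclass(frozen=True)
class Finding:
    cve: str
    package: str          # "name@version" as listed in the image SBOM
    severity: str         # CRITICAL / HIGH / MEDIUM / LOW
    disclosed: datetime   # CVE publication time, UTC
    fix_in_progress: bool = False  # patch work documented and actively tracked

def evaluate(findings, level, now):
    """Apply the IL4 or IL5 thresholds to one image; returns (passed, reasons)."""
    rules = POLICY[level]
    crit = [f for f in findings if f.severity == "CRITICAL"]
    high = [f for f in findings if f.severity == "HIGH"]
    # IL4 tolerates a Critical only while a patch is actively in progress; IL5 tolerates none.
    blocking = [f for f in crit if not (level == "IL4" and f.fix_in_progress)]
    overdue = [f for f in crit if now - f.disclosed > rules["critical_sla"]]
    reasons = []
    if len(blocking) > rules["critical_max"]:
        reasons.append("open Critical: " + ", ".join(f.cve for f in blocking))
    if len(high) > rules["high_max"]:
        reasons.append(f"{len(high)} High CVE(s) exceed limit of {rules['high_max']}")
    for f in overdue:
        reasons.append(f"{f.cve} past the {level} remediation window")
    return (not reasons, reasons)

def affected_images(disclosed_packages, sboms):
    """Event-driven trigger: in-scope images whose SBOM lists a newly disclosed package."""
    hit = set(disclosed_packages)
    return sorted(img for img, pkgs in sboms.items() if hit & set(pkgs))

NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE = [  # constructed findings; the CVE ids are placeholders, not real disclosures
    Finding("CVE-0000-0001", "openssl@3.0.1", "CRITICAL", NOW - timedelta(hours=20), True),
    Finding("CVE-0000-0002", "curl@8.0.0", "HIGH", NOW - timedelta(days=10)),
]
SBOMS = {"api": ["openssl@3.0.1", "curl@8.0.0"], "worker": ["musl@1.2.4"]}  # constructed
```

The same sample image passes the IL4 gate (the Critical has a tracked patch) and fails IL5 twice, which is the deferral difference the FAQ below describes.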
Frequently Asked Questions
What is the difference between IL4 and IL5 container scanning requirements?
IL4 requires FedRAMP Moderate controls plus DoD-specific augmentations, including scanning within 72 hours of new CVE disclosure and a zero open Critical CVE threshold. IL5 imposes even more aggressive patching timelines — Critical CVEs must typically be addressed within days rather than weeks — and may require the use of DISA-approved scanning tools from the Approved Products List. Both levels require per-deployment scanning and SBOM attestation, but IL5 allows effectively no remediation deferral for Critical findings.
Why are standard commercial container security programs insufficient for DoD IL4 and IL5?
Commercial programs typically accept residual CVE counts that IL4 and IL5 requirements cannot accommodate — standard unminimized base images carry 5–20 Critical CVEs, while IL4 and IL5 targets are zero. The scan-to-remediation window for Critical CVEs at IL5 is same-day versus the 7–30 days common in commercial programs. Bridging this gap requires a fundamentally different starting point: near-zero CVE baselines achieved through automated hardening, not process improvements applied to high-CVE images.
What is DISA STIG compliance for container images?
DISA STIGs (Security Technical Implementation Guides) are configuration standards that define specific security requirements for containerized systems in DoD environments. For containers, compliance requires removing unnecessary packages (addressed by runtime profiling-based hardening), minimizing attack surface, and providing integrity verification through image signing and SBOM attestation. The DISA Container Platform SRG provides the complete control set, and hardening records that document which packages were removed and why provide the evidence that STIG assessors require.
How does automated hardening help achieve IL4 and IL5 CVE targets?
Automated hardening uses runtime execution profiling to identify which packages are actually loaded during application operation, then removes all packages with no execution evidence. This process eliminates the large majority of CVEs in a standard container image — those residing in system utilities, build tools, and OS packages that the application never invokes. The resulting image starts from a near-zero CVE baseline, which is the operational prerequisite for IL4 and IL5 continuous monitoring requirements.
DISA STIG Compliance for Containers
Hardened container images that have been processed through runtime profiling and automated package removal address many DISA STIG controls for containers:
- STIG requirement to remove unnecessary packages: satisfied by documented profiling and removal workflow
- STIG requirement for minimal attack surface: satisfied by retention of only executed packages
- STIG requirement for integrity verification: satisfied by image signing and SBOM attestation
The DISA Container Platform SRG provides the complete control set. A hardened image with documented removal evidence satisfies the minimal footprint controls more completely than manual Dockerfile optimization, because the removal decisions are based on observed execution behavior rather than developer judgment.
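The profiling-based removal described in the automated hardening FAQ above and the documented removal evidence named in the STIG bullets can be captured in a single hardening record. This is an added example, not the article's or any product's code; the package manifest and the profiling trace are constructed, and the record format is an assumption about what an assessor would want to see.

```python
"""Hardening record from runtime profiling evidence (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    files: tuple   # paths the package owns, as the package manager lists them

def index_files(packages):
    """Map every owned file path to its package name."""
    return {path: p.name for p in packages for path in p.files}

def build_record(packages, observed_paths, keep_always=()):
    """Classify each package as retained or removed and keep the evidence behind the decision.

    observed_paths: files opened or executed while the workload was profiled under load.
    keep_always:    packages retained on a documented justification despite no evidence.
    """
    owner = index_files(packages)
    evidence, unattributed = {}, []
    for path in observed_paths:
        if path in owner:
            evidence.setdefault(owner[path], []).append(path)
        else:
            unattributed.append(path)   # application files etc.; the reviewer must account for them
    record = {"retained": {}, "removed": {}, "unattributed": sorted(set(unattributed))}
    for p in packages:
        if p.name in evidence:
            record["retained"][p.name] = {"reason": "executed during profiling",
                                          "evidence": sorted(set(evidence[p.name]))}
        elif p.name in keep_always:
            record["retained"][p.name] = {"reason": "documented justification", "evidence": []}
        else:
            record["removed"][p.name] = {"reason": "no execution evidence during profiling"}
    return record

PACKAGES = (  # constructed manifest of a small image
    Package("musl", ("/lib/ld-musl-x86_64.so.1", "/lib/libc.musl-x86_64.so.1")),
    Package("libssl3", ("/usr/lib/libssl.so.3",)),
    Package("curl", ("/usr/bin/curl", "/usr/lib/libcurl.so.4")),
    Package("busybox", ("/bin/busybox", "/bin/sh")),
)
OBSERVED = (  # constructed profiling trace of paths loaded while the service handled traffic
    "/lib/ld-musl-x86_64.so.1", "/lib/libc.musl-x86_64.so.1",
    "/usr/lib/libssl.so.3", "/app/server", "/lib/libc.musl-x86_64.so.1",
)
```

Running `build_record(PACKAGES, OBSERVED, keep_always=("busybox",))` retains musl and libssl3 on evidence, busybox on justification, removes curl, and flags `/app/server` as a path no package owns.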
DoD organizations pursuing IL4/IL5 container authorization should treat CVE reduction not as a target but as a prerequisite: the authorization process assumes that CVE management is already in place and functioning before the authorization submission.