DoDI 8510.01 · Risk Management Framework for DoD

DoD Cloud Authorization, Built on STIG-Hardened Infrastructure

DoDI 8510.01 codifies how the Department of Defense applies the NIST Risk Management Framework. Combined with the DoD Cloud Computing SRG, it defines what cloud services qualify for DoD workloads at each Impact Level. Our IL2-authorized platform inherits DoD-specific requirements — DISA STIG hardening, US persons support, CAC/PIV identity — out of the box.

7 RMF Process Steps · 4 Cloud Impact Levels · 800+ DISA STIGs Supported · IL2 Current GDH Authorization

DoD IL2 Authorized · DoDI 8510.01 RMF · DISA STIG Hardened · CAC / PIV Compatible · US Persons Only

Why It Matters

What DoD RMF Means for Your Organization

The Department of Defense applies the NIST Risk Management Framework through its own implementing instruction — DoDI 8510.01 — which adds DoD-specific roles, tooling, categorization standards, and control overlays. Combined with the DoD Cloud Computing Security Requirements Guide, these documents define the rules of the road for DoD cloud authorization.

Replaces DIACAP

DoDI 8510.01 fully replaced the legacy DIACAP process. RMF transition completed in 2017, and all new DoD systems must follow RMF; legacy systems migrate at reauthorization.

DISA STIGs Are Mandatory

DoD systems must implement applicable DISA Security Technical Implementation Guides. STIG compliance is checked continuously and reported through automated tooling.

Documentation in eMASS

Most DoD components use Enterprise Mission Assurance Support Service for RMF documentation, ATO packages, POA&M tracking, and continuous monitoring artifact submission.

Reciprocity Across Components

DoD policy explicitly favors reciprocity. An authorization issued by one component’s AO can be accepted by another component’s AO without commissioning a new assessment, when impact levels align.

DoD Cloud Computing Security Requirements Guide

Four Cloud Impact Levels for DoD Workloads

The DoD CC SRG layers DoD-specific requirements on top of the FedRAMP baseline. Cloud Service Offerings supporting DoD missions must be authorized at the appropriate Impact Level based on the sensitivity of the data they process.

IL4 · CUI & Mission Support
FedRAMP High + DoD CUI controls
  • CUI, export-controlled, FOUO data
  • Mission support & non-NSS workloads
  • Available through partner platforms
  • CAC/PIV authentication required

IL5 · NSS & Higher Sensitivity CUI
IL4 baseline + NSS controls
  • National Security Systems (unclassified)
  • Higher sensitivity CUI & mission systems
  • Available through partner platforms
  • Dedicated infrastructure required

IL6 · Classified — SECRET
SECRET-level classified information
  • Information classified up to SECRET
  • Operates on dedicated SIPRNet enclave
  • Outside the scope of commercial cloud offerings
  • Requires cleared personnel & facilities

DoDI 8510.01 — DoD RMF Process

The 7-Step DoD Risk Management Framework

DoDI 8510.01 implements the NIST RMF for DoD information systems and Platform IT, replacing the legacy DIACAP process. The DoD adds its own categorization standard (CNSSI 1253), tooling (eMASS), and overlays (Privacy, Classified, Cross Domain, Tactical, Space).

1. Prepare: Establish context and risk environment for the system; identify Authorizing Official, ISSO, ISSE, and System Owner roles.
2. Categorize: Apply CNSSI 1253 (the DoD/IC variant of FIPS 199) to determine impact levels and required overlays. Document in eMASS.
3. Select: Select the NIST 800-53 baseline plus applicable DoD overlays. Tailor controls per system context. Document the control selection rationale.
4. Implement: Deploy controls. DISA STIGs apply by default for DoD systems. Implementation evidence is captured directly in eMASS.
5. Assess: An independent Security Control Assessor evaluates each control. Component AOs may also require Validator participation.
6. Authorize: The Authorizing Official issues an ATO, IATT, or DATO based on residual risk. Conditions and restrictions are documented in the ATO letter.
7. Monitor: Continuous monitoring per NIST 800-137. STIG compliance tracking, vulnerability scanning, and ConMon reporting via eMASS.

Reciprocity: DoD policy strongly encourages reciprocity. An ATO from one component is generally accepted by another component reviewing the package.

Built for DoD Workloads

DoD-Ready Infrastructure with STIG Hardening

Our IL2-authorized platform is engineered to inherit DoD-specific requirements: DISA STIG-hardened images, US-only data residency, US citizen support staff, FIPS 140-2 validated cryptography, and CAC/PIV-compatible authentication. For IL4 and IL5 workloads we partner with AWS GovCloud and Azure Government cloud platforms.

| DoD RMF Activity | GovDataHosting Handles | You Handle |
| --- | --- | --- |
| CNSSI 1253 Categorization | Templates & categorization workshops | Final categorization per program needs |
| Baseline Control Selection | Pre-selected baselines for IL2 / FedRAMP High | Application overlays & tailoring decisions |
| DISA STIG Hardening | 800+ STIG-compliant images, automated checks | Application-level STIG compliance |
| eMASS Documentation Support | Inheritance language & control narratives | eMASS package authorship & submission |
| CAC / PIV Authentication | PKI-enabled identity infrastructure | Application identity integration |
| US Persons / US Data Residency | US datacenters, US citizen support staff | Nothing — sovereignty is fully ours |
| FIPS 140-2 Cryptography | FIPS-validated modules across the platform | Application crypto configuration |
| Continuous Monitoring | Infrastructure scans, STIG drift alerts | Application scan review & POA&M items |

The GovDataHosting Process

Your Path to DoD RMF Compliance

Our proven methodology shortens timelines and reduces risk by combining inheritable controls, dedicated compliance staff, and direct experience with DoD RMF-aligned authorizations.

Step 1

Categorize per CNSSI 1253

Determine system impact and identify required DoD overlays (Privacy, Classified, Cross Domain, Tactical, Space).

Step 2

Inherit from FedRAMP High

Map system to GovDataHosting’s FedRAMP High + IL2 baseline. Apply DoD overlays where required by program.

Step 3

STIG & Implement

Deploy on STIG-hardened infrastructure. Implement DoD-specific application controls. Document everything in eMASS.

Step 4

SCA & Authorize

Coordinate Security Control Assessor activities, support AO decision, transition to continuous monitoring with STIG drift tracking.

Frequently Asked Questions

DoD RMF FAQs

What is the difference between FedRAMP High and DoD CC SRG IL4?

FedRAMP High is the foundation; IL4 builds on it. To reach IL4, a Cloud Service Offering must hold a FedRAMP High authorization, then satisfy additional DoD-specific requirements: US persons-only access for privileged operations, additional CUI handling controls, CAC/PIV authentication, and a DoD-specific assessment by DISA. IL5 layers further requirements for National Security System workloads.

Do I need IL4 or can I run on IL2?

It depends entirely on the data your system handles. If your workload contains no CUI — public information, agency operational data without sensitive content, training environments with synthetic data — IL2 may be sufficient. The moment Controlled Unclassified Information enters the system, you typically need IL4 (or higher for export-controlled or NSS data). Your sponsoring component’s AO makes the final determination.

How does eMASS fit into the RMF process?

Enterprise Mission Assurance Support Service is the DoD’s system of record for RMF artifacts. The SSP, control implementation evidence, SAR, POA&M, and ATO letter live in eMASS. Continuous monitoring data feeds in through automated and manual submissions. We provide content for eMASS sections — control narratives, inheritance language, evidence references — but eMASS package authorship and submission stay with your government program team.

Can a contractor get an ATO, or only the government?

ATOs are issued by government Authorizing Officials, not by contractors. However, contractor-operated systems often hold an ATO issued by the sponsoring government program’s AO, with the contractor responsible for implementation, evidence, and continuous monitoring. The system holds the ATO; the contractor operates under it. Our role is to provide the underlying infrastructure with inheritable controls and documentation that supports the contractor’s evidence package.

Ready to Pursue a DoD ATO?

Schedule a free DoD authorization review. We will help map impact levels, identify applicable overlays, and project a path to ATO with maximum control inheritance.