What are Impact Levels?

Impact levels are used within certain security frameworks, such as those provided by the United States Department of Defense (DoD), to categorize the potential impact of unauthorized disclosure, alteration, or destruction of information. These levels help to guide the selection of security controls and measures that need to be implemented to protect information and information systems based on their sensitivity and importance.

In the context of cloud computing, for instance, the DoD assigns cloud services to Impact Level (IL) categories, ranging from IL2 to IL6. Each category defines the type of data that can be processed, stored, and used on a cloud service, as well as the security protections required.

Here is a general outline of what different impact levels might represent:

  • Impact Level 2 (IL2): For non-controlled unclassified information that is not sensitive. Suitable for public or non-sensitive data.
  • Impact Level 4 (IL4): For controlled unclassified information (CUI) that requires protection against unauthorized disclosure.
  • Impact Level 5 (IL5): For CUI that requires a higher level of protection, and may also be used for National Security Systems.
  • Impact Level 6 (IL6): For classified information up to the level of Secret.

Each higher level typically includes the requirements of the lower levels and adds further controls or measures. These impact levels influence not just the technological solutions but also the policies, procedures, and personnel training that must be in place for an information system's accreditation.