Understanding Impact Levels

The Department of Defense (DoD) uses Impact Levels (IL) to classify information systems based on the potential consequences if their data is compromised. This classification ensures that each system has appropriate security measures.

Each Impact Level considers three main security aspects:

• Confidentiality: Ensuring only authorized individuals access the information.
• Integrity: Maintaining the accuracy and trustworthiness of the information.
• Availability: Guaranteeing reliable access to information for authorized users.

The Defense Information Systems Agency (DISA) developed the DoD Cloud Computing Security Requirements Guide (CC SRG) to provide security guidelines for cloud computing. This guide incorporates standards from:

• Federal Information Security Management Act (FISMA)
• National Institute of Standards and Technology (NIST) Special Publication 800-37

The CC SRG extends the FedRAMP framework with enhanced, DoD-specific security controls designed to meet the distinct demands of military and national security systems.

---

Overview of Impact Levels

The DoD defines several Impact Levels, each corresponding to the sensitivity of the data:

Impact Level 2 (IL2)Impact Level 4 (IL4)Impact Level 5 (IL5)Impact Level 6 (IL6)

• Data Type: Publicly releasable information.
• Use Case: Suitable for systems handling non-sensitive data.

• Data Type: Controlled Unclassified Information (CUI).
• Use Case: Systems requiring protection for sensitive but unclassified data.

• Data Type: Controlled Unclassified Information (CUI) and National Security Systems (NSS) information.
• Use Case: Systems that handle higher sensitivity data needing stricter controls.

• Data Type: Classified information up to SECRET level.
• Use Case: Systems managing classified data with the highest security requirements.

Why Impact Levels matter

If your organization wants to work with the DoD, understanding Impact Levels is essential due to the following reasons:

1. You must match the right security level:

Each DoD project or system requires a certain level of protection. The Impact Level tells you:

• What kind of data you're dealing with (e.g., public, sensitive, or classified).
• What security controls are needed to protect that data.

If your solution doesn't meet the required Impact Level, it can't be used in that environment.

2. It impacts your cloud hosting choices:

Not all cloud platforms are authorized for every Impact Level. For example:

• IL2 can use commercial cloud environments.
• IL5 and IL6 require specially authorized environments.

This affects how and where you can deploy your software.

3. It shapes your compliance path:

The higher the Impact Level, the more security and documentation you need. Knowing your target level early helps you:

• Plan your compliance and certification strategy.
• Avoid surprises later in the authorization process.

4. It builds trust with DoD partners:

Demonstrating that you understand and meet the right Impact Level shows:

• You’re serious about cybersecurity.
• You’re a credible partner for defense work.

---

Game Warden environments

Game Warden environments are aligned with DoD Impact Levels and follow a structured deployment lifecycle. Each deployment stage corresponds to a designated Impact Level aligned with the data sensitivity and operational purpose of that environment.

Development (DEV)Staging (STG)Production (PRD)

Your application is first deployed to the Game Warden Commercial environment, which serves as our DEV for early configuration, code validation, and foundational functional testing. This environment is authorized for non-classified data only and provides broad access for both your team and Game Warden customer engineering staff.

During this phase, our engineers work closely with your team to validate configurations, resolve issues, and confirm that your application operates effectively within the Game Warden ecosystem before progressing to higher security boundaries.

After initial onboarding, your application is promoted to the Staging (STG) environment. The Impact Level of the STG environment matches the intended Production (PRD) IL. For example, if your application is destined for IL5 production, your staging environment will also operate at IL5.

This is where extensive testing and verification take place under real-world conditions. Access to STG is more tightly controlled and may be limited depending on classification and mission sensitivity.

Once staging tests are successfully completed, your application is deployed to Production (PRD) at your selected IL (IL4 or IL5). This live environment is accessible to authorized end users and is protected by the full set of controls appropriate to its Impact Level.

Game Warden supports production deployments at IL4 and IL5, with IL6 support on the roadmap. Additional security controls are applied as the Impact Level increases to ensure compliance and operational integrity.

Warning

Access to each environment is restricted based on the user's assigned IL. Only personnel with the appropriate credentials and authorizations can access higher-level environments such as IL5.