Department of Defense (DoD) in Azure Government
Overview
Azure Government is used by the US Department of Defense (DoD) entities to deploy a broad range of workloads and solutions. Some of these workloads can be subject to the DoD Cloud Computing Security Requirements Guide (SRG) Impact Level 4 (IL4) and Impact Level 5 (IL5) restrictions. Azure Government was the first hyperscale cloud services platform to be awarded a DoD IL5 Provisional Authorization (PA) by the Defense Information Systems Agency (DISA). For more information about DISA and DoD IL5, see Department of Defense (DoD) Impact Level 5 compliance documentation.
Azure Government offers the following regions to DoD mission owners and their partners:
Regions | Relevant authorizations | # of IL5 PA services |
---|---|---|
US Gov Arizona US Gov Texas US Gov Virginia |
FedRAMP High, DoD IL4, DoD IL5 | 150 |
US DoD Central US DoD East |
DoD IL5 | 60 |
Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) are intended for US federal (including DoD), state, and local government agencies, and their partners. Azure Government regions US DoD Central and US DoD East (US DoD regions) are reserved for exclusive DoD use. Separate DoD IL5 PAs are in place for US Gov regions vs. US DoD regions. For service availability in Azure Government, see Products available by region.
The primary differences between DoD IL5 PAs that are in place for US Gov regions vs. US DoD regions are:
- IL5 compliance scope: US Gov regions have many more services authorized provisionally at DoD IL5, which in turn enables DoD mission owners and their partners to deploy more realistic applications in these regions.
- For a complete list of services in scope for DoD IL5 PA in US Gov regions, see Azure Government services by audit scope.
- For a complete list of services in scope for DoD IL5 in US DoD regions, see US DoD regions IL5 audit scope in this article.
- IL5 configuration: US DoD regions are reserved for exclusive DoD use. Therefore, no extra configuration is needed in US DoD regions when deploying Azure services intended for IL5 workloads. In contrast, some Azure services deployed in US Gov regions require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
Note
If you are subject to DoD IL5 requirements, we recommend that you prioritize US Gov regions for your workloads, as follows:
- New deployments: Choose US Gov regions for your new deployments. Doing so will allow you to benefit from the latest cloud innovations while meeting your DoD IL5 isolation requirements.
- Existing deployments: If you have existing deployments in US DoD regions, we encourage you to migrate these workloads to US Gov regions to take advantage of additional services.
Azure provides extensive support for tenant isolation across compute, storage, and networking services to segregate each customer's applications and data. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously helping prevent other customers from accessing your data or applications.
Hyper-scale cloud also offers a feature-rich environment incorporating the latest cloud innovations such as artificial intelligence, machine learning, IoT services, intelligent edge, and many more to help DoD mission owners implement their mission objectives. Using Azure Government cloud capabilities, you benefit from rapid feature growth, resiliency, and the cost-effective operation of the hyper-scale cloud while still obtaining the levels of isolation, security, and confidence required to handle workloads subject to FedRAMP High, DoD IL4, and DoD IL5 requirements.
US Gov regions IL5 audit scope
For a complete list of services in scope for DoD IL5 PA in US Gov regions (US Gov Arizona, US Gov Texas, and US Gov Virginia), see Azure Government services by audit scope.
US DoD regions IL5 audit scope
The following services are in scope for DoD IL5 PA in US DoD regions (US DoD Central and US DoD East):
- API Management
- Application Gateway
- Microsoft Entra ID (Free
- Microsoft Entra ID (P1 + P2)
- Azure Analysis Services
- Azure Backup
- Azure Cache for Redis
- Azure Cloud Services
- Azure Cosmos DB
- Azure Database for MySQL
- Azure Database for PostgreSQL
- Azure DNS
- Azure ExpressRoute
- Azure Firewall
- Azure Front Door
- Azure Functions
- Azure HDInsight
- Azure Lab Services
- Azure Logic Apps
- Azure Managed Applications
- Azure Media Services
- Azure Monitor
- Azure Resource Manager
- Azure Scheduler (replaced by Azure Logic Apps)
- Azure Service Fabric
- Azure Service Manager (RDFE)
- Azure Site Recovery
- Azure SQL Database
- Azure Synapse Analytics
- Batch
- Dynamics 365 Customer Engagement
- Event Grid
- Event Hubs
- Import/Export
- Key Vault
- Load Balancer
- Microsoft Azure portal
- Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
- Microsoft Graph
- Microsoft Stream
- Network Watcher
- Power Apps
- Power Apps portal
- Power Automate (formerly Microsoft Flow)
- Power BI
- Power BI Embedded
- Service Bus
- SQL Server Stretch Database
- Storage: Blobs (incl. Azure Data Lake Storage Gen2)
- Storage: Disks (incl. managed disks)
- Storage: Files
- Storage: Queues
- Storage: Tables
- Traffic Manager
- Virtual Machine Scale Sets
- Virtual Machines
- Virtual Network
- VPN Gateway
- Web Apps (App Service)
Frequently asked questions
What are the US DoD regions?
Azure Government regions US DoD Central and US DoD East (US DoD regions) are physically separated Azure Government regions reserved for exclusive use by the DoD. They reside on the same isolated network as Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) and use the same identity model. Both the network and identity model are separate from Azure commercial.
What is the difference between US Gov regions and US DoD regions?
Azure Government is a US government community cloud providing services for federal, state and local government customers, tribal entities, and other entities subject to various US government regulations such as CJIS, ITAR, and others. All Azure Government regions are designed to meet the security requirements for DoD IL5 workloads. They're deployed on a separate and isolated network and use a separate identity model from Azure commercial regions. US DoD regions achieve DoD IL5 tenant separation requirements by being dedicated exclusively to DoD. In US Gov regions, some services require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
How do US Gov regions support IL5 data?
Azure provides extensive support for tenant isolation across compute, storage, and networking services to segregate each customer's applications and data. This approach provides the scale and economic benefits of multi-tenant cloud services while rigorously helping prevent other customers from accessing your data or applications. Some Azure services deployed in US Gov regions require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
What is IL5 data?
IL5 accommodates controlled unclassified information (CUI) that requires a higher level of protection than is afforded by IL4 as deemed necessary by the information owner, public law, or other government regulations. IL5 also supports unclassified National Security Systems (NSS). This impact level accommodates NSS and CUI categorizations based on CNSSI 1253 up to moderate confidentiality and moderate integrity (M-M-x). For more information on IL5 data, see DoD IL5 overview.
What is the difference between IL4 and IL5 data?
IL4 data is controlled unclassified information (CUI) that may include data subject to export control, protected health information, and other data requiring explicit CUI designation (for example, For Official Use Only, Law Enforcement Sensitive, and Sensitive Security Information).
IL5 data includes CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or government regulation. IL5 data is inclusive of unclassified National Security Systems.
Do Azure Government regions support classified data such as IL6?
No. Azure Government regions support only unclassified data up to and including IL5. In contrast, IL6 data is defined as classified information up to Secret, and can be accommodated in Azure Government Secret.
What DoD organizations can use Azure Government?
All Azure Government regions are built to support DoD customers, including:
- The Office of the Secretary of Defense
- The Joint Chiefs of Staff
- The Joint Staff
- The Defense Agencies
- Department of Defense Field Activities
- The Department of the Army
- The Department of the Navy (including the United States Marine Corps)
- The Department of the Air Force
- The United States Coast Guard
- The unified combatant commands
- Other offices, agencies, activities, and commands under the control or supervision of any approved entity named above
What services are available in Azure Government?
For service availability in Azure Government, see Products available by region.
What services are part of your IL5 authorization scope?
For a complete list of services in scope for DoD IL5 PA in US Gov regions, see Azure Government services by audit scope. For a complete list of services in scope for DoD IL5 PA in US DoD regions, see US DoD regions IL5 audit scope in this article.
Next steps
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for