Did you know that according to the 2022 Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) the Cloud Service Providers (CSPs) with an IL4 or IL5 status may need a SOC 1 report?
Defining IL 4 & IL 5
“IL” stands for Impact Level, which is based on the sensitivity of the information stored or processed and on the potential impact that a loss of confidentiality, integrity, or availability of that information could have if it were compromised.
Multiple classifications are used for organizations working with the DoD, but the most pertinent to the 2022 DoD SRG are IL4 and IL5.
- DoD IL4 – IL4 organizations must adhere to the elevated FedRAMP Moderate control requirements and the security requirements defined in Section 5 of the CC SRG.
- DoD IL5 – IL5 organizations are able to host unclassified National Security Systems (NSSs) supporting DoD missions. This comes with additional controls on top of the IL4 controls.
Why Your Organization Needs a SOC 1
Any cloud service or data hosting organization that offers hosting, or that delivers financial or non-financial applications relevant to DoD financial statement audits, will be required to have a SOC 1 Type 2 report with IT general control objectives.
In addition, Application Service Providers (ASPs) will need to add business process control objectives for how they may manage applicable financial data.
Many organizations have already received a letter about compliance for the next year. Since the SOC 1 Type 2 period runs from Oct. 1 to Jun. 30 every year, now is the perfect time to get started on the necessary compliance attestations.
Choosing an Experienced SOC 1 Partner
Auditwerx’s experienced SOC 1 team is here to support your organization’s compliance needs. When it comes to the DoD SRG, we can offer the SOC 1 Type 2 services you need, and we can work with your existing compliance partners to ensure your examination is completed in a timely and transparent manner.