Defense-grade cloud authorization. Engineered at the implementation level.

bladestack.io is the only advisory-only 3PAO built for DoD cloud authorization. We engineer the technical reality behind DoD Provisional Authorization, boundary architecture, BCAP connectivity, DoD PKI integration, and evidence structures that survive DISA validation. Whether you're pursuing authorization directly or uplifting from FedRAMP, we build packages where the documentation matches the implementation.

Why Choose bladestack.io for DoD?

Two entry points. One standard of engineering.

DoD Impact Levels introduce failure modes that most firms never touch: NIPRNet connectivity through Boundary Cloud Access Points, DoD PKI certificate trust chains, management plane isolation requirements, and control parameters that tighten significantly from FedRAMP baselines. These aren't documentation problems. They're architectural commitments that shape your network, identity plane, and operations model before you write a single word in the SSP Addendum.

Most firms do this backwards. They grab the FedRAMP package, add DoD-specific language to the Addendum, and hope DISA's JVT doesn't drill into the implementation details. That approach produces comment cycles, rework, and credibility loss with assessors who know when they're reading template language.

We start with architecture. We understand your boundary, your connectivity model, your identity flows, your encryption posture. Then we build documentation that tells the truth about what exists. When DISA schedules the Technical Exchange Meeting and starts asking about your SCCA alignment or your BCAP integration timeline, we answer with implementation specifics, not "we'll get back to you."

Differentiators

Same market. Different operating standard.

Advisory-only. Engineer-led. DoD-literate. No Surprises. Custom-built. Here's what those words actually mean.

We help you right-size before you overbuild

The gap between FedRAMP Moderate and DoD IL5 is not paperwork, it's physics. It’s network isolation, dedicated infrastructure, and FIPS-validated cryptography at every layer. We don't just document the delta; we engineer it. We configure the subnets, tune the WAFs, and harden the images to meet the Cloud Computing Security Requirements Guide (CC SRG).

DISA Fluency

We speak the language of the Cloud Assessment Division (RE2). We understand the nuances of the DoD Cloud Authorization Process, from the Initial Intake meeting to the DSAWG review. We guide you through the registration in the SNAP database, the Cloud Approval to Connect (CATC), and the intricate dance of obtaining a DoD Provisional Authorization (PA).

US Persons, US Soil

DoD requirements for personnel are non-negotiable. Our team is comprised of US Citizens located in the United States. We understand the ITAR, EAR, and sovereignty requirements inherent in DoD work. When we access your environment to advise or engineer, we meet the same standards your agency sponsor demands.

No Assessment Conflict

We hold 3PAO accreditation, but we will never assess you. This allows us to sit on your side of the table during the rigorous DISA validation process. When the JVT (Joint Validation Team) asks hard questions about your boundary, we help you answer them with technical precision.

DoD realities, not DoD buzzwords

Ask your current advisor to explain the difference between IL4 Moderate and IL4 High inactivity timeout requirements. Ask them to configure DoD PKI certificate validation for privileged access. Ask them to design management plane isolation that satisfies Section 5.3.3 without destroying your deploy velocity. Ask them what happens when the JVT includes representatives from CAO, SCCA PMO, and NIC teams simultaneously. We answer those questions because our engineers have built those implementations.

Packages built for Cloud eMASS inheritance

DoD authorization is not just producing artifacts. It is organizing control implementations and evidence so mission owners can inherit without ambiguity. We structure packages for how Cloud eMASS is used, not how marketing decks describe it.

Service Lines

Choose your blade.

Flexible engagement models to suit your mission. From strategic advisory to fully managed platforms.


DoD · Advisory Service Components

For organizations pursuing DoD Provisional Authorization or uplifting from an existing FedRAMP baseline

Most firms treat DoD authorization as a FedRAMP add-on, a few extra controls and an SSP Addendum. That's how packages stall in comment cycles while JVT members ask questions nobody prepared for. We build DoD packages from architecture up, with documentation that survives technical scrutiny from assessors who know the CC SRG better than your team does.

  • DoD Authorization Advisory: Complete DoD security package development: SSP with DoD-specific parameters, architecture aligned to CC SRG requirements, evidence structures for Cloud eMASS, and validation preparation. For direct DoD PA pursuit or FedRAMP-to-DoD uplift paths.
  • DoD Readiness Assessment: Technical assessment against your target Impact Level. Full scope analysis of CC SRG requirements, architectural readiness, and, for uplift scenarios, delta-driven roadmap showing what must change, what can be inherited, and what creates schedule risk. Impact Level selection guidance before you commit resources.
  • SSP and Addendum Development: Documentation in the style DISA expects: clear data flows, clear trust boundaries, clear inheritance models, no contradictions. Authorization boundary diagrams that answer assessor questions before they're asked.
  • Architecture Brief and Boundary Narratives: Documentation in the style DISA expects: clear data flows, clear trust boundaries, clear inheritance models, no contradictions. Authorization boundary diagrams that answer assessor questions before they're asked.
  • Validation Support: We prep your team for Technical Exchange Meetings and help you respond to JVT comments with technical precision, not churn. When CAO or NIC representatives raise connectivity concerns, we address them with implementation specifics.

Includes:

  • DoD authorization advisory (direct or uplift path)
  • Readiness assessment and roadmap
  • SSP and SSP Addendum authoring
  • Impact level selection guidance
  • Architecture brief and boundary narratives
  • Evidence structure guidance for Cloud eMASS
  • Validation prep and comment response
  • DSAWG review support

DoD · Enjinia Blade Division

Implementation for defense-grade requirements

Some requirements aren't advisory problems. They're build problems. Bitstream Merc engagements embed our engineering team with yours to architect, implement, and remediate, closing gaps that would become findings.

  • BCAP Connectivity Architecture: IL4 and IL5 CSOs must connect to DoD networks through DISA Boundary Cloud Access Points. We handle CSP coordination, SCCA PMO alignment, and NIC integration. Your architecture needs to support this connectivity without compromising your commercial operations model.
  • DoD PKI and Identity Paths: DoD authorization requires accepting DoD PKI certificates for authentication. Certificate trust chains, OCSP/CRL validation, and identity flows from your IdP must satisfy IA-2 requirements. We configure the integration, not just document the intention.
  • SCCA Alignment Engineering: Secure Cloud Computing Architecture patterns affect your network design, your boundary protection approach, and your monitoring strategy. We implement alignment that satisfies CC SRG intent without creating an unmanageable operations model.
  • Management Plane Isolation: Higher Impact Levels require increasing separation between CSO management plane and commercial infrastructure. We design separation patterns that meet CC SRG Section 5.3.3 requirements without destroying deploy velocity or creating operational nightmares.
  • Cryptography and FIPS Mode Enforcement: TLS configurations, key management, storage encryption, hardened and validated across the real boundary. FIPS-validated mode isn't optional at IL4+. We configure it correctly.
  • Remediation Sprints: JVT findings don't fix themselves. We provide the engineering muscle to close gaps fast, before or during validation, so your timeline doesn't slip and your engineers stay focused on mission.

Includes:

  • Architecture and implementation sprints
  • Infrastructure-as-code for DoD controls
  • STIG hardening implementation
  • BCAP connectivity engineering
  • DoD PKI integration
  • Remediation engineering
  • Code review and configuration audit
  • Security stack deployment

DoD · bladeRAMP Managed Services

DoD compliance operated, not just achieved

DoD authorization doesn't end at the PA memo. You maintain posture through continuous monitoring, remediation timelines, annual assessment readiness, and evidence discipline that never stops. Monthly ConMon reporting to DISA. 30/90/180 day vulnerability remediation windows. Annual 3PAO reassessments. bladeRAMP turns that operational burden into a managed service, run by the team that already knows your architecture because we built the package.

Service Lines:

  • bladeRAMP · DoD: Complete managed compliance: Platform Build (defense-grade security stack, SCCA-aligned architecture, management layer isolation) + HANZO SecOps (24/7 security operations with DISA-ready reporting) + GENJI ConMon (DoD-specific continuous monitoring with eMASS evidence integration) + SRE infrastructure capability. Full-stack compliance operations from the team that built your package.
  • GENJI · FedRAMP Continuous Monitoring (ConMon): For teams running their own security operations but needing DoD-grade ConMon structure. POA&M lifecycle management aligned to 30-90-180 day remediation timelines, scan analysis with CC SRG context, evidence generation for eMASS, DISA monthly deliverables, and annual assessment preparation.
  • HANZO · 24/7 Security Operations (SecOps): 24/7 threat detection, incident response, vulnerability management, and infrastructure protection. Full SIEM integration, host-based IDS/IPS, container security, and FIPS-validated hardening.

Platform Components:

  • Platform Build: The foundational deployment: landing zone architecture, security stack enablement, network segmentation, zero-trust remote access, and environment hardening. Defense-grade infrastructure from day one.
  • HANZO · 24/7 Security Operations (SecOps): 24/7 threat detection, incident response, vulnerability management, and infrastructure protection. Full SIEM integration, host-based IDS/IPS, container security, and FIPS-validated hardening.
  • GENJI · FedRAMP Continuous Monitoring (ConMon): POA&M lifecycle management, scan analysis, evidence generation, monthly and annual deliverables, and agency reporting. Continuous monitoring that satisfies DoD requirements on autopilot.
  • SRE Infrastructure: Site reliability engineering capability for your authorization boundary. Infrastructure operations, patching, availability management, and operational support.

You didn't come this far to lose your authorization on a missed scan or a late deliverable. bladeRAMP transforms continuous compliance from a staffing problem into an operational service. Your team stays focused on product while we keep the ATO intact.

Includes:

  • Platform build and deployment (DoD-aligned)
  • ConMon cadence and DISA reporting
  • POA&M lifecycle discipline
  • Vulnerability management timeline tracking
  • Evidence packaging and eMASS maintenance
  • Annual assessment readiness support
  • SRE infrastructure operations

DoD · Impact Level Uplift Services

Engineered pathways from IL4 to IL5 to IL6

Impact Level uplift isn't one change. It's a set of parameter shifts, architectural constraints, and operational expectations that compound. Organizations that treat uplift as a documentation update discover mid-assessment that their architecture doesn't support the target level.

  • FedRAMP to IL4: Your FedRAMP authorization is the foundation, not the destination. IL4 adds DoD-specific overlays, parameter tightening, and connectivity requirements that your FedRAMP package doesn't address. We map the delta and build the DoD-specific artifacts.
  • IL4 Moderate to IL4 High: Baseline shift from FedRAMP Moderate to FedRAMP High plus DoD overlays. Significant control parameter tightening across session management, access control, and audit requirements.
  • IL4 High to IL5 (NSS): IL5 isn't "IL4 on steroids." Beyond adding CNSSI 1253 NSS "+" controls, IL5 fundamentally changes your hosting model. Only federal government community or DoD private clouds qualify. Physical separation from non-DoD/non-federal tenants is required; virtual separation is not sufficient. We help you determine if IL5 is actually required for your mission data, and if so, engineer the path.
  • IL5 to IL6 (Classified): Advisory and engineering support for organizations pursuing the highest bar. IL6 requires classified infrastructure, cleared personnel, and operational procedures that change fundamentally from unclassified environments.
  • Multi-Impact Architectures: Architecture strategies for serving multiple Impact Level requirements while preserving isolation and inheritance clarity. Note: IL5 tenant isolation requirements significantly constrain multi-tenancy options with non-federal customers.

Includes:

  • Delta mapping and uplift roadmap
  • Architecture redesign guidance
  • SSP Addendum updates
  • Control implementation engineering
  • Documentation update strategy
  • Validation support for uplift cycles

DoD · APEX - Authorization Pathway EXpansion

Boundary expansion, overlays, and multi-CSO strategy

Expansion is where teams accidentally trigger validation rework. A new region, a new service module, a new overlay requirement: each introduces documentation updates, evidence mapping changes, and JVT communication that can derail timelines if handled poorly. APEX is how you scale deliberately.

Service Lines:

  • Boundary Expansion: New regions, modules, or services with a disciplined change story and updated traceability. Documentation structured for eMASS, evidence mapped to controls, JVT communication that prevents surprise findings.
  • Overlay Integration: CJIS, ITAR, CMMC mapped cleanly onto your DoD baseline without duplicating work. Each overlay adds requirements. We map the delta, engineer implementations, and update documentation to satisfy multiple frameworks simultaneously.
  • Multi-CSO Strategy: Portfolio design that maximizes inheritance and minimizes repeated implementations across Cloud Service Offerings. When you have multiple products serving DoD, we help structure boundaries for efficient authorization and maintenance.
  • Multi-cloud and Region Expansion: Expansion planning across partitions and clouds with clear boundary and control ownership. AWS GovCloud to commercial regions. Azure Government additions. CC SRG requirements satisfied across environments without creating documentation chaos.

Includes:

  • Expansion architecture strategy
  • Significant change documentation
  • Overlay integration (CJIS, ITAR, CMMC)
  • Multi-CSO portfolio design
  • eMASS structure updates
  • JVT communication and coordination

Our Approach

The Path to Provisional Authorization.

FedRAMP teaches you compliance. DoD teaches you discipline. The CC SRG doesn't just add controls, it changes expectations. DISA assessors operate differently than commercial 3PAOs. The JVT asks questions 3PAOs don't. Sponsors have mission timelines that don't bend. We've learned what survives this process and built our approach around it.

00.

PHASE 0: Impact Level Determination & Readiness

For organizations committed to the full DoD PA journey

The most expensive mistake in DoD authorization isn't a failed assessment, it's pursuing the wrong Impact Level. We've watched organizations burn six months engineering IL5 requirements for data that qualified as IL4 High. We've seen sponsors request IL5 without understanding the hosting model restrictions that come with it.

Phase 0 answers the question your sponsor may not have asked clearly: What Impact Level does your data actually require?

We analyze your data types against CC SRG definitions. We evaluate your current architecture against target-level requirements. For organizations with existing FedRAMP authorization, we map the delta: what transfers, what tightens, what changes architecturally.

This phase produces:

  • Impact Level determination with documented rationale
  • CC SRG gap analysis against your target baseline
  • Architectural change requirements (if any)
  • Sponsor communication package
  • Resource and timeline projections

The deliverables from Phase 0 don't sit in a folder waiting for someone to act on them. They become the foundation of your package development. The Impact Level determination shapes every control narrative. The gap analysis drives your remediation priorities. The architectural requirements inform your engineering timeline. When Phase 0 closes, Phase 1 opens with clarity instead of assumptions.

01.

DoD · Gap Assessment

For organizations evaluating the DoD PA journey before committing

Not every conversation leads to a full engagement. Sometimes you need answers before committing budget. Our DoD gap assessment gives you the truth about your readiness, including whether DoD authorization makes sense for your business model at all.

We focus on the requirements that eliminate options: BCAP connectivity feasibility, DoD PKI integration complexity, hosting model constraints for your target IL, and the separation requirements that reshape architectures.

You'll know:

  • Whether your current infrastructure can support your target IL
  • What architectural changes are non-negotiable
  • Realistic cost and timeline ranges
  • Whether FedRAMP-first makes more sense than direct DoD pursuit

This is the off-ramp if you need one. Some organizations discover that DoD authorization requires more architectural change than their timeline allows. Others learn that their target Impact Level doesn't match their actual data classification. Better to know now than six months into package development. If the path forward makes sense, the gap assessment becomes your roadmap. If it doesn't, you've saved significant investment by learning early.

02.

DoD · Advisory & Package Engineering

Building documentation that survives the JVT.

DoD packages face parallel scrutiny: 3PAOs validate against both FedRAMP and CC SRG baselines while the JVT validates against CC SRG requirements. Documentation that satisfies one can fail the other. We build packages designed for both audiences simultaneously.

The SSP Addendum isn't a bolt-on. It's integrated architecture documentation that traces DoD-specific requirements to your actual implementation. Control parameters reflect CC SRG values, not FedRAMP defaults. Boundary narratives address SCCA alignment. Data flows show BCAP integration points.

We write for the Technical Exchange Meeting, the moment when DISA asks how your management plane isolation actually works and your team needs to answer without hesitation.

Package Components:

  • DoD SSP or integrated SSP Addendum
  • Architecture brief formatted for DISA RE2 review
  • DoD-specific data flow documentation
  • Evidence mapped to both FedRAMP and CC SRG requirements
  • Cloud eMASS-ready package structure
  • Mission owner inheritance documentation

Package delivery isn't the finish line. It's the moment your documentation faces external scrutiny for the first time. We build packages expecting that scrutiny, anticipating the questions assessors ask and the evidence they'll request. When the 3PAO opens your SSP, they should find answers before they formulate questions. When the JVT reviews your architecture brief, the SCCA alignment should be obvious. That's the product of engineering discipline applied to documentation, and it's what separates packages that sail through from packages that stall in comment cycles.

03.

DoD · Bastion · Assessment Validation Support

Navigating the JVT process.

The Joint Validation Team isn't a single reviewer. It's a panel: DISA SCA-R leads, your sponsor's analysts, and specialists from CAO, SCCA PMO, NIC, and PKI teams. Each brings different concerns. Each asks different questions. A response that satisfies one may raise flags for another.

We've sat through enough Technical Exchange Meetings to know the patterns. Connectivity questions from NIC. Identity concerns from PKI. Boundary questions from CAO. We prepare your team for each voice at the table.

Validation Support Includes:

  • Technical Exchange Meeting preparation and participation
  • JVT comment triage and response coordination
  • Evidence clarification and supplementation
  • Sponsor analyst relationship management
  • IATT coordination for BCAP onboarding

Technical Exchange Meetings reveal whether your package preparation was sufficient. Teams that stumble here face extended timelines, expanded evidence requests, and credibility damage that follows them through the rest of the process. Teams that perform well build confidence with the JVT that pays dividends when findings inevitably surface. We prepare your team to perform well, and when findings do surface, we help you respond with the speed and precision that maintains JVT confidence rather than eroding it.

Assessment & Authorization:

Your 3PAO assesses against both FedRAMP baselines and DoD IL requirements simultaneously. The JVT doesn't duplicate that work. They scrutinize what the 3PAO produced, probe architectural decisions, and validate that CC SRG-specific requirements received adequate attention. Think of it as defense-in-depth applied to the authorization process itself.

This dual-layer review catches things single-process authorizations miss. It also means evidence packages face examination from assessors with different priorities and different questions. We manage both relationships, ensuring your 3PAO understands DoD expectations and your JVT responses reflect assessment realities.

  • 3PAO coordination and evidence management
  • JVT scrutiny response and clarification
  • DSAWG briefing preparation
  • Interview support across both review layers
  • PA memo review and closeout

The 3PAO delivers their assessment. The JVT delivers their validation. DSAWG reviews the complete picture. Only when all three align does the Authorizing Official sign the PA memo. We stay embedded with your team through every stage, managing the communication threads, resolving conflicts between reviewer expectations, and keeping the package moving toward authorization rather than cycling through endless comment resolution.

Authorized.

The PA unlocks the mission. Maintenance keeps it.

You're provisionally authorized. DoD components can leverage your PA for their agency ATOs. The defense market is open.

But DoD authorization comes with operational commitments that exceed FedRAMP: monthly ConMon submissions to DISA, vulnerability remediation windows of 30/90/180 days with no exceptions, annual reassessments, and eMASS package maintenance that never pauses.

What comes next:

  • DoD · ConMon Advisory Services: Periodic engagement for POA&M management, affirmation preparation, and reassessment readiness. Your team handles daily operations with our oversight.
  • DoD · bladeRAMP Managed Services: We operate your compliance program. Security monitoring, vulnerability management, POA&M lifecycle, and annual affirmations handled by the team that built your program.
  • DoD · Bitstream Merc Engineering Support Services: Bitstream Merc engagements for specific technical needs. Remediation projects, architecture changes, or security tool deployments.

Ready to discuss your path to PA?

No sales pitch. A technical conversation with engineers who understand DoD authorization at the implementation level—sponsor dynamics, JVT expectations, and what actually gets packages through DISA.