How to Protect IL4 Data with Okta
The Federal Risk and Authorization Management Program is an assessment and authorization process that US government agencies use to ensure their cloud-based applications are appropriately secure. Under FedRAMP Moderate or FedRAMP+, cloud service providers (CSPs) must meet an extensive set of controls—up to 363—to be granted an Authority to Operate (ATO) within the network of government agencies.
In our previous posts, we discussed:
- The basics of FedRAMP
- How inheritance works
- How Okta can help organizations stay compliant with their FedRAMP authorization
Here, we’ll address how organizations can protect high-stakes data—as defined by the US Department of Defense (DoD)—when working with critical government agencies.
The challenge: Protecting IL4 data
With a keen focus on securing vital data, the DoD has outlined unique information protection requirements for CSPs interested in delivering cloud products and services to the DoD and its affiliates. Using FedRAMP requirements as a foundation, the US DoD created additional cloud computing security and compliance controls in its Cloud Computing Security Requirements Guide (SRG).
The DoD SRG controls are based on FedRAMP’s Moderate baseline, which a CSP must meet in order to obtain a DoD authorization. In fact, all CSPs granted FedRAMP Moderate authorizations are automatically awarded a DoD SRG authorization of Impact Level 2 (IL2), which offers the same allowances as the former.
However, organizations interested in working specifically for the DoD must meet IL4 requirements at a minimum. DoD’s SRG IL4 (also known as FedRAMP+) is intended for controlled unclassified information or other mission-critical information. It includes a total of 363 controls, up from 325 under FedRAMP Moderate and DoD SRG IL2.
How to meet IL4 requirements
To achieve the IL4 accreditation, businesses need to go through an authorized assessment that covers the following:
- Specific IL4 controls
- FedRAMP Moderate controls
- General readiness (GR) controls
- DoD parameters (this has been changed to a more stringent requirement)
- Computer network defense (CND) controls
The result of this assessment is a security assessment report (SAR) that is then submitted to the DoD’s Defense Information Systems Agency (DISA) representative for package review. This review process is extensive and detailed, as DISA will scrutinize all the materials that have been submitted for the FedRAMP environment.
Of note, Okta is in the process of requesting its IL4 authorization. We have reviewed the list of controls and provided responses on how we can meet them in this whitepaper.
Where to start
While Okta is still a FedRAMP Moderate organization, customers that are looking to securely handle IL4 data can still use Okta as the identity layer.
When you use Okta as the identity layer in your application, it performs authentication and authorization, sending a token containing an identity assertion to the application or “client”. It’s your application’s responsibility to properly assign and manage the user’s privileges based on this token.
This approach creates a boundary between Okta and the data stored in your application. In other words, Okta doesn’t have access to any sensitive information stored within your application. It only returns an authentication token to your application and is never exposed to the sensitive data stored inside. The only thing Okta handles is the authenticator information, making it a secure option for organizations handling sensitive IL4 data.
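As an added illustration of that boundary (example code written for this post, not Okta’s SDK or a reference implementation), the application below verifies an identity token and then derives privileges from its own privilege map: the token asserts who the user is and which groups they belong to, and the application alone decides what those groups may do with IL4 data. The issuer, audience, group names, privilege map and the HS256 shared secret are all constructed stand-ins; a real Okta-issued token is RS256-signed and verified against the org’s published JWKS keys, and the claim and lifetime checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (not real Okta settings).
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "api://il4-app"
SECRET = b"constructed-shared-secret"  # stand-in for the RS256 key Okta would publish via JWKS

# Application-owned privilege map: Okta asserts identity and group membership;
# the application decides what each group may do. Unknown groups grant nothing.
ROLE_PRIVILEGES = {
    "il4-readers": {"read"},
    "il4-editors": {"read", "write"},
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Constructed test helper standing in for the identity provider's token issuance."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature, issuer, audience and lifetime all check out; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token header, picks the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims

def privileges_for(token, now=None):
    """Map the asserted groups to app-local privileges; the token itself carries no IL4 data."""
    claims = verify_token(token, now)
    granted = set()
    for group in claims.get("groups", []):
        granted |= ROLE_PRIVILEGES.get(group, set())
    return claims["sub"], granted
```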
Okta provides a secure and powerful identity and access management platform that allows you to streamline the secure adoption of your web-based applications. It provides a complete solution that can accelerate your product’s path to market while at the same time addressing the needs of your team, freeing up their time to concentrate on their core mission.
By leveraging Okta’s services, you can significantly improve the security and ease of managing your applications, including Platform as a Service (PaaS), Software as a Service (SaaS), and other cloud-based and on-prem applications.
To learn more about how you can configure Okta for FedRAMP compliance and how you can use Okta to Protect IL4 (FedRAMP), read our FedRAMP resources: