Skip to content
GOVERN Admin

Impact Level Configuration

GOVERN Federal supports IL2 through IL6 configurations via Helm values overlays. Each impact level adds incrementally stricter controls.

Impact Level Overview

LevelClassificationTypical Use Case
IL2UnclassifiedPublic-facing DoD AI systems
IL4CUIDoD internal AI systems handling CUI
IL5CUI + National SecurityDoD Mission Systems
IL6SecretClassified AI workloads (SIPR)

IL2 Configuration

IL2 is the baseline. Standard FedRAMP Moderate controls apply.

Terminal window
helm install govern govern/govern \
  -f values-federal.yaml \
  -f values-il2.yaml \
  --set global.impactLevel=il2

Key IL2 settings:

values-il2.yaml
security:
  classification: unclassified
  dataHandling:
    maxClassification: "CUI//FOUO"
  cloudProvider:
    regions: [us-gov-east-1, us-gov-west-1]  # AWS GovCloud
audit:
  retention: 180  # days

IL4 Configuration

IL4 adds CUI protection requirements and stricter access controls.

Terminal window
helm install govern govern/govern \
  -f values-federal.yaml \
  -f values-il4.yaml \
  --set global.impactLevel=il4

Key IL4 additions:

values-il4.yaml
security:
  classification: cui
  dataHandling:
    maxClassification: "CUI//SP-CTI"
    dlp:
      enabled: true
      patterns: [ssn, ein, dod-id, pii, phi]
  network:
    privateEndpointsOnly: true
    vpcIsolation: true
auth:
  clearanceValidation:
    enabled: true
    provider: JPAS  # or DISS
  mfa:
    methods: [cac, piv]
    usbRequired: true
audit:
  retention: 365
  tamperProof: true

IL5 Configuration

IL5 covers NSS (National Security Systems) and classified mission systems.

Terminal window
helm install govern govern/govern \
  -f values-federal.yaml \
  -f values-il5.yaml \
  --set global.impactLevel=il5

Key IL5 additions:

values-il5.yaml
security:
  classification: secret-nss
  fips:
    mode: strict
    enforceAtBoot: true
  hardening:
    stig:
      enabled: true
      profile: DoD-STIG-RHEL9
    selinux:
      mode: enforcing
  airgap:
    capable: true
    requireApproval: true
network:
  isolation:
    crossDomainSolution: true
    dataGuard: enabled

IL6 Configuration

IL6 is for Secret classification. Air-gap is required. GovCloud east/west are the only authorized regions.

Terminal window
# IL6 deployments are typically air-gapped
helm install govern charts/govern-2.x.x.tgz \
  -f values-federal.yaml \
  -f values-il6.yaml \
  --set global.impactLevel=il6 \
  --set global.airgap=true

Key IL6 additions:

values-il6.yaml
security:
  classification: secret
  dataHandling:
    maxClassification: "SECRET//NOFORN"
    minimumClearance: SECRET
  airgap:
    required: true
    approvedMedia: [removable-encrypted-drive]
  physicalSecurity:
    scifRequired: true
    tempestRequired: true
auth:
  clearanceRequired: SECRET
  needToKnow:
    enforcement: strict
  sessionBinding:
    workstation: true  # Bind sessions to specific workstations
network:
  sipr: true  # SIPRNet connectivity
  noOutbound: true  # No outbound connections permitted
compliance:
  cnss1253:
    enabled: true
    overlay: classified-systems
  icsap:
    enabled: true

Upgrading Impact Levels

Upgrading from a lower to a higher IL requires:

  1. Security assessment of data already in the system
  2. Updated ATO covering the new IL
  3. Network reconfiguration (more restrictive)
  4. Additional personnel clearance validation
  5. Helm upgrade with new values overlay:
Terminal window
helm upgrade govern govern/govern \
  -f values-federal.yaml \
  -f values-il4.yaml \  # upgrading from IL2 to IL4
  --set global.impactLevel=il4 \
  --reuse-values