Why Azure Gov IL5 Compliance Demands a Disciplined Technical Validation Process
Impact Level 5 is not a checkbox exercise. When the Department of Defense authorizes cloud workloads at IL5, it is permitting the processing of Controlled Unclassified Information that is particularly sensitive — information that, if disclosed, could cause serious harm to national security. Azure Government is one of the few cloud platforms with a DoD Provisional Authorization at IL5, but a platform authorization does not equate to your organization's authorization. The controls your environment inherits from Microsoft and the controls you are responsible for implementing yourself are two very different things.
Every compliance manager supporting a DoD mission owner or defense contractor operating in Azure Government needs a structured way to verify that their side of the shared responsibility model is actually built, configured, and documented. The checklist below addresses the 25 technical controls that most commonly surface gaps during IL5 readiness reviews. If you are also evaluating the broader Azure Government environment, our post on the Azure Government compliance framework for defense contractors is a useful starting point before working through this list.
Understanding the IL5 Shared Responsibility Model Before You Start
Azure Government's DoD IL5 Provisional Authorization covers infrastructure, physical security, hypervisor controls, and certain platform services. Your organization is responsible for identity configuration, workload architecture, data handling, network segmentation, logging, and a significant body of operational controls. Treating inherited controls as implemented without validating your configuration choices is the single most common failure mode in IL5 readiness reviews.
IL5 workloads must comply with NIST SP 800-53 Revision 5 at the Moderate and High baseline, with DoD-specific overlays. If you want a plain-language comparison of how NIST SP 800-171 and NIST SP 800-53 differ in scope and applicability, our post on the essential differences between NIST SP 800-171 and NIST SP 800-53 breaks that down clearly.
The 25 Technical Controls to Validate for Azure Gov IL5 Compliance
Identity and Access Management
- Azure Active Directory (Entra ID) Tenant Isolation: Confirm your tenant is provisioned in the Azure Government environment, not commercial Azure. Verify tenant boundaries prevent data co-mingling with non-IL5 workloads.
- Multi-Factor Authentication Enforcement: Validate that MFA is enforced for all user accounts, service accounts with interactive login capability, and privileged roles. Conditional Access policies must cover every authentication path, including legacy protocols — which should be blocked entirely.
- Privileged Identity Management (PIM) Configuration: Just-in-time privileged access must be activated and scoped. Permanent Global Administrator assignments are a common finding. Verify that all privileged role assignments require justification, approval workflow, and time-bound activation.
- Role-Based Access Control Scoping: Audit RBAC assignments at the subscription, resource group, and resource level. Over-permissioned service principals and broad Owner assignments outside of break-glass accounts are routine gaps.
- Foreign National Access Controls: IL5 requires that U.S. persons control access to covered data. Validate that your tenant configuration, group membership policies, and access review processes prevent unauthorized foreign national access to IL5 workloads.
Network Architecture and Segmentation
- Virtual Network Segmentation: IL5 workloads must be isolated within dedicated virtual networks. Confirm there is no direct peering to commercial Azure environments or non-IL5 workloads without compensating controls.
- Network Security Group Rule Auditing: Export and review all NSG rules. Deny-all-inbound defaults should be enforced, with explicit allow rules documented and justified. Overly permissive rules allowing broad internet ingress are a perennial finding.
- Azure Firewall or Third-Party NGFW Deployment: Verify that east-west traffic between subnets and north-south traffic to and from the internet passes through an inspecting firewall. Confirm threat intelligence-based filtering is enabled.
- Private Endpoints for PaaS Services: Azure Storage, Key Vault, SQL, and other PaaS services used in IL5 workloads must be accessible only via private endpoints. Public endpoint access should be disabled and validated through configuration, not just policy.
- ExpressRoute or VPN Gateway Configuration: If hybrid connectivity is in scope, validate that encryption standards, BGP route filtering, and failover configurations meet DoD requirements. Confirm that on-premises segments connecting to IL5 workloads are adequately scoped.
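The NSG item above calls for exporting and reviewing every rule. The script below is an added example for this post (not code from the original article or from Microsoft) that does the two checks reviewers most often perform on such an export: it flags inbound Allow rules whose source is the whole internet, and it reports NSGs that lack an explicit deny-all inbound rule. It assumes the export has the shape returned by `az network nsg list -o json` (securityRules with direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes and destinationPortRange/destinationPortRanges); the two NSGs in it are constructed.

```python
"""Audit exported NSG rules for broad internet ingress and missing deny-all.

Added example, not from the original article. Input mimics `az network nsg list`
output; the NSGs and rules below are constructed for this example.
"""
import json

# Source values that mean "anywhere": the wildcard, the Internet service tag, or 0.0.0.0/0.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

SAMPLE_NSG_EXPORT = json.dumps([
    {
        "name": "nsg-il5-app",
        "securityRules": [
            {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
            {"name": "allow-https-from-fw", "priority": 110, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefix": "10.10.0.0/24", "destinationPortRange": "443"},
            # Explicit deny-all at the lowest custom priority, ahead of the platform defaults.
            {"name": "deny-all-in", "priority": 4096, "direction": "Inbound",
             "access": "Deny", "protocol": "*",
             "sourceAddressPrefix": "*", "destinationPortRange": "*"},
        ],
    },
    {
        "name": "nsg-il5-db",
        "securityRules": [
            {"name": "allow-sql-internet", "priority": 200, "direction": "Inbound",
             "access": "Allow", "protocol": "Tcp",
             "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
        ],
    },
])


def _sources(rule):
    """Normalised set of source prefixes (singular and plural forms both appear in exports)."""
    srcs = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    return {s.lower() for s in srcs if s}


def _dest_ports(rule):
    ports = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    return {p for p in ports if p}


def is_broad_ingress(rule):
    """Inbound Allow rule reachable from any internet source, regardless of port."""
    return (rule.get("direction") == "Inbound" and rule.get("access") == "Allow"
            and bool(_sources(rule) & INTERNET_SOURCES))


def has_explicit_deny_all_inbound(rules):
    """An explicit custom deny-all overrides the platform's AllowVnetInBound default."""
    return any(r.get("direction") == "Inbound" and r.get("access") == "Deny"
               and r.get("protocol") == "*"
               and "*" in _sources(r) and "*" in _dest_ports(r)
               for r in rules)


def audit_nsg(nsg):
    findings = []
    rules = nsg.get("securityRules") or []
    for rule in rules:
        if is_broad_ingress(rule):
            findings.append(f"{rule['name']}: inbound Allow from {sorted(_sources(rule))} "
                            f"to port(s) {sorted(_dest_ports(rule))}")
    if not has_explicit_deny_all_inbound(rules):
        findings.append("no explicit deny-all inbound rule (relies on platform defaults only)")
    return findings


def audit_nsgs(export_json):
    """Map each NSG name to its list of findings (empty list means clean)."""
    return {nsg["name"]: audit_nsg(nsg) for nsg in json.loads(export_json)}


if __name__ == "__main__":
    for name, findings in audit_nsgs(SAMPLE_NSG_EXPORT).items():
        print(name, "->", findings or "clean")
```

Every rule the script flags should appear in your documented allow list with a business justification; any that do not are findings to remediate before the assessment, and an NSG with no explicit deny-all should be treated as relying on a default that a later rule can quietly undo.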
Data Protection and Encryption
- Encryption at Rest — Customer-Managed Keys: Validate that IL5 data stored in Azure Storage, SQL Database, and other persistent services uses Customer-Managed Keys (CMK) stored in Azure Key Vault in the Government region. Microsoft-managed keys alone may not satisfy IL5 data sensitivity requirements for the most sensitive workloads.
- Encryption in Transit: Confirm TLS 1.2 minimum is enforced across all service endpoints. Audit App Service, API Management, Storage Account, and load balancer configurations for TLS downgrade exposure.
- Key Vault Access Policies and Auditing: Verify Key Vault access is limited to workload identities and explicitly authorized administrators. Confirm diagnostic logs are enabled and key operations are captured in your SIEM.
- Data Loss Prevention Policy Configuration: If you are using Microsoft Purview or equivalent DLP capabilities, validate that sensitive information types associated with CUI categories are included in active policies. Our post on understanding data loss prevention covers the foundational concepts compliance teams should understand before configuring these policies.
- Backup Encryption and Access Controls: Verify that Azure Backup or third-party backup solutions protecting IL5 workloads encrypt backup data at rest with CMK and restrict restore access to authorized personnel only.
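The private-endpoint item in the network section and the CMK and TLS items above all reduce to properties on the same resource, so one posture check can cover them. The script below is an added example for this post, not code from the original article or from Microsoft. It assumes each account object follows the shape of `az storage account show -o json` (encryption.keySource and keyVaultProperties, minimumTlsVersion, supportsHttpsTrafficOnly, allowBlobPublicAccess, publicNetworkAccess, networkRuleSet.defaultAction, privateEndpointConnections); the two accounts are constructed and the vault URI is a placeholder. The Azure Government Key Vault DNS suffix it checks against (vault.usgovcloudapi.net) is the real suffix for that cloud.

```python
"""Audit storage-account settings for IL5 data-protection and private-endpoint findings.

Added example, not from the original article. Input mimics `az storage account show`
output; both accounts below are constructed and the vault URI is a placeholder.
"""
import json

GOV_KEYVAULT_SUFFIX = ".vault.usgovcloudapi.net"  # Azure Government Key Vault namespace
ACCEPTED_TLS = {"TLS1_2", "TLS1_3"}

SAMPLE_ACCOUNTS = json.dumps([
    {
        "name": "stil5prod",
        "encryption": {"keySource": "Microsoft.Keyvault",
                       "keyVaultProperties": {
                           "keyVaultUri": "https://kv-il5-cmk-placeholder.vault.usgovcloudapi.net/"}},
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": True,
        "allowBlobPublicAccess": False,
        "publicNetworkAccess": "Disabled",
        "networkRuleSet": {"defaultAction": "Deny"},
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Approved"}}],
    },
    {
        # Constructed "left over from development" account with defaults never tightened.
        "name": "stil5dev",
        "encryption": {"keySource": "Microsoft.Storage"},
        "minimumTlsVersion": "TLS1_0",
        "supportsHttpsTrafficOnly": True,
        "allowBlobPublicAccess": True,
        "publicNetworkAccess": "Enabled",
        "networkRuleSet": {"defaultAction": "Allow"},
        "privateEndpointConnections": [],
    },
])


def audit_storage_account(acct):
    """Return the list of findings for one account (empty means clean)."""
    findings = []
    enc = acct.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("encryption at rest uses Microsoft-managed keys, not CMK")
    else:
        uri = (enc.get("keyVaultProperties") or {}).get("keyVaultUri", "")
        host = uri.split("//", 1)[-1].rstrip("/")
        if not host.endswith(GOV_KEYVAULT_SUFFIX):
            findings.append("CMK vault is not in the Azure Government Key Vault namespace")
    if acct.get("minimumTlsVersion") not in ACCEPTED_TLS:
        findings.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}")
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("plaintext HTTP is permitted")
    if acct.get("allowBlobPublicAccess"):
        findings.append("anonymous blob access is allowed")
    if acct.get("publicNetworkAccess") != "Disabled":
        findings.append("public network access is enabled")
    if (acct.get("networkRuleSet") or {}).get("defaultAction") != "Deny":
        findings.append("network rule set default action is Allow")
    # A private endpoint only counts once its connection has been approved.
    approved = [c for c in acct.get("privateEndpointConnections") or []
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    if not approved:
        findings.append("no approved private endpoint")
    return findings


def audit_storage_accounts(export_json):
    return {a["name"]: audit_storage_account(a) for a in json.loads(export_json)}


if __name__ == "__main__":
    for name, findings in audit_storage_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", findings or "clean")
```

The point of checking configuration rather than policy is visible in the second account: an Azure Policy assignment can say private endpoints are required, but the exported object is what proves whether public access was actually turned off after development ended.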
Logging, Monitoring, and Incident Response
- Azure Monitor Diagnostic Settings — Full Coverage: Every resource in scope — virtual machines, storage accounts, key vaults, network security groups, firewalls, and identity services — must have diagnostic settings enabled and logs routed to a centralized Log Analytics workspace.
- Microsoft Sentinel or Equivalent SIEM Deployment: Validate that security event correlation, alerting, and incident response workflows are operational. IL5 requires continuous monitoring. A Log Analytics workspace with no active alert rules does not satisfy this requirement.
- Audit Log Retention: DoD requirements specify audit log retention periods that frequently exceed Azure's default settings. Validate that retention policies are configured for the required duration and that logs are immutable once written.
- Incident Response Plan — Cloud-Specific Procedures: Your incident response plan must include procedures specific to Azure Government workloads, including how to isolate compromised resources, engage Microsoft's government support channel, and meet DoD cyber incident reporting timelines under DFARS 252.204-7012.
- Vulnerability Scanning Integration: Confirm Microsoft Defender for Cloud is enabled at the appropriate tier for IL5 workloads, vulnerability assessment is configured for virtual machines and containers, and findings are being triaged and tracked to remediation.
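The diagnostic-settings and retention items above are the kind of check that drifts as resources are added, so it is worth scripting. The example below is added for this post and is not code from the original article or from Microsoft. It assumes an in-scope resource inventory, per-resource diagnostic settings in the shape returned by `az monitor diagnostic-settings list` (workspaceId plus a logs array with enabled flags), and a workspace object with retentionInDays as returned by `az monitor log-analytics workspace show`. All resource ids, the subscription id, and the required retention figure are constructed placeholders; substitute the retention period your authorization package actually commits to.

```python
"""Check diagnostic-setting coverage and workspace retention for an IL5 scope.

Added example, not from the original article. Inventory, settings and workspace
objects are constructed; the subscription id and retention figure are placeholders.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
CENTRAL_WORKSPACE = (f"{SUB}/resourceGroups/rg-il5-sec/providers/"
                     "Microsoft.OperationalInsights/workspaces/law-il5-central")
DEV_WORKSPACE = (f"{SUB}/resourceGroups/rg-dev/providers/"
                 "Microsoft.OperationalInsights/workspaces/law-dev")
REQUIRED_RETENTION_DAYS = 365  # assumption: replace with the figure in your SSP

# Constructed inventory of resources that must be covered.
SCOPE = [
    f"{SUB}/resourceGroups/rg-il5-app/providers/Microsoft.KeyVault/vaults/kv-il5-app",
    f"{SUB}/resourceGroups/rg-il5-app/providers/Microsoft.Storage/storageAccounts/stil5app",
    f"{SUB}/resourceGroups/rg-il5-net/providers/Microsoft.Network/networkSecurityGroups/nsg-il5-app",
    f"{SUB}/resourceGroups/rg-il5-net/providers/Microsoft.Network/azureFirewalls/afw-il5-hub",
]

# Constructed diagnostic settings keyed by resource id; the firewall has none at all.
DIAG_SETTINGS = {
    SCOPE[0]: [{"name": "to-central", "workspaceId": CENTRAL_WORKSPACE,
                "logs": [{"category": "AuditEvent", "enabled": True}]}],
    SCOPE[1]: [{"name": "dev-only", "workspaceId": DEV_WORKSPACE,
                "logs": [{"category": "StorageRead", "enabled": True}]}],
    SCOPE[2]: [{"name": "to-central", "workspaceId": CENTRAL_WORKSPACE,
                "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": False}]}],
}

WORKSPACE = {"name": "law-il5-central", "retentionInDays": 90}  # constructed


def audit_diagnostics(scope, settings_by_resource, central_workspace):
    """Map the short name of each deficient resource to its list of problems."""
    findings = {}
    for rid in scope:
        short = rid.rsplit("/", 1)[-1]
        settings = settings_by_resource.get(rid) or []
        problems = []
        if not settings:
            problems.append("no diagnostic setting")
        else:
            routed = [s for s in settings if s.get("workspaceId") == central_workspace]
            if not routed:
                problems.append("not routed to the central workspace")
            elif not any(log.get("enabled") for s in routed for log in s.get("logs") or []):
                problems.append("routed to the central workspace but every log category is disabled")
        if problems:
            findings[short] = problems
    return findings


def retention_meets_requirement(workspace, required_days):
    """True when the workspace keeps data at least as long as the documented requirement."""
    return int(workspace.get("retentionInDays") or 0) >= required_days


if __name__ == "__main__":
    for name, problems in audit_diagnostics(SCOPE, DIAG_SETTINGS, CENTRAL_WORKSPACE).items():
        print(name, "->", problems)
    print("retention ok:", retention_meets_requirement(WORKSPACE, REQUIRED_RETENTION_DAYS))
```

Three of the four constructed resources fail in three different ways (no setting, wrong destination, categories disabled), which is the practical reason a coverage check has to look past "a diagnostic setting exists" to where the logs go and whether anything is actually enabled. Retention and immutability are separate properties; this script checks only the retention figure.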
Endpoint, Compute, and Configuration Hardening
- Guest OS Hardening Baselines: Virtual machines must be configured against a DoD STIG or equivalent hardening baseline. Validate that Azure Policy initiatives enforcing OS configuration requirements are assigned to IL5 subscriptions and that non-compliant resources are remediated, not just flagged.
- Defender for Endpoint Integration: Confirm that Microsoft Defender for Endpoint is deployed to all virtual machines in scope and that alerts are flowing to your SIEM. Verify that auto-remediation policies are scoped appropriately for the environment.
- Azure Policy Compliance Posture: Audit your Azure Policy assignment coverage. Gaps in policy assignment at the subscription or management group level are one of the most common IL5 readiness findings. The DoD IL5 built-in policy initiative is a useful baseline, but it is not exhaustive.
- Patch Management and Update Compliance: Validate that Azure Update Manager or an equivalent solution is actively managing OS and application patching for all IL5 compute resources. Confirm that patch compliance reporting is available and reviewed on a defined cycle.
- System Security Plan (SSP) Accuracy: Your SSP must accurately reflect the current state of your Azure Government environment, including the boundary, data flows, inheritance statements for Microsoft's controls, and your implemented controls. An outdated SSP is not a minor documentation issue — it is an authorization risk. Our post on SSP and POA&M as critical security program components explains why these documents need to be living artifacts, not one-time deliverables.
Common Gaps We See in IL5 Readiness Reviews
Across our engagements with defense contractors and DoD mission owners pursuing Azure Gov IL5 compliance, the same categories of deficiencies surface repeatedly. Conditional Access policies with exclusions that create exploitable gaps. PaaS services with public endpoints that were enabled during development and never disabled before the workload went into production. Diagnostic settings applied to new resources but not consistently enforced via policy. And SSPs that describe the intended architecture rather than the deployed one.
These are not exotic failures. They are the predictable result of moving quickly through cloud migrations without a structured validation process anchored to the specific requirements of IL5. If your organization is also navigating CMMC obligations alongside your IL5 workloads — which is common for defense contractors — our CMMC, CUI, and DFARS compliance services are designed to address both frameworks in an integrated way.
Integrating This Checklist Into Your Authorization Process
This checklist is a readiness tool, not a substitute for a formal assessment. Use it to identify gaps before you engage an assessor, prioritize remediation effort, and brief your leadership on the current state of your IL5 posture. If you are working toward a formal Authorization to Operate, your Authorizing Official will require documented evidence for each control — not just a checkbox indicating it is in place.
For organizations that need structured support working through these controls, our Federal and SLED risk assessment services include cloud environment reviews scoped to DoD impact levels. We also offer ongoing regulatory vCISO services for organizations that need continuous compliance leadership without the cost of a full-time hire.
Take the Next Step Toward IL5 Authorization Readiness
Azure Gov IL5 compliance is achievable, but it requires methodical execution and a clear-eyed understanding of where your organization's responsibilities begin and end. If you want an expert assessment of your current Azure Government posture against IL5 requirements, Cleared Systems is ready to help. Request a quote to start the conversation with our team, or explore our engagement models to find the right structure for your organization's needs.
