DoD SRG Latest Guidance Released: What’s the Impact?
A new Department of Defense Cloud Service Provider (CSP) Security Requirements Guide (SRG) has been released this week. It is Version 1, Release 3 dated July 2, 2025. Below are the key takeaways to help CSPs assess the effort needed to meet DoD security testing requirements.
Impact Level 4 (IL4)
- IL4 can now be FedRAMP Moderate or FedRAMP High with the addition of the FedRAMP+ controls for IL4 and the General Readiness (GR) controls.
- This change adds 22 additional controls and 8 parameter changes to the FedRAMP Moderate baseline. This change also adds 19 additional controls and 11 parameter changes to the FedRAMP High baseline.
Impact Level 5 (IL5)
- IL5 can no longer be non-National Security System (NSS). This is a big change that impacts all current DoD IL5 authorized CSPs.
- IL5 can now ONLY be IL5-NSS, which includes FedRAMP High controls, FedRAMP+ controls for IL5, and CNSSI 1253 controls.
- This change adds 178 new NSS-specific controls and 122 parameter changes to the FedRAMP High baseline.
- These controls and parameter changes must be implemented and assessed as part of the CSP’s next annual assessment. If the CSP is undergoing an initial assessment, they must be implemented and assessed as part of that effort in order to obtain an ATO.
Impact Level 6 (IL6)
- IL6 requirements have not changed in this new version of the SRG.
The key takeaway is that the updated SRG significantly increases the number of controls and parameter changes required for CSPs to achieve or maintain compliance with DoD standards. The greatest impact falls on CSPs at IL5, which must now implement NSS-specific controls to remain at that level.
Please message Fortreum at info@fortreum.com to learn more and be prepared for the DoD SRG changes that are now officially published.
Fortreum is an independent firm specializing in audit, advisory, and technical testing services, delivering cybersecurity expertise in highly regulated industries. Our mission is to simplify cloud and cybersecurity challenges for our clients. With nearly 25 years of combined experience in both the public and private sectors, Fortreum is dedicated to addressing our customers’ complex cloud and cybersecurity needs.
For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
