SRG V1R7: What Every Cloud Service Provider Needs to Know Before Their Next Assessment
The DoD just tightened who is allowed to touch your IL4 and IL5 environment, and relaxed a few of the rules.
The Department of Defense released V1R7 of the Cloud Computing SRG, and if you are a CSP holding or pursuing a Provisional Authorization, this release changes your staffing model before it changes anything else.
There are three content changes in V1R7, plus a terminology sweep from DoD to DoW. That sounds small. It is not. One of those changes rewrites who counts as a privileged user, and it will send a meaningful number of providers back to their org chart.
What changed in V1R7
Before getting into consequences, here is the honest inventory. V1R7 is not a sprawling rewrite. It moves in two directions at once.

The tightening is concentrated in personnel. The simplification is spread across training, tiering, and expired transition language. Most coverage of this release will focus on the terminology change. The terminology change is the least important thing in it.
The change that matters: PS-3(04)
V1R7 adds a new PS-3(04) requirement for IL4, IL5, and IL6. It defines who is allowed to access a system processing, storing, or transmitting DoD information:
- Users must be U.S. citizens, U.S. nationals, or U.S. persons, or foreign personnel as allowed by current DoW policy with AO approval.
- Administrators must be U.S. citizens, U.S. nationals, or U.S. persons. No foreign personnel exception.
Then comes the sentence that changes the math:
VERBATIM FROM THE SRG:
ALL CSP PERSONNEL ARE CONSIDERED ADMINISTRATORS who have access to the information systems.
Read that carefully. The SRG is not defining administrators by permission level. It is defining them by access. If your employee can electronically reach the government information system, the SRG treats them as an administrator, and the administrator standard has no foreign personnel carve-out.
The new Table 5-1: Tier 3 at IL4 and IL5
V1R7 also throws out the old background investigation table. The previous five-tier structure (Tiers 1, 2, 4, and 5) collapses into a simpler two-category model, with a new Table 5-1 governing privileged personnel.

Impact Level 2 stays at a Tier 1 investigation with no citizenship restriction. IL4 and IL5 both now require a Tier 3 investigation and U.S. citizen, national, or person status. IL6 requires a Tier 3 with access to classified, restricted to U.S. citizens.
Non-privileged personnel are not exempt either. Staff without electronic access, such as janitorial or physical maintenance workers, must hold a Tier 3 investigation or always be escorted at IL4, IL5, and IL6.
Why this hits harder than it reads
Most CSPs will read PS-3(04) and Table 5-1 and conclude they are already compliant. They run background checks. They have a privileged access management program. The instinct is to map this requirement onto the small group of people who hold root and move on.
That instinct is exactly where the gap opens.

A privileged access management group is a permissions construct. The SRG’s definition is an access construct. It captures the platform engineer who deploys to the environment, the SRE who gets paged at two in the morning, the developer with a console login, the support analyst who can pull logs, and the contractor brought in for a six-week migration.
If they can reach the system electronically, they are in scope. At IL4 and IL5, that means Tier 3 and U.S. person status.
What this actually costs a CSP
It is a hiring constraint, not a control
A Tier 3 investigation is a government background investigation with a real queue and a real timeline. You cannot remediate it in a sprint. If your IL4 platform team includes engineers who do not hold a Tier 3, the finding is not a missing artifact. It is a staffing decision with a lead time you do not control.
The citizenship gate narrows the talent pool
U.S. citizen, national, or person status is a hard eligibility bar. For providers running offshore engineering, follow-the-sun support, or globally distributed SRE rotations, this can disqualify entire teams from touching an IL4 or IL5 environment. That is not a policy you rewrite. It is an architecture and workforce question, and the answer may be re-partitioning who can reach what.
Escorting is a cost, not a loophole
The escort provision for non-privileged personnel gets read as an easy alternative to vetting. In practice, always escorted means exactly that: it consumes a vetted employee’s time every time an unvetted person is on site. And it applies to physical presence. It does nothing for electronic access.
The good news buried in the same release
V1R7 is not purely additive burden. Several requirements got lighter, and if you are budgeting compliance effort, these matter.
- The old rule requiring at least five CSP personnel with a Tier 5 investigation to be available for senior government meetings is gone, with nothing replacing it. At IL6, only key cyber staff now need a Tier 5.
- Training flipped. Under V1R6, DoDM 8140.03 applied to DoD CSPs, Mission Owners, and all IL6 CSPs. Under V1R7, all commercial CSPs are exempt from DoDM 8140.03, even at IL6. Every CSP now needs AT-3 training, verified during FedRAMP and DoW PA reviews.
- The expired CY2025 transition bullet requiring IL5, IL6, and NSS systems to move to NIST SP 800-53 Rev 5 was removed, since the date has passed.
Read together, the message is that DoD is willing to simplify process burden in exchange for a harder line on personnel. That is a reasonable trade if you are staffed for it, and an expensive one if you are not.
If you are pursuing IL6, read this twice
V1R7 adds a facility clearance requirement in Section 5.5.1. To receive a DoW PA at Impact Level 6, a CSP must either hold a facility clearance with cleared personnel managing the CSO, including top-level corporate management, or demonstrate the ability to meet those requirements under the Industrial Personnel Security Clearance Process.
On-premises facilities and personnel clearances follow the same path as any other DoW contract requiring access to classified information. Off-premises facilities go through the contracting process like any other Defense Industrial Base contractor, under the purview of OUSD(I) and DCSA.
V1R7 also adds a new subsection requiring IL6 CSPs to follow all classified-information training rules per DD Form 254, 32 CFR Part 117 (NISPOM), and any related Executive Order or DoW policy.
The phrase to notice is top-level corporate management. This requirement reaches above your cloud team and into your executive suite.
What to do now
The providers who get caught by V1R7 will not be the ones who never read it. They will be the ones who scoped privileged personnel to their PAM group and stopped. Start with an honest inventory.
- Map every person with electronic access to the environment, not just the named privileged group. Engineers, SREs, support, on-call rotations, contractors, and vendors all count.
- Cross-reference that population against Tier 3 investigation status and U.S. citizen, national, or person eligibility.
- Identify everyone in that population who cannot meet the bar, and decide now whether the answer is vetting, reassignment, or re-architecting access boundaries.
- Confirm your non-privileged personnel are either Tier 3 investigated or genuinely escorted at all times, and that you can demonstrate it.
- Treat investigation timelines as a project schedule input, not a checkbox to clear the week before an assessment.
- If you are pursuing IL6, start the facility clearance conversation now, and confirm your executive leadership understands they are in scope.
THE POINT
V1R7’s personnel requirement is not hard to understand. It is hard to scope. Most CSPs will not fail here because they misread the table. They will fail because they drew the boundary of privileged personnel too narrowly, and only found out when an assessor drew it correctly.
Where Fortreum fits
Fortreum is a top 5 FedRAMP 3PAO and an accredited C3PAO. Personnel security is one of the most consistent sources of avoidable findings we see in DoD cloud environments, and the gap is almost never a missing policy. It is a population that was never counted.
If you are preparing an IL4 or IL5 environment for assessment, mapping your personnel against V1R7’s definition of privileged is the highest-leverage thing you can do before an assessor does it for you.
