The Dual-Classification Problem Every Defense CISO Faces
Every defense agency operates at least two classification levels simultaneously. Unclassified CUI on NIPRNet. Classified SECRET on SIPRNet. Often a third – coalition or partner networks with their own classification boundaries. Each network requires remote access, file sharing, vendor connectivity, and session recording. Each has its own compliance framework, its own ATO, and historically, its own security stack.
The default assumption – one that defense CISOs have operated under for decades – is that classified and unclassified networks require separate platforms. Separate vendors. Separate procurement cycles. Separate ATOs. Separate training. Separate audit trails. The logic seems sound: classified data demands fundamentally different protections, so it must require fundamentally different products.
That logic is wrong.
The architectural requirements for Zero Trust are identical across classification levels. Identity verification per session. Application-level access instead of network-level VPN. Per-operation file transfer controls with content inspection. Session recording for all privileged access. Zero inbound firewall ports. What differs is not the architecture – it is the data path. Where the traffic flows. Where the encryption terminates. Where the audit logs reside. Which personnel can administer the system.
DTM 25-003, issued in July 2025, made this explicit: DoD Components must achieve Target Level Zero Trust across all unclassified AND classified systems, including national security systems. Not “unclassified first, classified later.” All systems. The same Zero Trust principles. The same maturity targets. The architectural approach that satisfies both – from a single platform with classification-appropriate deployment modes – eliminates the vendor sprawl, audit fragmentation, and procurement delays that separate platforms create.
This article provides defense CISOs a practical framework for deploying a single Zero Trust connectivity platform across dual-classification environments – with specific guidance on data path separation, Impact Level alignment, ATO streamlining, and the architectural controls that satisfy both IL5 and IL6 requirements from one platform.
What DoD Impact Levels Actually Require from a Connectivity Platform
Before evaluating dual-deployment architectures, defense CISOs must understand what each Impact Level demands – and where the requirements converge.
The Impact Level Framework
| Impact Level | Data Classification | Examples | Key Requirements |
| --- | --- | --- | --- |
| IL2 | Public / non-critical | Administrative data, internal comms | FedRAMP Moderate baseline |
| IL4 | CUI (non-NSS) | FOUO, PII, PHI, export-controlled | FedRAMP High + DoD-specific controls. US facilities. NIPRNet connectivity. Background checks + NDAs |
| IL5 | Higher-sensitivity CUI + NSS | Mission-critical unclassified, unclassified NSS | All IL4 controls + 9 additional. US citizens only. Physical/logical separation from non-government |
| IL6 | Classified (SECRET) | Operational plans, military intelligence | Full NIST 800-53 + 94 CNSSI controls. US-controlled facilities. SECRET clearance for all personnel. SIPRNet connectivity |
Where IL5 and IL6 Requirements Converge
The security controls that IL5 and IL6 share are more numerous than those that differ:
Shared requirements (IL5 AND IL6):
- US citizens only for personnel access
- US-controlled facilities for all infrastructure
- Physical/logical separation from non-government tenants
- Full NIST 800-53 control baseline
- Continuous monitoring and audit
- Encryption at rest and in transit
- Multi-factor authentication
- Zero Trust architecture (per DTM 25-003)
- Session recording for privileged access
- SIEM integration for centralized logging
IL6-specific additions:
- 94 additional CNSSI controls for classified facilities
- SECRET clearance for all personnel with system access
- SIPRNet connectivity (not NIPRNet)
- DISA STIG compliance for all components
- Potential CSfC (Commercial Solutions for Classified) requirements
- Physical separation requirements more stringent than IL5
The convergence is significant. A platform designed to meet IL5 requirements already satisfies approximately 85% of IL6 control requirements. The remaining 15% are classification-specific controls related to personnel clearances, physical facility requirements, and classified network connectivity – not architectural differences in the platform itself.
This is the foundation of the dual-deployment model: one platform architecture that satisfies both levels, deployed in two separate instances with classification-appropriate data paths.
The Single-Platform, Dual-Deployment Architecture
The dual-deployment model places identical platform instances on each classification level’s network – with zero cross-boundary data flow between them. Each instance is self-contained. Each produces its own audit trail. Each connects only to the identity infrastructure and SIEM on its own classification level. The two instances share architecture and configuration methodology, but share no data, no network connectivity, and no administrative access.
How It Works
Unclassified Instance (IL4/IL5 – NIPRNet):
- Deployed within agency NIPRNet infrastructure
- Connects to unclassified Active Directory / IdP
- PIV authentication for civilian personnel
- CAC authentication for military personnel
- Serves: CUI remote access, unclassified vendor connections, unclassified file transfers, contractor access to IL4/IL5 systems
- Audit logs → unclassified SIEM
- ATO scope: NIPRNet boundary
Classified Instance (IL6 – SIPRNet):
- Deployed within agency SIPRNet infrastructure
- Connects to classified Active Directory
- CAC + classified token authentication
- Serves: classified remote access, classified inter-agency connectivity, classified file transfers, cleared contractor access to IL6 systems
- Audit logs → classified SIEM
- ATO scope: SIPRNet boundary
What connects them: Nothing. The two instances are physically and logically separate. No cross-domain solution. No data replication. No shared administration. The architecture is identical; the deployments are independent.
For defense agencies evaluating how this approach maps to NSA Zero Trust pillar requirements, the pillar alignment is identical across both instances – the same User Pillar controls, Device Pillar checks, Network Pillar segmentation, Application Pillar access, and Data Pillar protection apply at both classification levels.
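The two invariants of the dual-deployment model just described (identical Zero Trust controls on both instances; no shared identity provider, SIEM, data path or administrative accounts between them) are the kind of thing worth checking mechanically before each ATO package is assembled. The checker below is an added example and is not TerraZone or truePass code: the `Instance` schema, the control names and every address in it are constructed for the demonstration, not the product's own configuration format.

```python
"""Checker for a single-platform, dual-deployment configuration: one Zero Trust
instance on NIPRNet, one on SIPRNet.  It enforces the two invariants the
article describes: identical Zero Trust controls on both instances, and no
shared dependency, data path or administration between them.
Added example; the Instance schema is hypothetical, not the truePass
product's own configuration format, and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field, replace

# Controls the article lists as required at BOTH classification levels.
REQUIRED_CONTROLS = {
    "per_session_mfa": True,
    "device_posture_check": True,
    "application_level_access": True,   # application access, not network-level VPN
    "session_recording": True,
    "cdr_on_file_transfer": True,
}


@dataclass
class Instance:
    name: str
    network: str          # "NIPRNet" or "SIPRNet"
    cidrs: list           # address ranges inside this instance's boundary
    idp: str              # identity provider address (must be inside cidrs)
    siem: str             # audit log destination address (must be inside cidrs)
    admins: set           # admin account identifiers; accounts are per-network
    controls: dict        # control name -> enabled
    inbound_ports: list = field(default_factory=list)  # ports exposed inbound


def _inside(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def check_instance(inst):
    """Per-instance checks: dependencies stay inside the boundary, controls on."""
    problems = []
    for label, addr in (("idp", inst.idp), ("siem", inst.siem)):
        if not _inside(addr, inst.cidrs):
            problems.append(f"{inst.name}: {label} {addr} is outside its own boundary")
    for ctrl, required in REQUIRED_CONTROLS.items():
        if inst.controls.get(ctrl) != required:
            problems.append(f"{inst.name}: control {ctrl} is not enabled")
    if inst.inbound_ports:
        problems.append(f"{inst.name}: inbound ports exposed {sorted(inst.inbound_ports)}")
    return problems


def check_separation(a, b):
    """Cross-instance checks: nothing is shared across the classification boundary."""
    problems = []
    if a.network == b.network:
        problems.append(f"{a.name} and {b.name} are on the same network")
    for label, x, y in (("idp", a.idp, b.idp), ("siem", a.siem, b.siem)):
        if x == y:
            problems.append(f"shared {label} endpoint {x}")
    shared = a.admins & b.admins
    if shared:
        problems.append(f"shared admin accounts {sorted(shared)}")
    # A dependency of one instance that resolves into the other's address
    # space is a cross-boundary data path, which the model forbids outright.
    for src, dst in ((a, b), (b, a)):
        for label, addr in (("idp", src.idp), ("siem", src.siem)):
            if _inside(addr, dst.cidrs):
                problems.append(f"{src.name}: {label} {addr} lies inside {dst.name}")
    return problems


def validate_dual_deployment(a, b):
    """Returns an empty list when both invariants hold."""
    return check_instance(a) + check_instance(b) + check_separation(a, b)


# Constructed sample configurations (addresses are illustrative only).
UNCLAS = Instance("tp-nipr", "NIPRNet", ["10.10.0.0/16"], "10.10.1.5", "10.10.2.20",
                  {"adm.jdoe.nipr"}, dict(REQUIRED_CONTROLS))
CLAS = Instance("tp-sipr", "SIPRNet", ["10.20.0.0/16"], "10.20.1.5", "10.20.2.20",
                {"adm.jdoe.sipr"}, dict(REQUIRED_CONTROLS))
# Misconfigured classified instance: it logs to the unclassified SIEM and has
# session recording switched off.
CLAS_BAD = replace(CLAS, siem="10.10.2.20",
                   controls={**CLAS.controls, "session_recording": False})

if __name__ == "__main__":
    print("good:", validate_dual_deployment(UNCLAS, CLAS))
    for p in validate_dual_deployment(UNCLAS, CLAS_BAD):
        print("bad: ", p)
```

The good pair returns no findings; the misconfigured classified instance produces four, two from its own boundary check (SIEM outside its ranges, recording disabled) and two from the cross-instance check (a SIEM endpoint shared with the unclassified instance, which is by definition a path across the classification boundary). Admin accounts are compared as identifiers because NIPRNet and SIPRNet accounts are distinct even when the same cleared person holds both.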
Why This Is Better Than Two Different Platforms
| Dimension | Two Separate Platforms | One Platform, Two Deployment Modes |
| --- | --- | --- |
| Procurement cycles | 2 separate procurements, 2 contract vehicles, 2 vendor evaluations | 1 procurement, 1 contract, 1 vendor relationship |
| ATO processes | 2 completely independent ATOs with different architectures | 2 ATOs with identical architecture – SSP, configuration baselines, and control mappings transfer directly |
| Training | 2 training programs, 2 sets of operational procedures | 1 training program. Operators who learn the unclassified instance can operate the classified instance |
| Operational procedures | Different consoles, different workflows, different troubleshooting | Identical consoles, identical workflows. Classification-specific policies, not classification-specific operations |
| Audit trail | 2 different log formats, 2 SIEM integration efforts | Identical log format. SIEM integration developed once, deployed twice |
| Patch management | 2 different patch cycles, 2 testing processes | Patches tested on unclassified instance first, then applied to classified after validation |
| Policy consistency | Policies diverge over time as platforms evolve independently | Policies developed on one instance, adapted for classification-specific requirements, deployed to both |
| Vendor expertise | Agency maintains expertise on 2 different products | Deep expertise on 1 product applied across both environments |
| Total cost | 2x licensing, 2x training, 2x integration, 2x maintenance | ~1.3x licensing (two instances), 1x training, 1x integration methodology, ~1.3x maintenance |
The cost reduction is substantial but the operational benefit is larger. Defense agencies that operate two different connectivity platforms at two classification levels report that operational divergence – the gradual drift between how the two platforms are configured, patched, and operated – creates security gaps. Policies that are enforced on the unclassified side may not exist on the classified side, or vice versa. The single-platform model eliminates this drift by design.
The ATO Acceleration: How Dual-Deployment Streamlines Authorization
The Authority to Operate process is the longest lead-time item in any government technology deployment. For defense agencies, dual-classification deployments traditionally require two completely independent ATOs – each with its own System Security Plan, its own control assessment, its own authorization package, and its own AO review.
The single-platform dual-deployment model compresses this process significantly.
The Reuse Framework
Step 1: Achieve ATO on the unclassified instance first.
The unclassified deployment (IL4/IL5) typically has a faster ATO timeline because the authorization environment is more established, IL5 assessment methodologies are well-documented, and DISA SNAP registration is procedurally straightforward. Target: 8–16 weeks from deployment to ATO.
Step 2: Reuse the unclassified SSP as the foundation for classified ATO.
The System Security Plan for the unclassified instance documents every architectural component, every configuration baseline, every control implementation. Because the classified instance uses identical architecture, 85–90% of the SSP transfers directly. The classified SSP adds:
- CNSSI controls specific to IL6
- Personnel clearance documentation
- Physical facility security documentation
- SIPRNet connectivity documentation
- Classification-specific handling procedures
Step 3: Classified assessment leverages unclassified findings.
The 3PAO or assessment team reviewing the classified instance can reference the unclassified assessment results for all controls that are architecturally identical. They focus assessment effort on the IL6-specific additions – which is approximately 15% of the total control set rather than 100%.
Step 4: AO review benefits from precedent.
The Authorizing Official reviewing the classified ATO sees an identical architecture that has already received authorization at a lower classification level. This is not a novel deployment – it is a proven architecture operating in a new classification context. The risk assessment benefits directly from the operational track record of the unclassified instance.
Timeline Impact
| Phase | Two Different Platforms | Single Platform Dual-Deployment |
| --- | --- | --- |
| Unclassified ATO | 12–20 weeks | 8–16 weeks |
| Classified ATO | 16–30 weeks (independent) | 8–14 weeks (SSP reuse + assessment leverage) |
| Total elapsed time | 28–50 weeks (partially parallel) | 16–30 weeks (sequential, with reuse) |
| Total assessment effort | 200% (two full assessments) | ~130% (full + partial) |
For agencies managing the broader consolidation of cross-network security into a single Zero Trust platform, the ATO acceleration extends beyond classification boundaries to every network boundary the agency operates – inter-agency connections, contractor networks, OT/SCADA boundaries, and coalition partner access.
The Five Connectivity Types That Span Both Classification Levels
Defense agencies require the same five connectivity types at both classification levels. Any Zero Trust platform that cannot deliver all five at both IL5 and IL6 forces supplementary products – and supplementary products at IL6 require their own ATOs.
Type 1: Interactive Application Access (RDP, SSH, HTTP, TCP)
Personnel need RDP to workstations, SSH to servers, HTTP to web applications, and TCP connections to legacy systems – at both classification levels. Each session requires per-session MFA, device posture verification, and application-level authorization. No network-level VPN access.
Type 2: Bidirectional File Transfer with Content Inspection
Firmware updates, configuration files, intelligence products, operational documents – all move between systems via file transfer. At both IL5 and IL6, every file must be scanned through Content Disarm and Reconstruction before reaching the destination. Standard SMB or SFTP with no content inspection fails this requirement at both classification levels.
Type 3: Session Recording (Video + Keystrokes + File Transfers)
OMB circulars, DoD DTM 25-003, and DISA STIGs require privileged session oversight. At IL6, the recording requirement extends to every session touching classified systems – not just administrative sessions. Session recordings must be stored, indexed, and searchable within the classification boundary.
Type 4: Vendor and Contractor Access
Cleared contractors access IL5 and IL6 systems for maintenance, development, and operations. Each vendor session requires named accounts (not shared credentials), per-session MFA, time-bounded access, and complete session recording. The vendor access controls must produce audit evidence that satisfies both the agency’s AO and the contractor’s DCSA oversight.
Type 5: Identity-Based Microsegmentation
DTM 25-003 requires Zero Trust segmentation at both classification levels. Per-device isolation prevents lateral movement – whether the movement occurs on NIPRNet or SIPRNet. The segmentation policies are classification-specific (different devices, different users, different access patterns), but the enforcement architecture is identical.
TerraZone’s solutions for state, federal, and defense agencies provide all five connectivity types from a single platform architecture – deployable at IL5 on NIPRNet and IL6 on SIPRNet with the same configuration methodology, the same policy engine, and the same audit trail format.
How truePass Gravity Enables Dual-Classification Deployment
TerraZone’s truePass Gravity is designed for exactly this deployment model. Its three-layer architecture – Reverse Access, Heimdall SMB Proxy with CDR, and Zero Trust Application Access with session recording – operates identically at any classification level because all processing occurs within the deployment boundary. No external dependencies. No cloud callbacks. No data that leaves the classified perimeter.
Layer 1 – Reverse Access Infrastructure. The Access Controller inside the protected network initiates outbound connections to the Access Gateway. No inbound ports. The architecture operates the same way on NIPRNet (outbound to NIPRNet Gateway) and SIPRNet (outbound to SIPRNet Gateway). The classified instance never communicates with the unclassified instance.
Layer 2 – Heimdall SMB Proxy with CDR. Every file transfer passes through Content Disarm and Reconstruction. On the unclassified instance, CDR scans files crossing between CUI zones. On the classified instance, CDR scans files crossing between classified compartments. Same scanning architecture. Different classification boundaries.
Layer 3 – Zero Trust Application Access with Session Recording. Per-session RDP, SSH, HTTP, and TCP access with MFA, device posture verification, and integrated video + keystroke recording. On NIPRNet, sessions are recorded and stored within the NIPRNet boundary. On SIPRNet, sessions are recorded and stored within the SIPRNet boundary. Same recording architecture. Different storage boundaries.
The truePass platform requires no external cloud services, no vendor-hosted infrastructure, and no data path outside the deployment boundary – which is precisely what makes dual-classification deployment possible without architectural modification.
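Layer 1's reverse-access pattern, as a runnable model added here (this is not TerraZone's or truePass's code): an `AccessController` inside the protected boundary dials out to an `AccessGateway` and serves requests that arrive over that outbound connection, so nothing inside the boundary listens. The class names, the length-prefixed framing and the `internal_app` stand-in are assumptions made for the demonstration, and everything runs on loopback.

```python
"""Model of the reverse-access pattern: the Access Controller inside the
protected network dials OUT to an Access Gateway and serves requests over
that connection, so the protected boundary exposes no inbound port.
Added example, not TerraZone/truePass code; framing, class names and the
toy backend are assumptions made for this demonstration."""
import socket
import struct
import threading


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_frame(sock, data):
    """Length-prefixed framing so one tunnel can carry discrete requests."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_frame(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


class AccessGateway:
    """Sits outside the protected network (e.g. a DMZ). It is the only side
    that listens: one port for the controller's outbound call, one for clients."""
    def __init__(self):
        self.ctrl_listener = socket.socket()
        self.ctrl_listener.bind(("127.0.0.1", 0))
        self.ctrl_listener.listen(1)
        self.client_listener = socket.socket()
        self.client_listener.bind(("127.0.0.1", 0))
        self.client_listener.listen(5)
        self.controller = None
        self.tunnel_lock = threading.Lock()

    def ctrl_addr(self):
        return self.ctrl_listener.getsockname()

    def client_addr(self):
        return self.client_listener.getsockname()

    def start(self):
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        self.controller, _ = self.ctrl_listener.accept()   # wait for the outbound call
        while True:
            client, _ = self.client_listener.accept()
            with client:
                request = recv_frame(client)
                with self.tunnel_lock:          # one request in flight per tunnel
                    send_frame(self.controller, request)
                    response = recv_frame(self.controller)
                send_frame(client, response)


class AccessController:
    """Sits INSIDE the protected network. Opens no listening socket: it calls
    out to the gateway and answers whatever arrives on that connection."""
    def __init__(self, gateway_addr, backend):
        self.sock = socket.create_connection(gateway_addr)  # outbound only
        self.backend = backend   # callable standing in for the internal application

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        try:
            while True:
                send_frame(self.sock, self.backend(recv_frame(self.sock)))
        except (ConnectionError, OSError):
            pass


def request_via_gateway(client_addr, payload):
    """What a remote user does: talk to the gateway, never to the protected host."""
    with socket.create_connection(client_addr) as s:
        send_frame(s, payload)
        return recv_frame(s)


def internal_app(request):
    """Constructed stand-in for an application inside the boundary."""
    return b"OK: " + request.upper()


def demo(payload=b"hello"):
    """Wires gateway, controller and a client together on loopback.
    Returns (response, whether the controller's socket is a listener)."""
    gw = AccessGateway()
    gw.start()
    ctrl = AccessController(gw.ctrl_addr(), internal_app)
    ctrl.start()
    response = request_via_gateway(gw.client_addr(), payload)
    listens = bool(ctrl.sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN))
    try:
        ctrl.sock.shutdown(socket.SHUT_RDWR)
    finally:
        ctrl.sock.close()
    return response, listens


if __name__ == "__main__":
    print(demo())
```

The gateway is the only component that binds a port; the controller's socket is a connected outbound socket, which is why `SO_ACCEPTCONN` reports it as not listening. A production implementation would authenticate the controller when it calls out, multiplex many sessions over the tunnel and tie each relayed request to the per-session MFA and recording controls described in Layer 3; the model only shows the direction of the connection, which is the property that lets the same architecture sit on NIPRNet and SIPRNet unchanged.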
DISA STIG Alignment
Each truePass Gravity component is configurable against DISA STIG baselines. The STIG configuration developed for the unclassified instance transfers directly to the classified instance – with additions specific to IL6 STIG requirements. The STIG configuration is part of the ATO package and benefits from the same reuse framework that accelerates the classified ATO.
Common Objections to Single-Platform Dual-Deployment
Objection 1: “Classified and unclassified require fundamentally different architectures”
They require different data paths and different personnel controls. They do not require different architectures. Zero Trust principles – identity verification, application-level access, least privilege, continuous verification – apply identically at both classification levels. DTM 25-003 mandates the same Zero Trust maturity targets for both. A platform that meets Zero Trust requirements at IL5 meets the architectural requirements at IL6. The additions for IL6 are classification-management controls, not architectural changes.
Objection 2: “We can’t risk a vulnerability in the unclassified platform affecting classified”
The two instances share no data, no network connectivity, and no administrative access. A vulnerability in the unclassified instance has zero attack path to the classified instance. They are separate systems that happen to run the same software – like two separate agencies running the same operating system. A Windows vulnerability on NIPRNet does not propagate to SIPRNet because the networks are separate. The same principle applies to the Zero Trust platform. What the shared code base does mean is that a vulnerability found in one instance is also present in the other and must be remediated on both; the patch flow described earlier (validate on the unclassified instance, then apply to the classified one) is built for exactly that.
Objection 3: “Our AO won’t accept an unclassified product for classified use”
The AO accepts the architecture, not the product label. When the classified SSP demonstrates that the architecture meets NIST 800-53 + CNSSI controls, that DISA STIGs are applied, that personnel meet clearance requirements, and that the deployment operates entirely within the classified boundary – the authorization is based on evidence, not on which network the same product was first deployed on. The unclassified ATO provides precedent, not permission. The classified ATO stands on its own evidence.
Objection 4: “What about cross-domain transfers between the two instances?”
The dual-deployment model does not provide cross-domain transfer. The two instances are separate. Cross-domain solutions (CDS) are separate accredited systems governed by DISA’s Cross Domain Enterprise Services. If the agency requires data movement between classification levels, a CDS sits between the two truePass instances – the CDR and policy controls on each side process files within their classification level, and the CDS handles the classification boundary crossing.
Objection 5: “We already have Citrix/VPN on both networks”
Many defense agencies operate Citrix NetScaler or legacy VPN on both NIPRNet and SIPRNet – and have experienced the same architectural vulnerabilities on both. CitrixBleed (CVE-2023-4966) affected every NetScaler configuration including those on classified networks. Replacing Citrix VPN with Zero Trust Application Access follows the same phased migration pattern at both classification levels – migrate vendors first, privileged users second, general workforce third, decommission VPN last.
Implementation Timeline for Dual-Classification Deployment
| Phase | Duration | Activities | Deliverable |
| --- | --- | --- | --- |
| 1. Procurement | 6–10 weeks | Single contract covering both classification levels. Specify IL5 + IL6 deployment requirements. Include STIG configuration services | Signed contract |
| 2. Unclassified deployment | 4–6 weeks | Deploy on NIPRNet. Integrate with unclassified AD/IdP. Configure PIV/CAC. Connect to unclassified SIEM | Operational unclassified instance |
| 3. Unclassified ATO | 8–16 weeks | SSP development, control assessment, AO review, ATO issuance | Unclassified ATO granted |
| 4. Classified deployment | 4–6 weeks | Deploy on SIPRNet. Integrate with classified AD. Configure classified MFA. Connect to classified SIEM. Apply STIG baseline | Operational classified instance |
| 5. Classified ATO | 8–14 weeks | SSP (reuse 85–90% from unclassified). Assessment (focus on IL6-specific controls). AO review with unclassified precedent | Classified ATO granted |
| 6. User migration – both networks | 6–8 weeks | Phased migration: vendors → privileged → general workforce. Parallel VPN operation during validation | All users on ZT, both networks |
| 7. VPN decommission – both networks | 4 weeks | Block VPN access, monitor for stragglers, decommission appliances on both NIPRNet and SIPRNet | VPN attack surface eliminated |
Total: 40–64 weeks end-to-end. Compared to deploying two separate platforms with independent procurements, independent ATOs, and independent migrations – which typically takes 60–90+ weeks – the single-platform approach saves 5–7 months of elapsed time.
For defense agencies evaluating this approach within the broader federal Zero Trust platform landscape, the dual-deployment capability is a distinguishing architectural feature that most commercial platforms cannot provide because their architectures depend on cloud services that cannot operate within classified boundaries.
Frequently Asked Questions
Can one Zero Trust platform really operate at both IL5 and IL6?
Yes – if the platform is designed for on-premises deployment with zero external dependencies. The platform operates as two separate instances, one per classification level. Each instance connects only to the identity infrastructure, SIEM, and network on its own classification level. The architecture is identical; the data paths are separate. IL6-specific requirements (CNSSI controls, SECRET clearances, SIPRNet connectivity) are classification-management additions, not architectural differences.
How does dual-deployment affect the ATO timeline?
It accelerates it. The unclassified ATO produces an SSP, configuration baselines, and assessment results that transfer directly to the classified ATO – approximately 85–90% reuse. The classified ATO focuses assessment effort on IL6-specific controls rather than reassessing the entire architecture. Typical timeline savings: 5–7 months compared to two independent ATOs for two different platforms.
What about the DoD Zero Trust FY2027 deadline?
DTM 25-003 requires Target Level Zero Trust across all unclassified and classified systems. The single-platform dual-deployment model addresses both with one architectural approach. Agencies deploying in 2026 can achieve Target Level maturity on both networks before FY2027 – instead of achieving it on unclassified first and starting classified deployment after. A comprehensive evaluation of Zero Trust platforms for government maps the specific CISA ZTMM and DoD ZTS requirements that the FY2027 deadline enforces.
Does this model work for Top Secret / SCI environments?
The architectural principle extends to any classification level. Top Secret / SCI environments add additional controls (SCIF requirements, TS clearances, JWICS connectivity), but the Zero Trust architecture remains identical. The platform instance deployed within the TS/SCI boundary operates the same way – with TS/SCI-specific policies, personnel, and physical controls.
What about coalition / partner network deployments?
Defense agencies operating coalition networks (Five Eyes, NATO, bilateral partners) can deploy additional platform instances on each partner network. Each instance is independent, operates within the partner’s classification boundary, and connects only to that network’s identity infrastructure. The operational familiarity transfers – operators trained on one instance can operate any instance.
How does this compare to using Microsoft Azure Government IL5 + IL6?
Azure Government provides IL5 cloud infrastructure in Gov regions and IL6 in DoD-specific regions. This works for SaaS and cloud-native workloads. However, agencies with on-premises applications, OT/SCADA environments, or requirements that prohibit commercial cloud for connectivity infrastructure need on-premises Zero Trust deployment. The dual-deployment model addresses exactly this scenario – agencies that cannot route classified (or unclassified OT) connectivity through commercial cloud infrastructure.
Conclusion
The assumption that classified and unclassified networks require separate Zero Trust platforms is an assumption – not a requirement. DTM 25-003 mandates the same Zero Trust maturity targets for both. The architectural requirements converge on identity verification, application-level access, session recording, content inspection, and zero inbound ports – controls that do not change based on classification level.
What changes is the data path. Where traffic flows. Where audit logs reside. Who administers the system. These are deployment parameters, not architectural differences.
A single platform deployed in two independent instances – one on NIPRNet, one on SIPRNet – provides identical architecture, identical operational procedures, and identical audit trail formats across both classification levels. The ATO for the second instance reuses 85–90% of the first. Training is learned once. Patches are tested once and deployed twice. Policy consistency is maintained by design, not by coordination between two different vendor teams.
The defense agencies that deploy Zero Trust across both classification levels from a single platform will meet the FY2027 deadline faster, at lower total cost, with better operational consistency, and with stronger security evidence than agencies that procure, deploy, authorize, train, and maintain two separate platforms for the same architectural requirement.
Same architecture. Different data paths. One ATO process – accelerated, not duplicated.