Released 30 June 2026
The Department of War’s (DoW) Cloud Computing Security Requirements Guide (CC SRG) has been updated to Version 1, Release 7, and the headline change affects background investigation tiers for personnel who support DoD/DoW-authorized cloud offerings. If your organization holds a Provisional Authorization (PA) at Impact Level 4, 5, or 6, this update changes what you need to document — and in some cases, what you need to resubmit.
At a Glance: How Personnel Screening Changes by Impact Level
| Impact Level | V1R6 Minimum Investigation Tier | V1R7 Minimum Investigation Tier | Citizenship Requirement |
| IL4 | Tier 2 | Tier 3 | No change: US Citizen/National/Person; reinforced no foreign national access |
| IL5 | Tier 2 or Tier 4 | Tier 3 | No change: US Citizen/National/Person; reinforced no foreign national access |
| IL6 | Tier 3 or Tier 5 | Tier 3, with access to classified | No change: US Citizen |
The pattern is consistent across IL4 and IL5: V1R7 consolidates prior tiering options into a single Tier 3 requirement. IL6 keeps Tier 3 as its floor but now explicitly ties it to classified access.
Background on the Investigation Tiers
To understand the operational impact of the change, it helps to distinguish what each investigation tier requires, which form it uses, and what it costs.
Tier 2 (formerly Moderate Background Investigation, or Level 5B) is a public trust position designation. It uses Form SF-85P, reinvestigated every 5 years. Initial investigation runs $735–$794, with reinvestigation at $690–$745.
Tier 3 (formerly NACLC/ANACI, or Level 2) is a non-critical sensitive national security position; this is the tier that makes a staff member eligible for a secret clearance. It uses Form SF-86, reinvestigated every 10 years. Initial cost is $735, reinvestigation is $690.
Tier 4 (formerly Background Investigation, or Level 6) is another public trust designation, one step up from Tier 2. It uses Form SF-85P, reinvestigated every 5 years. This is considerably more expensive: $4,810–$5,195 initially and $3,105–$3,353 for reinvestigation.
Tier 5 (formerly Single Scope Background Investigation, or Level 3) is a critical sensitive national security position, making the individual eligible for a top-secret clearance. This tier uses Form SF-86, reinvestigated every 7 years. It is also the most expensive tier: $6,240–$6,739 initial, $3,580–$3,866 for reinvestigation.
(Tier definitions sourced from NIH’s Office of Research Services; cost figures from DCSA’s published investigation billing rates.)
What This Actually Means for CSPs with a DoD PA
A few practical implications fall out of this update:
- Everyone with access is now an “Administrator.” Regardless of actual assigned privilege level, the CSP SRG (section 5.5.2) now considers all CSP personnel with access to the offering to be Administrators for screening purposes. This applies across all Impact Levels.
- Cleared Personnel are not required for IL4/IL5. Tier 3 does NOT equate to a clearance: It is a vetting scope and does not automatically grant the investigated person a secret clearance.
- IL4/IL5 CSPs need to update documentation and practice. Personnel screening requirements have to be reflected both in your compliance documentation and in how you’re actually screening existing and incoming staff assigned to the offering.
- IL4/IL5: cost is flat, but paperwork isn’t. Moving from Tier 2 to Tier 3 doesn’t change the price tag, but it does require a brand-new investigation submission; the SF form and investigation type are both different, so an existing Tier 2 investigation doesn’t carry over.
- IL5 specifically: this can save money, with a catch. For personnel previously investigated at Tier 4, moving to Tier 3 actually reduces cost. But just like the Tier 2 → 3 shift, a new submission is still required, there’s no way to convert an existing investigation in place.
- IL6 CSPs largely see no change. If your offering already required only Tier 3 investigations, V1R7 doesn’t add new burden here. However, IL6 still requires key cyber individuals to undergo a Tier 5 investigation, with no minimum number of Tier 5 personnel identified.
(Upgrading/downgrading requirements sourced from DCSA’s Personnel Vetting page)
Bottom Line
For IL4 and IL5 cloud service providers, V1R7 requires more than a documentation update. Review personnel screening records against the new Tier 3 baseline, update the SSP and related artifacts to reflect section 5.5.2’s treatment of all personnel with access as Administrators for screening purposes, and identify where new investigation submissions are required.
Even when the investigation cost remains the same, the transition may still require new forms, new submissions, and additional lead time.
IL6 providers already meeting the Tier 3 baseline may see less operational impact, but should still confirm that their documentation and Tier 5 requirements for key cyber personnel remain aligned with V1R7.



