With the United States intelligence community gradually shifting all of its efforts over to the ICD 503, one thing is glaringly missing: a primer, in plain language, on how the heck to make the change from DCID 6/3 and JAFAN 6/3.
Well, that’s what this site is about. I am here to help you understand why the ICD 503 is important and what you can do to learn and implement the concepts of the directive quickly and easily.
So what the heck is the ICD 503, and how is it different from previous certification and accreditation requirements in the intelligence community? Well, that’s a great question.
You see, the old way of protecting information systems, while great at the time, left a lot to be desired in the face of ever-changing technology. Not only that, new business practices and strategic needs were not easily supported by the old methodology. We’ll get more into this later.
The old system
Change is hard, and the shift over to the ICD 503 is no exception. The DCID 6/3 and the JAFAN 6/3 were relatively easy to follow in that they were rigid about which requirements were necessary in order to comply with government regulations when it came to certifying and accrediting an information system. In other words, all you had to do was follow the guide section by section, making sure that the information system was doing what the manual said to do for its protection level and levels of concern.
While that was easy, it was not flexible. Often the data owners didn’t have a strategic view of what their information system was providing to the overall mission of the program it supported. All that mattered was that the system met the requirements called out in the manual. The problem with this is that although the information system was secure, it often led to inefficiencies in budget and in the actual support of the mission it was intended to help.
Certification and accreditation as a strategic goal
Because of changing economic and defensive needs, the intelligence community recognized that it needed a better and more flexible way of certifying and accrediting the information systems that support the strategic goals of the United States and its allies. It could no longer rely on strict compliance; in order to be more efficient in all aspects of information security, the intelligence community needed a risk management approach.
The intelligence community realized that you’re always going to have some risk when securing systems. Rather than making absolute security the goal, understanding the business, the mission need, and the needs of other agencies has come to the forefront. You will often hear the phrase “acceptable risk” while working with the ICD 503.
Enabling commonality between agencies
For over a decade the intelligence community has been trying very hard to implement reciprocity. Even under the old compliance model, the idea has always been to have a common standard that all agencies and military branches could easily agree on in order to interconnect systems while still maintaining proper security. Unfortunately, even though the idea was great, it never worked.
Now, it is almost essential for the community to have some sort of reciprocity, and the ICD 503 is hell-bent on making that happen.
Optimizing security costs
Ultimately, with everything that you will learn about the ICD 503, one thing will always be constant, and that is decreasing the cost of security while increasing its effectiveness. Whether it’s reciprocity, flexibility, a strategic view of information security, and so on, the fundamental need behind all of this is to maintain national security while still being able to innovate and create new ways to secure the interests of the United States and its allies.
So, hopefully you liked this intro to the ICD 503. Like I said, I want to provide a resource that is helpful as well as easy to understand.