The Eight Roles of DCID 6/3

Only five short of a baker’s dozen, there are eight roles provided in Director of Central Intelligence Directive (DCID) 6/3 “Protecting Sensitive Compartmented Information Within Information Systems”.

(pdf) (doc)

  1. Principal Accrediting Authority — responsibility for all intelligence systems within their respective purviews, are the DCI, EXDIR/CIA, AS/DOS (Intelligence & Research), DIRNSA, DIRDIA, ADIC/FBI (National Security Div), D/Office of Intelligence/DOE, SAS/Treasury (National Security), D/NIMA, and the D/NRO
  2. Data Owner — final statutory and operational authority for specified information
  3. Designated Accrediting Authority — authority to assume formal responsibility for operating a system at an acceptable level of risk based on the implementation of an approved set of technical, managerial, and procedural safeguards
  4. Designated Accrediting Authority Representative (DAA Rep) — technical expert responsible to the DAA for ensuring that security is integrated into and implemented throughout the life cycle of a system
  5. Information System Security Manager (ISSM) — responsible for an organization’s IS security program
  6. Information System Security Officer (ISSO) — responsible to the ISSM for ensuring that operational security is maintained for a specific IS
  7. Privileged Users — access to system control, monitoring, or administration functions
  8. General Users — can receive information from, input information to, or modify information on, a system without a reliable human review

They provide a good exercise in defining relationships with compartmentalised information; it’s fun to try and make a diagram that shows the connections and overlap.

DCID 6/3 in 1999 superseded DCID 1/16, which had the much more fun title of “Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks“.

DCID 1/16 was from 1988 and superseded DCID 1/16 of 1983 — a time of great US government concern about outsider attacks and NSA’s first attempt to wrestle control of the Internet away from NIST.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.