Only five short of a baker’s dozen, there are eight roles provided in Director of Central Intelligence Directive (DCID) 6/3 “Protecting Sensitive Compartmented Information Within Information Systems”.
- Principal Accrediting Authority — responsible for all intelligence systems within their respective purviews; these are the DCI, EXDIR/CIA, AS/DOS (Intelligence & Research), DIRNSA, DIRDIA, ADIC/FBI (National Security Div), D/Office of Intelligence/DOE, SAS/Treasury (National Security), D/NIMA, and the D/NRO
- Data Owner — final statutory and operational authority for specified information
- Designated Accrediting Authority — authority to assume formal responsibility for operating a system at an acceptable level of risk based on the implementation of an approved set of technical, managerial, and procedural safeguards
- Designated Accrediting Authority Representative (DAA Rep) — technical expert responsible to the DAA for ensuring that security is integrated into and implemented throughout the life cycle of a system
- Information System Security Manager (ISSM) — responsible for an organization’s IS security program
- Information System Security Officer (ISSO) — responsible to the ISSM for ensuring that operational security is maintained for a specific IS
- Privileged Users — access to system control, monitoring, or administration functions
- General Users — can receive information from, input information to, or modify information on, a system without a reliable human review
They provide a good exercise in defining relationships with compartmentalised information; it’s fun to try and make a diagram that shows the connections and overlap.
DCID 6/3 in 1999 superseded DCID 1/16, which had the much more fun title of “Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks”.
DCID 1/16 was from 1988 and superseded DCID 1/16 of 1983 — a time of great US government concern about outsider attacks and NSA’s first attempt to wrest control of the Internet away from NIST.