Intelligence Community Directive (ICD) 503

  • Artikel
  • 2 menit untuk membaca

ICD 503 overview

In 2008, the Director of National Intelligence signed the Intelligence Community Directive 503 Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation. It was intended to provide guidance to the Intelligence Community (IC) for risk management and certification of information systems across the IC. As stated in the Directive, "information technology risk management standards published, issued, and promulgated for the IC by the IC CIO may include standards, policies, and guidelines approved by either or both the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS)". In 2015, ICD 503 was amended to replace legacy certification and accreditation terminology with current security control assessment and authorization terminology.

ICD 503 establishes IC guidelines across the following domains:

  • Risk management
  • Security authorization
  • Security assessment
  • Reciprocity
  • Interconnection

ICD 503 is closely related to the NIST Risk Management Framework (RMF), and it enables the IC to use NIST and CNSS standards for security assessment. It also allows the IC to accept a security assessment of an information system conducted by non-IC agencies of the Federal Government if that security assessment is based on standards compatible with those established for the IC, for example, NIST and CNSS standards issued for the IC by the IC CIO.

Azure and ICD 503

Azure Government Secret and Azure Government Top Secret maintain ICD 503 Authorizations to Operate (ATO) with facilities authorized according to ICD 705.

Azure Government Secret was developed using the same principles and architecture as Azure commercial cloud. It enables fast access to sensitive, mission-critical information while maintaining the security and integrity of classified Secret workloads. It is available from three dedicated regions located over 500 miles apart. Azure Government Secret operates on secure, native connections to classified networks with options for ExpressRoute and ExpressRoute Direct for private, resilient, high-bandwidth connectivity.

Azure Government Top Secret serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to process national security workloads classified at the US Top Secret level. Azure regions for Top Secret classified data expand the ability of our national security customers to achieve greater agility, cost savings, and speed to innovation.

Applicability

  • Azure Government Secret
  • Azure Government Top Secret

Services in scope

For a list of Microsoft online services in scope for the ICD 503 ATO in Azure Government Secret or Azure Government Top Secret, contact your Microsoft account representative.

Attestation documents

Contact your Microsoft account representative for assistance.

Frequently asked questions

What Azure services are covered by ICD 503 Authorization to Operate (ATO)?
For a list of Microsoft online services in scope for the ICD 503 ATO in Azure Government Secret or Azure Government Top Secret, contact your Microsoft account representative.

Resources