Hillary Clinton

(this is DCID 6/3 which was implemented shortly after he took office ~May 2000)

"Compliance assessments should minimally include the following:
a. Check individual systems for configuration vulnerabilities; file ownership and
permissions, signs of hackers (e.g., sniffing, suspicious files), Trojan horse
programs; and for incorrect version or unauthorized modification of critical
system files.

b. Check network for default accounts and easy passwords (e.g., dictionary words,
passwords under eight characters); check for unprotected machines (e.g., print
servers), and for improperly configured and otherwise vulnerable services.


DCID 6/2 (which went into place in 1999, replacing DCID 1/22 and (NSDD) 145 was even more vague, the entire text of each is barely two pages long. The threats as we now know them, simply didn't exist to the same extent that they do now.

(This is the relevant section in IDC 503, which took effect in ~Sept 2008 replacing DCID 6/5 and DCID 6/9, before she took office)

UNCLASSIFIED

a. The principal goal of an IC element's information technology risk management
process shall be to protect the element's ability to perform its mission, not just its information
assets. Therefore, IC elements shall consider risk management an essential management
function, and shall ensure that it is tightly woven into the system development life cycle.

b. Because risk cannot be eliminated entirely, the risk management process must allow
decision makers to consider the operational and economic costs of protective measures weighed
against requirements for mission accomplishment. For example, a very high level of security
may reduce risk to a very low level, but can be extremely expensive, and may unacceptably
impede essential operations.

(1) In determining the level of acceptable risk associated with the operation of an
information technology system at a particular level of security, IC elements shall give
appropriate weight to the often competing equities of mission and security requirements, budget consequences, operational performance efficiencies, schedule requirements, counterintelligence concerns, civil liberties and privacy protection, and other relevant policy requirements.

(2) Elements of the IC shall weigh the potential costs of protective measures against
security benefits gained, ensuring that security measures adopted and applied allow mission
capabilities at acceptable risk levels.

(3) Elements of the IC shall consider information sharing and collaboration across
the IC and with appropriate foreign partners as essential mission capabilities.

c. Elements of the IC shall determine the level of security required for an information
system by considering the sensitivity of the information contained within the system, and by
evaluating the system's ability to permit information sharing and collaboration across the Ie.

d. Many IC information systems are interconnected. Therefore, the risk accepted by one
element is effectively accepted by all, just as security limitations imposed by one are effectively imposed upon all. To promote interoperability and efficiency across the IC information technology enterprise, and to provide a sound basis for trust and reciprocal acceptance of individual element certification and accreditation across the enterprise, IC elements shall apply common standards and follow a common process to manage risk for their systems.

e. Elements of the IC shall apply standards for information technology risk management
established, published, issued, and promulgated by the IC CIO. Information technology risk
management standards published, issued, and promulgated for the IC by the IC CIO may include
standards, policies and guidelines approved by either or both NIST and the Committee on
National Security Systems (CNSS).

2

UNCLASSIFIED

leD 503

2. Accreditation

a. Accreditation decisions are official management decisions that explicitly accept a
defined level of risk associated with the operation of an information technology system at a
particular level of security in a specific environment on behalf of an IC element.

b. By accrediting an information system, an IC element approves it for operation at a
particular level of security in a particular environment, and thus establishes the level of risk associated with operating the system and the associated implications for operations, assets, or individuals.

c. In determining the level of acceptable risk associated with the operation of an
information technology system, IC elements shall make decisions on accreditation in accordance with the policy for risk management described in this Directive and in any standards that may be subsequently issued pursuant to the authorities granted herein.

d. Accreditation by IC elements shall ensure that risk is mitigated to the extent possible,
commensurate with the sensitivity of the information in a system. Elements shall ensure that
accreditation of their systems permits IC-wide collaboration and information sharing sufficient to ensure both element and IC-wide mission accomplishment. In accrediting any system over which it has accreditation authority as described below, an element shall accept only the minimum degree of risk required to ensure that the information system effectively supports mission accomplishment while appropriately protecting the information in the system.

e. The head of each IC element may designate one or more Authorizing Officials to
make accreditation decisions on behalf of the element head. The element head shall retain
ultimate responsibility for all accreditation and associated risk management decisions made on his or her behalf.

(1) An Authorizing Official shall be accountable to the element head for the
accreditation and associated risk management decision, for which the element head is ultimately responsible and accountable.

(2) An Authorizing Official has inherent U.S. Government authority and, as such,
must be a government employee.

(3) An Authorizing Official shall have a broad and strategic understanding of the IC
and of his or her particular IC element and its place and role in the overall Ie. An Authorizing Official shall use this knowledge to assign appropriate weight to the often competing equities of mission and security requirements, budget consequences, operational performance efficiencies, schedule requirements, counterintelligence concerns, information sharing, civil liberties and privacy protection, and other relevant policy requirements. Then, in light of these factors, the Authorizing Official will determine the level of risk deemed acceptable for an accredited system.

(4) An Authorizing Official should normally be the agency or element CIO. For IC
elements without a CIO, an Authorizing Official shall be an executive of sufficient seniority to execute the decision-making and approval responsibilities described above on behalf of the element.

3
UNCLASSIFIED

ICD 503

(5) An IC element Authorizing Official shall accredit or reaccredit systems the
element funds, operates, or manages, as well as any operated by the element as an executive
agent on behalf of the Ie enterprise.

(6) An Authorizing Official's accreditation decision shall articulate the supporting
rationale for the decision, provide an explanation of any terms and conditions for the
authorization, and explain any limitations or restrictions imposed on the operation of the system and the reasons for those limitations or restrictions. An Authorizing Official shall state, in the accreditation decision documentation, whether the system is accredited, accredited with conditions, or not accredited.

f. An Authorizing Official may appoint one or more Delegated Authorizing Officials to
expedite accreditation approval of designated systems, and provide mission support.

(1) A Delegated Authorizing Official has inherent U.S. Government authority and, as
such, must be a government employee.

(2) Like an Authorizing Official, a Delegated Authorizing Official shall have a broad
and strategic understanding of the IC and of his or her particular IC element and its place and role in the overall IC. A Delegated Authorizing Official shall use this knowledge to assign appropriate weight to the often competing equities of mission and security requirements, budget consequences, operational performance efficiencies, schedule requirements, counterintelligence concerns, civil liberty and privacy protection, and other relevant policy requirements, and then in light of these factors, to detennine the level of risk deemed acceptable for an accredited system.

g. In detennining which particular information systems may be accredited by a
Delegated Authorizing Official, an Authorizing Official shall consider the potential impact on organizations or individuals should there be a breach of security of a particular system such that a loss of information confidentiality, integrity or availability results.

(1) Confidentiality means the preservation of authorized restrictions on information
access and disclosure, including means for protecting personal privacy, proprietary information, and classified information. A loss of confidentiality is the unauthorized disclosure of information.

(2) Integrity means the prevention of improper modification or destruction of
information and includes ensuring information non-repudiation and authenticity. A loss of
integrity is the unauthorized modification or destruction of information.

(3) Availability means ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information in an information
system.

h. A Delegated Authorizing Official shall only accredit an information system if the
Authorizing Official determines that a breach of security of that information system would result in no more than a low to moderate potential impact on organizations or individuals. In no case shall a Delegated Authorizing Official make an accreditation decision for a system when an Authorizing Official deems a breach of security of that information system would result in a high potential impact on organizations or individuals.