Intelligence Community Directive (ICD) 503
ICD 503 overview
In 2008, the Director of National Intelligence signed Intelligence Community Directive 503, titled Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation. It was intended to provide guidance to the Intelligence Community (IC) for risk management and certification of information systems across the IC. As stated in the Directive, "information technology risk management standards published, issued, and promulgated for the IC by the IC CIO may include standards, policies, and guidelines approved by either or both the National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS)". In 2015, ICD 503 was amended to replace legacy certification and accreditation terminology with current security control assessment and authorization terminology.
ICD 503 establishes IC guidelines across the following domains:
- Risk management
- Security authorization
- Security assessment
- Reciprocity
- Interconnection
ICD 503 is closely related to the NIST Risk Management Framework (RMF), and it enables the Intelligence Community to use NIST and CNSS standards for security assessment. It also allows the IC to accept a security assessment of an information system conducted by non-IC agencies of the Federal Government if that security assessment is based on standards compatible with those established for the IC, for example, NIST and CNSS standards issued for the IC by the IC CIO.
Azure and ICD 503
Azure Government Top Secret maintains an ICD 503 Authorization to Operate (ATO) with facilities authorized according to ICD 705.
Azure Government Top Secret serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to process national security workloads classified at the US Top Secret level. Azure regions for Top Secret classified data expand the ability of our national security customers to achieve greater agility, cost savings, and speed to innovation.
Applicability
- Azure Government Top Secret
Services in scope
For a list of Microsoft cloud services in scope for the ICD 503 ATO in Azure Government Top Secret, contact your Microsoft account representative.
Attestation documents
Contact your Microsoft account representative for assistance.
Frequently asked questions
What Azure services are covered by ICD 503 Authorization to Operate (ATO)?
For a list of Microsoft online services in scope for the ICD 503 ATO in Azure Government Top Secret, contact your Microsoft account representative.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Azure for US Government
- Azure Government Top Secret
- NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
- CNSSI 1253 Security Categorization and Control Selection for National Security Systems
- Intelligence Community Directive (ICD) 503 Intelligence Community Information Technology Systems Security Risk Management
- Intelligence Community Directive (ICD) 705 Sensitive Compartmented Information Facilities
- IC Tech Spec - for ICD/ICS 705, version 1.5 Technical Specification for Construction and Management of Sensitive Compartmented Information Facilities