top of page



CD 503 was issued by the DNI (Director of National Intelligence) in 2008. DCID 6/3 was effectively “rescinded and replaced” almost in its entirety. Since that time, the transition from DCID 6/3 to the RMF (Risk Management Framework) and or JAFAN 6/3 has begun and training is required. The ICD 503 RMF for Practitioners Course (RMFSPP) provides Security Professionals and Practitioners with skills to accomplish or oversee the implementation of Intelligence Community Directive (ICD) 503 -Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation. Students gain insights into the Federal Government’s Certification & Accreditation transformation by examining the concepts of commonality, reuse and risk management from an enterprise perspective. Students learn the Risk Management Framework (RMF) and gain a comprehension of the key RMF roles and responsibilities.

Instruction includes stepping through and understanding the reasoning for the 6 Steps of the Risk Management Framework including:

  • Step 1 – categorizing information and information systems

  • Step 2 – security control families; common, hybrid, and system-specific security controls; tailoring and the identification of control enhancements

  • Step 3 – considerations for implementing security controls in the System Development Life- Cycle (SDLC)

  • Step 4 – resources and references to assess and test security controls

  • Step 5 – the Body of Evidence to achieve authorization (accreditation)

  • Step 6 – considerations for continuous monitoring.


The course provides a detailed walk-through of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 and NIST SP 800-53; and the Committee for National Security Systems (CNSS) Instruction 1253. Because most security professionals still encounter Director of Central Intelligence (DCID) 6/3 in the workplace as organizations gradually transition to ICD 503, this course provides a high-level overview of the DCID and highlights the most distinct differences between it and ICD 503.


Security personnel who are responsible for system certification and accreditation (assessment and authorization) to include but not limited to: (Information Assurance (IA) and Information System Security Managers (ISSMs), Information Systems Security Engineers (ISSEs), and Information Systems Security Officers (ISSOs), Security Control Assessors (SCA), Information System Owners (ISO), etc.


  • Gain a thorough understanding of the new national policy (RMF) relative to systems certification and accreditation.

  • Explore new concepts and approaches to using newly established and existing policy from across various components of the US government.

bottom of page