Standing for “Director of Central Intelligence Directive section 6, part 3”, DCID 6/3 is the C&A (certification and accreditation) methodology used on intelligence projects by federal agencies like the C.I.A. Anyone working on such projects must have SCI clearance (SCI stands for Sensitive Compartmentalized Information). Before DCID 6/3 came to life, another accreditation process was in use: DCID 1/16.
Dealing with classified information only (as opposed to NIST), DCID 6/3 is based on C&A performed on information systems that use Protection Levels, and it defines 5 such levels. The levels are based on an information system's assessed level of concern and range from PL1 to PL5 as the level of concern ranges from low to high.
The DCID methodology ensures that only cleared, authorized individuals have access to classified information. Even though DCID is intended to work with classified information only, any company, organization or private agency can customize and implement it, since it is publicly available on the Internet. Anybody interested in the DCID 6/3 documentation can find it on the FAS (Federation of American Scientists) website at www.fas.org/irp/offdocs/dcid-6-3-manual.pdf
In order to implement the DCID certification and accreditation standards, a company must comply with the implementation policy. This is also publicly available on the Internet: www.fas.org/irp/offdocs/DCID_6-3_20Policy.htm. The implementation policy of DCID 6/3 focuses on data encryption and physical security of the information. This is what really sets C&A under DCID apart from other forms of accreditation and certification.