In: Categories » Business » Branding and certification » NIACAP and NIST Phases Differences and Similarities
| The NIST process was designed for unclassified information, more commonly known as Sensitive But Unclassified (SBU) information. The framework for the NIST C&A methodology is described in a publication known as NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. A copy of it is available online at http://csrc.nist. gov/publications/nistpubs/800-37/SP800-37-final.pdf. Both NIST and NIACAP establish a framework to provide accountability for those people tasked with responsibility of the system. Both processes stipulate definitions and requirements for system characterization, risk assessment, veri- fication and validation of security controls, and testing. Certification recommendations and accrediting decisions are also called for by both processes. Some civilian federal agencies use the NIACAP process, however the current trend is for agencies to move away from the NIACAP process and instead use the NIST process. However, to be sure, the NIACAP and NIST models are very similar and if their own internal oversight authority allows it, an agency can use a combination-hybrid of the NIACAP and NIST models. Both the NIACAP and NIST models describe the C&A process being done in four phases. The four phases of the NIACAP are: 1. Definition 2. Verification 3. Validation 4. Post Accreditation The four phases of the NIST model are: 1. Initiation 2. Certification 3. Accreditation 4. Continuous Monitoring Agencies who are working on refining their C&A process by updating and revising their process guidelines should not get hung up on the names used for the phases. Whether you call the first phase Definition, Initiation, or something of your own making is not going to affect how well the process works, and whether or not you receive an A or a B on the annual Federal Computer Security Report Card.The important thing is to make sure that whatever terminology is being used is well defined, understood by all, and is consistent throughout all the other agency C&A documents. Keep in mind that the goal of creating a C&A process is to create a well-defined repeatable process. NIACAP and NIST ComparedThe NIACAP methodology is six years old and CNSS is currently in the process of being updated. NIACAP guidelines are described in a document known as NSTISSI No. 1000, which is available at www.cnss.gov/ Assets/pdf/nstissi_1000.pdf. The NIST methodology was last released in May of 2004. Prior to updating their guidelines, NIST goes to a lot of trouble to solicit review and comments from both public and private industry, which greatly enhances the quality of their publications. The NIST guidance is well written and easy to follow. However, it is only a 69-page document, and is just a framework—following it won’t solve all your C&A problems because it leaves a lot of gray areas open to interpretation. Agencies and bureaus that embrace the NIST model use NIST Special Publication 800-37 as a guide to write their own internal C&A process and handbook customized for their own unique requirements. In essence, NIST Special Publication 800-37 is a call to action and gives agencies a “to do” list for actions, plans, policies, procedures, training, and methodologies that need to be put into place. Putting into place the items that the NIST C&A process proposes that agencies include (without putting together any Certification Packages) is a huge undertaking in itself. Some of the C&A guidance for NIACAP, DITSCAP, and DCID is publicly available. However, because these methodologies are related to national security systems, defense systems, and intelligence systems, it is possible that they could be made unavailable to the general public at any time. The NIST model is very current, and NIST solicits and receives feedback from a much larger community of experts. Of all four C&A methodologies, the NIST model is more “open source” than the others—if you can call a methodology open source.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
Even those who have learned that a brand is a symbol, often fall into error by failing to understand that a brand can only arise from two sources. The first is as a result of product success. Most brand identities spring from this source. For example, Proctor & Gamble transformed Crest from just another contender to America's leading toothpaste for decades after persuading the American Dental Association that Crest really did help prevent cavities. For a time, Crest was the only toothpaste able to make this claim, and the m...
2. The Nature of Brands
To ensure a sojourn at the branding altar free from sin, it's vital to understand what a brand is. First, it is not, nor can it ever be, a product or service. This is a concept difficult for many marketers to grasp. Yes, you can buy a company. And you can buy its brands. However, you can never sell these brands to the customer. All you can ever sell is products or services. This basic fact was ignored time and again during the dot-com and application service provider (ASP) boom of the late 1990s. Branding exercises ...
3. Designing a self assessment Survey
Before you start to design a self-assessment survey, check to see if your agency has a self-assessment template that already exists that they would like you to use. Since you’re probably under a deadline, don’t recreate a brand-new self-assessment survey if a pretty good one already exists at your agency. Also, it may be against the agency security policies to use a survey that is different than the one they provide. If your agency does not have a self-assessment survey template, you will need to develop one before you can...
4. How to Develop a Certification Package
Before you’ll be able to start putting together a Certification Package, you’ll need to acquire as much information as possible about the systems or applications you’ll be certifying.You need to be a good detective, and not lose faith when the details appear unclear.The more information you gather the clearer the details will become.You are about to put together an information technology jigsaw puzzle. Initiating Your C&A Project When you begin your C&A project, don&rs...
5. DCID 6.3
DCID 6/3 is the certification and accreditation process used by federal agencies working on intelligence projects (e.g., the CIA). Specifically, information technology projects that require that anyone working on them has a Top Secret, Sensitive Compartmentalized Information (SCI) clearance use the DCID 6/3 process. DCID stands for Director of Central Intelligence Directive and 6/3 refers to the process described in section 6, part 3 of the compendious Director of Central Intelligence Directives.5 The certification ...
6. Creditation and Acreditation Handbook Development
In developing the program, you’ll need to write a C&A Handbook that instructs your agency or bureau on how to prepare a Certification Package. The idea is to standardize the development of all Certification Packages that are submitted for evaluation.Without a handbook and a specified process, the Certification Packages will have a different look and feel. If 50 different Certification Packages all have the right information in it, but in different formats, it is going to be very difficult for the...
7. Criteria to Use for Determining the Certification and Accreditation Levels
In order to determine the level at which your information should be certified and accredited, there are seven criteria you should take into consideration: ■ Confidentiality ■ Integrity ■ Availability ■ Interconnection State ■ Processing State ■ Complexity State ■ Mission Criticality I am going to show you how to assign risk and impact ...
8. What Is Certification and Accreditation
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required by the Federal Information Security Management Act (FISMA) of 2002. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accredit...
9. The NIACAP Process
As you recall, the NIACAP C&A model was developed by the CNSS, and its intent is to be used as guidance for the C&A of national security systems. National Security Systems are systems that contain National Security Information (NSI). Classified NSI includes information determined to be either “Top Secret,”“Secret,” or “Confidential” under Executive order 12958,4 which was released by the White House office of the Press Secretary in April 1995. However, NSI may also inc...