The NIST process was designed for unclassified information, more commonly known as Sensitive But Unclassified (SBU) information. The framework for the NIST C&A methodology is described in a publication known as NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. A copy of it is available online at http://csrc.nist. gov/publications/nistpubs/800-37/SP800-37-final.pdf.

Both NIST and NIACAP establish a framework to provide accountability for those people tasked with responsibility of the system. Both processes stipulate definitions and requirements for system characterization, risk assessment, veri- fication and validation of security controls, and testing. Certification recommendations and accrediting decisions are also called for by both processes.

Some civilian federal agencies use the NIACAP process, however the current trend is for agencies to move away from the NIACAP process and instead use the NIST process. However, to be sure, the NIACAP and NIST models are very similar and if their own internal oversight authority allows it, an agency can use a combination-hybrid of the NIACAP and NIST models. Both the NIACAP and NIST models describe the C&A process being done in four phases.

The four phases of the NIACAP are:

1. Definition

2. Verification

3. Validation

4. Post Accreditation

The four phases of the NIST model are:

1. Initiation

2. Certification

3. Accreditation

4. Continuous Monitoring

Agencies who are working on refining their C&A process by updating and revising their process guidelines should not get hung up on the names used for the phases. Whether you call the first phase Definition, Initiation, or something of your own making is not going to affect how well the process works, and whether or not you receive an A or a B on the annual Federal Computer Security Report Card.The important thing is to make sure that whatever terminology is being used is well defined, understood by all, and is consistent throughout all the other agency C&A documents. Keep in mind that the goal of creating a C&A process is to create a well-defined repeatable process.

NIACAP and NIST Compared

The NIACAP methodology is six years old and CNSS is currently in the process of being updated. NIACAP guidelines are described in a document known as NSTISSI No. 1000, which is available at www.cnss.gov/ Assets/pdf/nstissi_1000.pdf.

The NIST methodology was last released in May of 2004. Prior to updating their guidelines, NIST goes to a lot of trouble to solicit review and comments from both public and private industry, which greatly enhances the quality of their publications.

The NIST guidance is well written and easy to follow. However, it is only a 69-page document, and is just a framework—following it won’t solve all your C&A problems because it leaves a lot of gray areas open to interpretation. Agencies and bureaus that embrace the NIST model use NIST Special Publication 800-37 as a guide to write their own internal C&A process and handbook customized for their own unique requirements.

In essence, NIST Special Publication 800-37 is a call to action and gives agencies a “to do” list for actions, plans, policies, procedures, training, and methodologies that need to be put into place. Putting into place the items that the NIST C&A process proposes that agencies include (without putting together any Certification Packages) is a huge undertaking in itself.

Some of the C&A guidance for NIACAP, DITSCAP, and DCID is publicly available. However, because these methodologies are related to national security systems, defense systems, and intelligence systems, it is possible that they could be made unavailable to the general public at any time. The NIST model is very current, and NIST solicits and receives feedback from a much larger community of experts. Of all four C&A methodologies, the NIST model is more “open source” than the others—if you can call a methodology open source.