As you recall, the NIACAP C&A model was developed by the CNSS, and its intent is to be used as guidance for the C&A of national security systems.

National Security Systems are systems that contain National Security Information (NSI). Classified NSI includes information determined to be either “Top Secret,”“Secret,” or “Confidential” under Executive order 12958,4 which was released by the White House office of the Press Secretary in April 1995. However, NSI may also include Sensitive But Unclassified (SBU) information. The NIACAP C&A model was developed for auditing National security systems. National security systems are those systems related to intelligence activities, equipment that is an integral part of a weapon system, command and control of military forces, cryptologic activities related to national security, or equipment that is critical to the direct fulfillment of military of intelligence missions. NIST clarified the definition of National Security Systems in August 2003 when it released, NIST SP 800-59, Guideline for Identifying an Information System as a National Security System.

Recall that the NIACAP process is described in NSTISSI No. 1000. NSTISSI No. 1000 describes tasks, activities, and a recommended management structure to use for your C&A process.The similarities between

NIACAP and NIST arise in part because NSTISSI No. 1000 recommends that C&A activities take the NIST guidance into consideration stating, While developed for national security systems, the NIACAP may, at an agency’s discretion, be adapted to any type of IS and any computing environment and mission subject to the policies found in OMB Circular A-130, Appendix III and the standards and guidance issued by the National Institute of Standards and Technology (NIST).

The NIACAP is endorsed by the U.S. National Security Agency and was last updated in April of 2000.Though originally intended for national security systems, any federal agency (or private enterprise) can adopt and use the NIACAP process as long as their oversight authority allows it. However, as of this writing, systems that are classified as national security systems are still required to follow the NIACAP methodology.