NIST and NIACAP are two frameworks that provide accountability for the people involved in the security of an information system. They cover verification and validation of security controls, system characterization and risk assessment, as well as accreditation decisions and certification recommendations. NIST is a process designed to deal with unclassified information commonly known as SBU (Sensitive But Unclassified). The NIST methodology can be downloaded from: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
Even though NIST and NIACAP are very similar, the NIACAP methodology is somewhat deprecated: some federal agencies still use it, but the trend is to switch to NIST.
Describing the C&A process, both NIST and NIACAP have four phases (the NIACAP phases are the same as the DITSCAP phases):
The NIST phases:
1. Initiation
2. Certification
3. Accreditation
4. Monitoring
The NIACAP phases:
1. Definition
2. Verification
3. Validation
4. Post-accreditation
As I previously said, NIST and NIACAP are very similar, but let’s see what the differences are.
NIST was released in May 2004. Published as a 69-page document, NIST is easy to follow and well written. Companies using the NIST model use Special Publication 800-37 for guidance and C&A requirements. The 800-37 specifies the plans, procedures, actions and policies that companies have to put into practice. As I mentioned before, you can download the NIST documentation from here: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIACAP is twelve years old, and its guidelines are defined in a document called NSTISSI 1000, which can be downloaded from here: http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf