
NIST and NIACAP phases

NIST phases

NIST (specifically NIST Special Publication 800-37) and NIACAP are two certification and accreditation (C&A) frameworks that define roles and accountability for the people involved in securing an information system. Both cover verification and validation of security controls, system characterization and risk assessment, as well as certification recommendations and accreditation decisions. The NIST process applies to federal systems that are not national security systems, i.e. unclassified information commonly described as SBU (Sensitive But Unclassified); NIACAP was written for national security systems. The NIST methodology can be downloaded from: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

Even though NIST and NIACAP are very similar, the NIACAP methodology is somewhat deprecated: some federal agencies still use it, but the trend is to move to the NIST process.

Both NIST and NIACAP describe the C&A process in four phases (the NIACAP phases are the same as the DITSCAP phases):

The NIST phases:

1. Initiation

2. Certification

3. Accreditation

4. Monitoring

The NIACAP phases:

1. Definition

2. Verification

3. Validation

4. Post-accreditation

As noted above, NIST and NIACAP are very similar, but let's look at the differences.

The NIST process was first released in May 2004 as Special Publication 800-37, a 69-page document that is easy to follow and well written. Organizations using the NIST model follow SP 800-37 for guidance and C&A requirements. SP 800-37 specifies the plans, procedures, actions and policies that organizations have to put into practice. As mentioned above, the NIST documentation can be downloaded from here (the linked file is Revision 1 of SP 800-37): http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

NIACAP dates from April 2000; its guidelines are defined in a document called NSTISSI No. 1000, which can be downloaded from here: http://www.cnss.gov/Assets/pdf/nstissi_1000.pdf

If you have any questions, please ask below!