Introduction

There are four primary C&A models that agencies use as a basis to architect their standardized C&A process. The four C&A models are the National Information Assurance Certification and Accreditation Process (NIACAP) model, the National Institute of Standards and Technology (NIST) model, the Defense Information Technology Systems Certification and Accreditation Process (DITSCAP) model, and the DCID 6/3 model.

The NIACAP model is based on a process published by the Committee on National Security Systems that documents its methodology in the National Security Telecommunications and Information System Security Instructions, ^[1] otherwise known as NSTISSI No. 1000. The NIST model is described in a publication known as NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. ^[2] In the past, many civilian federal agencies have used either the NIACAP or NIST s previous models; however in recent years, the trend has been to abandon the NIACAP model and adopt the NIST model. The NIST specifications are more up to date, and include a vast amount of supporting documents that complement the foundational guidelines. The DITSCAP ^[3] model is used primarily by defense agencies, though civilian agencies have the option of adopting any DITSCAP principles that they feel may complement their own unique C&A program. The...