DIACAP is transitioning from a Certification and Accreditation (C&A) process to a Risk Management Framework (RMF). Most of the new Risk Management Framework is described in NIST Special Publication 800-37. The original NIST SP 800-37 was also based on Certification and Accreditation; after FISMA 2002, it was revised into a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
The move from NIST SP 800-37 to SP 800-37 Rev 1 transformed the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The changes included:
- The revised process emphasizes:
  - Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  - Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
  - Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems