ISSEP C&A Confusion

prix03gt Member Posts: 6
I took the ISSEP exam last month and got a 680 :(

The few questions that I believe sunk me dealt with C&A processes and who uses them. I am hoping that some more seasoned ISSEPs can chime in and set me straight. All of my study materials describe DIACAP as being used by DoD and NIACAP as being used by everyone else. What I cannot seem to find a definitive answer on is who uses the SP800-37 RMF process. What is also confusing to me is the fact that the test is possibly a little outdated with regard to C&A. I know DoD is moving towards updating with something similar to the RMF, but they are not there yet. So should I be taking this test assuming that it is still stuck on the older processes?

My Current Understanding:

DIACAP - used by DoD both agencies and contractors
NIACAP - used by all other agencies, IRS for example
SP800-37/RMF - New Process, not currently required to be used by federal agencies but perhaps being used in the private sector....?

Thank you for any help you can provide. I'm re-taking Monday 2/16/15..... Wish me luck!

Comments

  • mog27 Member Posts: 302
    I took and passed the ISSEP a few weeks ago; just waiting for the official resume review.

    As for your question, DIACAP is the DoD-based C&A for all non-National Security Systems (NSS). NIACAP is controlled by the CNSS and used for all NSS systems. The RMF is used by federal civilian agencies, but a lot are in the process of moving to the RMF. The RMF is more important to know; however, there were a fair share of DIACAP/NIACAP on the exam. Hope that helps.
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin

    "The internet is a great way to get on the net." --Bob Dole
  • prix03gt Member Posts: 6
    Congrats on the pass. Unfortunately, your reply only leaves me with more questions. The link below is from the SANS institute, which basically states the complete opposite of what you just stated....

    http://www.sans.org/reading-room/whitepapers/standards/introduction-certification-accreditation-1259
  • prix03gt Member Posts: 6
    Congrats on the pass. I hope to be in the same boat after Monday.
    I appreciate your response; however, I am reading a paper from the SANS Institute right now that states the exact opposite of what you just posted. I tried to post a link here, but it seems that results in my post being marked as SPAM. If you google "SANS Introduction to Certification and Accreditation", you'll see what I mean. This is why I am so confused.

    Could possibly be because the SANS paper was written in 2003, so it's outdated....
  • Darxtar Member Posts: 30
    In the DoD, in eMASS you have the option of using DIACAP or RMF. RMF is preferred; using DIACAP will result in receiving an ATO of less than 3 years for Navy submissions. However, I doubt the ISSEP test reflects this and probably wants DIACAP for DoD.
    Ph.D. in Information Systems Security
  • zxbane Member Posts: 740
    To OP prix03gt and mog27: do you guys mind sharing what your study materials were and how long you prepared for/how much related experience you have? Best of luck on the next attempt OP; a 680 on this exam is still impressive. From what everyone says it is the most difficult CISSP concentration by far!
  • mog27 Member Posts: 302
    zxbane wrote: »
    To OP prix03gt and mog27 do you guys mind sharing what your study materials were and how long you prepared for/how much related experience you have? Best of luck on the next attempt OP, a 680 on this exam is still impressive, from what everyone says it is the most difficult CISSP concentration by far!

    I took a boot camp from InfoSec Institute and then took a few months after that to do some self-studying. I used the course book from InfoSec Institute, IATF chapter 3, and read through some of the NIST SPs. I also took the ISSEP FedVTE course and printed out the class notes. Although I had the CBK book, I did not use it. I have worked in the C&A field for a while, in particular the RMF, so that helped. I had no IATF experience, limited technical project management experience, and some experience in U.S. Government Information Assurance Related Policies and Issuances (although it wasn't my strong point). You need to make best friends with the IATF, in particular chapter 3. Make flashcards for the Policies/Issuances domain.

    I did not think the exam was that hard as long as you knew your stuff. It was fair. I would actually argue that it's slightly easier than the CISSP because there are fewer topics (4 domains vs 10 domains). I know a lot say it is the hardest test, but before I submitted I was actually very confident I passed. Hope this helps.
  • prix03gt Member Posts: 6
    I've been working as an ISSE for DoD for about 5 years, but I have very little real-world experience with C&A from end to end.
    I took the official ISC2 boot camp in July 2014.
    My study materials to date:
    Books and flash cards I received in the boot camp.
    The Official ISSEP CBK guide by Susan Hansche (yellow and green book).
    I purchased the uCertify ISSEP testing solution. It is very outdated and you will not pass relying on this alone (ask me how I know). My company covered the $120 so I don't care, but I would not waste my own money on it. All it really does is mentally prepare me to memorize and take a CBT-type exam.
    READ THE ACTUAL DOCUMENTS! Trust me, it's worth it, and I think it's the reason I failed the first time.

    And I have already taken the test once, which I think gives me an edge on what I missed the first time around.

    Good Luck, this test sucks and I'll be glad when I finally pass....