ISSEP C&A Confusion
I took the ISSEP exam last month and got a 680.
The few questions that I believe sunk me dealt with C&A processes and who uses them. I am hoping that some more seasoned ISSEPs can chime in and set me straight. All of my study materials describe DIACAP as being used by DoD and NIACAP as being used by everyone else. What I cannot seem to find a definitive answer on is who uses the SP800-37 RMF process. What is also confusing to me is the fact that the test is possibly a little outdated with regard to C&A. I know DoD is moving towards updating with something similar to the RMF, but they are not there yet. So should I be taking this test assuming that it is still stuck on the older processes?
My Current Understanding:
DIACAP - used by DoD both agencies and contractors
NIACAP - used by all other agencies, IRS for example
SP800-37/RMF - New Process, not currently required to be used by federal agencies but perhaps being used in the private sector....?
Thank you for any help you can provide. I'm retaking Monday 2/16/15..... Wish me luck!

Comments
As for your question, DIACAP is the DOD based C&A for all non National Security Systems (NSS). NIACAP is controlled by the CNSS and used for all NSS systems. The RMF is used by federal civilian agencies, but a lot are in the process of moving to the RMF. The RMF is more important to know; however, there were a fair share of DIACAP/NIACAP on the exam. Hope that helps.
"The internet is a great way to get on the net." --Bob Dole
http://www.sans.org/reading-room/whitepapers/standards/introduction-certification-accreditation-1259
I appreciate your response; however, I am reading a paper from the SANS Institute right now that states the exact opposite of what you just posted. I tried to post a link here, but it seems that results in my post being marked as spam. If you Google "SANS Introduction to Certification and Accreditation", you'll see what I mean. This is why I am so confused.
Could possibly be because the SANS paper was written in 2003, so it's outdated....
I took a boot camp from InfoSec Institute and then took a few months after that to do some self-studying. I used the course book from InfoSec Institute, IATF chapter 3, and read through some of the NIST SPs. I also took the ISSEP FEDVTE course and printed out the class notes. Although I had the CBK book, I did not use it. I have worked in the C&A field for a while, in particular the RMF, so that helped. I had no IATF experience, limited technical project management experience, and some experience in U.S. Government Information Assurance Related Policies and Issuances (although it wasn't my strong point). You need to make best friends with the IATF, in particular chapter 3. Make flashcards for the Policies/Issuances domain.
I did not think the exam was that hard as long as you knew your stuff. It was fair. I would actually argue that it's slightly easier than the CISSP because there are fewer topics (4 domains vs 10 domains). I know a lot say it is the hardest test, but before I submitted I was actually very confident I passed. Hope this helps.
"The internet is a great way to get on the net." --Bob Dole
I took the official ISC2 boot camp in July 2014.
My study materials to date:
Books and Flash cards I received in the boot camp.
The Official ISSEP CBK guide by Susan Hansche (Yellow and Green book)
I purchased the ucertify ISSEP testing solution. It is very outdated and you will not pass relying on this alone (ask me how I know). My company covered the $120 so I don't care, but I would not waste my own money on it. All it really does is mentally prepare me to memorize and take a CBT type exam.
READ THE ACTUAL DOCUMENTS! Trust me, it's worth it and I think it's the reason I failed the first time.
And I have already taken the test once, which I think gives me an edge on what I missed the first time around.
Good Luck, this test sucks and I'll be glad when I finally pass....