Not to worry, having a military background lets me know this will all change again in a couple of years and then I be lost like everone else.
Cheers!

The problem with DIACAP is that, while its lofty goals of weaving security through the enterprise, embedding it into the planning and development of our systems, and cutting out much of the fluff from the SSAA were truly overdue, the implementation of the DIACAP has been an absolute mess (at least from the ground level view). That is if you call putting DIACAP into effect, publishing some token documents and hosting the “figure it out amongst yourselves” forum on the DIACAP portal an implementation plan. With DITSCAP, I actually had more control over making my C&A package a true representation of my system. Now, because the Air Force has rolled up its Clinger-Cohen, FISMA, DIACAP IT Lean and countless other requirements into a single database, I have to repeatedly enter the same information about my system in different sections of the same database, despite the fact that most of the items being asked about do not apply to my system. SPAWAR had an good transition concept that combined the SIP and the new controls/RTM and DIACAP-relevant sections of the old SSAA. This may not have worked for an enterprise system but for a relatively simple system like the one I have, I could have directed my efforts to improving the documentation and applying more security to the system rather than filling out an endless series of “not applicable”.

It also duplicates some effort. If you change the DIACAP part, then you have to change the various pieces of the SSAA. Polyinstantiation means that you have started to write spaghetti code in the version of a security controls document.

Trick here is that you *can* use a requirements traceability matrix as your SSAA/SSP/$foo and that’s what the overall trend is going to. Hopefully the free-form text documents are on their way to an early grave. =)

Knowing IGs, they don’t like it because the presentation layer of the policy stack needs to be in a format that they are used to. In the long run, it’s easier to give them what they want than it is to educate them.

Knowing IA, all I really want is a brief description of the controls and where I can go for more information if I have a question.

I don’t know how your process works but, C & A packages are a lot of travel and work for me. We are currently in limbo on the use of DIACAP and DITSCAP. Paperwork wise, the only thing the DIACAP adds is a stripped down version of the SSAA. The cool thing about it is that it is all supposed to be online. So its the DITSCAP online (digital DITSCAP).