The Committee on National Security Systems (CNSS) Policy (CNSSP) No. 22 dated January 2012 cancelled CNSS Policy No. 6, “National Policy on Certification and Accreditation of National Security Systems,” dated October 2005, and National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 1000, “National Information Assurance Certification and Accreditation Process (NIACAP),” dated April 2000. CNSSP No. 22 also states that "The CNSS intends to adopt National Institute of Standards and Technology (NIST) issuances where applicable. Additional CNSS issuances will occur only when the needs of NSS are not sufficiently addressed in a NIST document. Annex B identifies the guidance documents, which includes NIST Special Publications (SP), for establishing an organization-wide risk management program." It directs the organization to make use of NIST Special Publication 800-37, which implies that the Risk management framework (RMF) STEP 6 – AUTHORIZE INFORMATION SYSTEM replaces the Certification and Accreditation process for National Security Systems, just as it did for all other areas of the Federal government who fall under SP 800-37 Rev. 1.
JOINT TASK FORCE TRANSFORMATION INITIATIVE (2010), NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Washington, D.C.: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, U.S. Department of Commerce, doi:10.6028/NIST.SP.800-37r1
