800-37 has been in release for a while, providing the basis for the C&A
process. My understanding is that C&A is evolving (and going the way of
the dinosaur) very soon as NIST works with CNSS/JTF on the next big
thing. I'm blanking on the rest of the details (not my space), but
pinging Mike Smith (
NIST has created a draft document entitled: Guide for Applying Risk
Management Framework to Federal Information Systems: A Security
Lifecycle Approach. Curious to know if anyone has identified gaps,
differences in opinion, etc. between NIST and how either SAMM or BSIMM
would define the same?
***