AFPD 33-2 set in policy the use of the Security, Interoperability, Supportability, Sustainability and Usability (SISSU) as our system certification and accreditation (C&A) process. It is a process that is part of what the AF refers to as IT Lean which is far from lean.  There are four phases, Define Needs, Design, Build & Test, and Release & Support in each of the "ilities" and they must all be complete before you can move on to the next phase. The Security part of this uses DIACAP.  The idea behind this was so that from the very start of the C&A the AIS' would get buy in from all parties required to sign off and approve the package.  So, as far as I know no ones actually made it thru using the new DIACAP process yet.  To move from each phase you have to have it reviewed and validated and the organization doing the validating don't have the manpower to stay on top of all the releases going out.  I've been working one of my systems for almost a year and have yet to get out of design phase!  So, needless to say, it's extremely frustrating!