The only agency with the kind of relationship with the
DIACAP that you're talking about is DISA.
So, the answer you are looking for is DISA, or the "Defense Information Systems Agency".They are the primary source of DIACAP resources and knowledge services.
The risk management structure is based around the following steps as outlined and implemented by the NSA and other defense and security agencies:
- System Identification Profile
- DIACAP Implementation Plan
- Validation
- Certification Determination
- DIACAP Scorecard
- POA&M
- Authorization to Operate Decision
- Residual Risk Acceptance
You can find out more about the this branch of the US Defense service here: //business.blurtit.com/3117711/our-source-for-diacap-resources-and-knowledge-services-can-be-discovered-through-our
And here: