DAAG vs DAAPM and The Transition to DAAG
BLUF
- The DAAG officially replaces the DAAPM, but this is more of a modernization and restructuring effort than a full overhaul. Most current ATOs remain valid, and NIST 800-53 Rev 4 controls are still in place.
- The biggest impact for contractors is documentation: organizations need to update outdated DAAPM citations, align policies to the new NCSO structure, and fully rewrite areas like WAN/ISA documentation, Cloud policies, and Shared/Comingled Systems guidance.
- Through 2026, expect inconsistent DCSA assessment expectations as the transition continues. The best approach is to start DAAG alignment now, refresh governance documents proactively, and prepare for future Rev 5 changes without rushing into unnecessary rewrites.
After more than a decade living inside DAAPM 2.2, cleared industry has a new rulebook: the DCSA Assessment and Authorization Guide (DAAG, Version 1.1, dated 31 August 2025). It is also still being refined, per DCSA. Rev 5 and DAAG requirements remain a work in progress through 2026. Translation: the destination is set, the road is being paved as we drive on it, and nobody loves driving on fresh asphalt.
The good news: this is not a “rewrite everything” event. The not-so-good news: the parts that do change happen to be the exact areas where most contractors already have the weakest documentation.
What is the DAAG?
Picture your old NISP rulebook as a printed road atlas. It was accurate the day you bought it, but it will be dated by next quarter, and good luck if a bridge goes out. That was the DAAPM. The DAAG is GPS: same roads, same destinations, but the routing updates as construction, detours, and traffic change. It consists of a master guide (NCSO 1800.00) plus a constellation of standing orders (NCSO 1800.01 through 1820.00) that DCSA can update one at a time without reissuing the whole map.
The DAAG officially superseded the DAAPM on 31 August 2025. Going forward, NCSO references replace DAAPM appendix references throughout DCSA’s guidance ecosystem.
| Dimension | DAAPM 2.2 | DAAG V1.1 |
| --- | --- | --- |
| Architecture | Single 158-page manual, 25 appendices | Modular NCSO 1800-series catalog (master guide + standing orders) |
| Regulatory anchor | Legacy DoD-issued NISPOM Manual | 32 CFR Part 117 |
| Control catalog | NIST SP 800-53 Rev 4 | NIST SP 800-53 Rev 4 (Rev 5 staged via NCSO 1815/1820 placeholders) |
| WAN classification | Flat WAN/EWAN/Unified WAN/Interconnected | C2G and C2C (Interconnected, Campus, eWAN, Unified) |
| Cloud guidance | No dedicated section | NCSO 1804.02 “Cloud Computing in the NISP” as standalone document |
| Shared/comingled | Not formally addressed | NCSO 1812.03 (currently in draft) |
What This Means for Industry
Your existing ATO is fine. Active authorizations don’t evaporate and the control catalog hasn’t changed. DAAG §1.1 confirms Rev 4 remains the baseline, with Rev 5 staged for future release. That means your SSP control implementation statements remain accurate. What’s outdated is your citations: every “per DAAPM Appendix [X]” in your governance library now points to a document DCSA has officially retired.
Your 2026 and 2027 ATO submissions are where it gets interesting. Across SecureStrux engagements through Q1 2026, we are seeing Field IS Reps assess against DAAPM expectations in some cases and DAAG expectations in others, depending on the office and how recently anyone’s been retrained. New packages should reference the DAAG, with Rev 4 controls. “Expect mixed messages” is the actual operating reality through 2026 and it is exactly the kind of moment where having someone in the room who lives in this every day pays for itself.
Your policy and procedure documents fall into three buckets. Most need a citation refresh, which is editorial work. But if you have a mature governance library, it’s never “just five documents.” A handful need targeted content updates: Configuration Management, Mobility, Data Transfer. And three areas need real rewrites: WAN and ISA documentation against the new C2G/C2C taxonomy (NCSO 1804.01), Cloud Policy as net-new ground (NCSO 1804.02), and Shared/Comingled System documentation when NCSO 1812.03 finalizes. None of those three are find-and-replace exercises.
SecureStrux Recommendations
- Don’t panic. Also, don’t wait. Current ATOs are valid. New 2026 and 2027 submissions should already be DAAG-aligned. Doing the work now means you aren’t scrambling at renewal.
- Do the citation crosswalk first. It’s editorial, but it’s also the kind of editorial that takes a senior team member three weeks of nights and weekends if they go it alone.
- Take the substantive rewrites seriously. WAN, Cloud, and Shared/Comingled aren’t citation refreshes. They’re new policy ground that requires DCSA fluency to write defensibly.
- Watch NCSO 1812.03 (Shared and Comingled Systems). Still in draft. The most consequential remaining piece for any contractor running multi-tenant classified environments.
- Plan for Rev 5 — don’t preemptively rewrite. When DCSA flips the switch, your SSP control statements will need real work. The teams that fare best are the ones that mapped Rev 4 to Rev 5 during the calm.
| Where SecureStrux Comes In | |
| --- | --- |
| DAAG Gap Assessment | We walk your governance library, technical implementation, and eMASS package against DAAG expectations and deliver a prioritized roadmap. Where do you stand today, and where will DCSA find the gaps first? |
| Citation Crosswalk & Governance Refresh | We have mapped every DAAPM appendix to its NCSO equivalent — sourced to DCSA’s own NCSO 1800.01 Document Control Index. For a typical governance library, we redline the citation refresh in days, not weeks of senior-staff overtime. Substantive rewrites are scoped separately. |
| Net-New Policy & Procedure Development | WAN, Cloud, and Shared/Comingled aren’t find-and-replace exercises — they’re weeks of real policy work that require DCSA-fluent writing and recent assessment exposure. We write defensible policy that survives an IS Rep walking your SCIF. |
| DCSA Inspection Readiness | Mock-inspect before DCSA does. ISSM coaching, evidence book review, and IS Rep-style probing on the controls most likely to be examined. Find your gaps in private — not on inspection day. |
| Rev 5 Readiness Mapping | When DCSA flips the switch, your SSP control statements will need real rewrites. We map your Rev 4 implementations to Rev 5 control language during the calm — not during the panic. |
The DAAG is the new authoritative guidance
The DAAG is the new authoritative guidance. The substance hasn’t changed; the architecture, citations, and a few targeted areas have. The right posture is measured: refresh citations now, rewrite where DCSA actually changed something, and don’t panic-rewrite for Rev 5 yet.
Because the best DCSA inspections are the boring ones.
Key questions this article answers
- What does the transition from DAAPM to DAAG actually mean for cleared contractors and existing ATOs?
- Which policies, procedures, and documentation areas require simple updates versus complete rewrites under the new DAAG/NCSO structure?
- How should organizations prepare for ongoing DCSA changes, mixed assessment expectations, and the eventual move to NIST 800-53 Rev 5?
About the Author
Sayngeun Phouamkha is a Lead CMMC Certified Assessor and Senior Cybersecurity Program Leader at SecureStrux, where he serves as the designated subject matter expert for SIPRNet accreditation under the National Industrial Security Program. CISSP, CCSP, PMP, SecurityX/CASP+, Lead CCA. MBA in Computer and Information Systems Security. 20+ years of cybersecurity experience across DoD, federal agencies, and the defense industrial base. Before he was an assessor, he was an Iraq War veteran maintaining a 660-node classified network at the busiest combat support hospital in Baghdad. He understands what it means when security isn’t theoretical.
