Newcomer I

Re: Don't be afraid of Government Regulations! Take the CAP!

I’m studying now for the CAP. I basically printed the 100+ pages of NIST SP 800-37, and that’s all I’m using. Is that enough?
Viewer II

Re: Don't be afraid of Government Regulations! Take the CAP!

Congratulations, please can you share some past questions?
Viewer III

Re: Don't be afraid of Government Regulations! Take the CAP!

If you're a Federal Government employee, there is a CAP course on https://fedvte.usalearning.gov that you can take. It has a 50-question test at the end. The CAP CBK, if I remember right, has about 40 sample questions.

I took the CAP test yesterday and was trying to figure out how ISC2 was going to come up with 125 questions, since the CAP CBK domains are covered in less than 300 pages. I have to say I enjoy the ISC2 tests, at least the traditional tests (I haven't had the pleasure of taking one of their adaptive tests yet), and think they do a great job of assessing knowledge. I'd like to see the CAP test become a requirement for all federal government ISSOs.

Newcomer I

Re: Don't be afraid of Government Regulations! Take the CAP!

Hi Pat,


You mentioned the Reference Mgmt Framework, and I have never heard of that. I thought the CAP was about applying RMF, the Risk Mgmt Framework. I am evaluating my interest in the CAP exam, and looking for study materials. Can you help?

Newcomer I

Re: Don't be afraid of Government Regulations! Take the CAP!

There aren’t a lot of materials on CAP out there. NIST SP 800-37r1 is the most all-inclusive document for the CAP exam. You can supplement it with other NIST publications like FIPS 199 and 200, and SP 800-60, -18, -53, -53A, and -137. Good luck!!
Advocate II

Re: Don't be afraid of Government Regulations! Take the CAP!


@Stpn2me wrote:

Learning about how the Reference Management Framework aligns with the Systems Development Life Cycle was a hoot!

I believe you mean the Risk Management Framework, as described in NIST Special Publications (SP) 800-30, 800-37, 800-53, 800-53A, etc.

A bit of (ISC)2 history: The CAP certification and exam grew out of a request from the U.S. State Department that (ISC)2 develop an exam to be sure information security specialists taking part in the certification & accreditation (C&A) of departmental information systems knew what they were doing. The C&A process was required by provisions in the Federal Information Systems Management Act of 2002 (FISMA).

While at one time there were various C&A processes in use across the U.S. government, a multi-agency Task Force led by NIST consolidated the process into the Risk Management Framework as we see it today. It has taken many years for each department or agency to convert to the RMF in accordance with the SPs listed above, but that work is moving forward. The process has also changed in response to the Federal Information Systems Modernization Act (FISMA II) of 2014.

Of special note, what had been the C&A process prior to the RMF is replaced by the assessment and authorization (A&A) process. A significant part of the shift from C&A to A&A is the expected shift from a compliance review and enforcement approach to a risk assessment and management approach. How well that change in philosophy from compliance to management is working is still up for grabs.

As a side comment, I was told several years ago that all knowledge required to pass the CAP exam is also an integral part of the RMF knowledge essential to passing the CISSP-ISSEP concentration exam. While I have not confirmed it personally, the advice was to take the CAP exam right after passing the CISSP-ISSEP exam.

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Newcomer I

Re: Don't be afraid of Government Regulations! Take the CAP!

Excellent suggestion, thank you!

Newcomer II

Re: Don't be afraid of Government Regulations! Take the CAP!

The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with an organization's mission and risk tolerance, while meeting legal and regulatory requirements.
