Community Champion

Re: Don't be afraid of Government Regulations! Take the CAP!


@Stpn2me wrote:

Learning about how the Reference Management Framework aligns with the Systems Development LifeCycle was a hoot!


I believe you mean the Risk Management Framework, as described in NIST Special Publications (SP) 800-30, 800-37, 800-53, 800-53A, etc. 

 

A bit of (ISC)2 history: The CAP certification and exam grew out of a request from the U.S. State Department that (ISC)2 develop an exam to be sure information security specialists taking part in the certification & accreditation (C&A) of departmental information systems knew what they were doing. The C&A process was required by provisions in the Federal Information Systems Management Act of 2002 (FISMA).

 

While at one time there were various C&A processes in use across the U.S. government, a multi-agency Task Force led by NIST consolidated the process into the Risk Management Framework as we see it today. It has taken many years for each department or agency to convert to the RMF in accordance with the SPs listed above, but that work is moving forward. The process has also changed in response to the Federal Information Systems Modernization Act (FISMA II) of 2014. 

 

Of special note, what had been the C&A process prior to the RMF is replaced by the assessment and authorization (A&A) process. A significant part of the shift from C&A to A&A is the expected shift from a compliance review and enforcement approach to a risk assessment and management approach. How well that change in philosophy from compliance to management is working is still up for grabs.

 

As a side comment, I was told several years ago that all knowledge required to pass the CAP exam is also an integral part of the RMF knowledge essential to passing the CISSP-ISSEP concentration exam. While I have not confirmed it personally, the advice was to take the CAP exam right after passing the CISSP-ISSEP exam.

 

 

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Newcomer I

Re: Don't be afraid of Government Regulations! Take the CAP!

Excellent suggestion, thank you!

Newcomer II

Re: Don't be afraid of Government Regulations! Take the CAP!

The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with an organization's mission and risk tolerance, while meeting legal and regulatory requirements.
