StevenJ6052
Newcomer III

Passed the CAP Exam This Morning: My Thoughts

To provide some background, I have been an IT program manager for the past fourteen years. Having been certified as an MCSE (NT 4.0 and Win2K) and CCNA earlier in my career, I let both certs lapse as they were no longer directly relevant to my career. I also picked up the PMP several years ago, which I continue to maintain.

During the past couple of years I have developed a strong affinity for Risk Management, especially with regard to the IT security program I manage. Having passed the CISSP in early 2017, I decided that the CAP, with its focus on the NIST Risk Management Framework, would be a good next step.

 

Unlike the CISSP (or any other exam I have taken), there is very little in the way of published study guides and virtually no practice test banks that I found useful. I rented the "Official (ISC)2 Guide to the CAP CBK" 2nd edition and read it in its entirety, but honestly found the freely available NIST 800 series (800-39, 800-37, 800-30, 800-53 & 53A, etc.) as well as FIPS 199 & 200 to be the best sources of information. In addition, I found a few very good lectures on the NIST RMF provided by NIST on YouTube.

As for the exam, it consists of 125 questions and you are permitted three hours to finish. A sage piece of advice that I was given for the CISSP, "you need to think your way through the test", is equally applicable to the CAP. All 125 questions are multiple choice with only one answer. That said, many were of the "best out of four poor choices" variety. Like the CISSP, this is very much a management-level exam, albeit with a much narrower focus. Unlike the CISSP, there were no false "technical" answers to tempt you.

 

The best advice I can give anybody looking to take on the CAP is to be very familiar with the NIST Risk Management Framework and how it maps to the System Development Lifecycle. Roles & Responsibilities as well as vocabulary are critically important as well. Always remember that "plans" happen before "reports", and it is "reports" that contain information on your implementation. When given a choice between multiple more or less correct answers, choose the one that is the most "all encompassing". For example, if you are having trouble deciding between "Threat Sources" and "Vulnerabilities", choose "Risk Factors", as threat sources and vulnerabilities are both risk factors. When in doubt about who a responsibility belongs to, it is probably the "System Owner".

This post probably adds another 25% to the total amount of direct feedback I was able to find online about this exam, but I must say that of all the exams I have taken, this one has the most direct applicability to my daily on-the-job responsibilities.

Should you decide to tackle the CAP, good luck, and I hope this information is helpful!

78 Replies
SilvanaRN
Viewer II

Hi Steven,
Your comments were very useful.
I'm an account manager working with cybersecurity, and I'm looking to improve my knowledge so I can have more relevant and deeper conversations with my customers. If I become good at it, I may consider changing my career.
I thought of the CAP as my first step. What do you think? Is it a good start? How long did you spend studying before getting this certification?
litchko
Newcomer I

Thank you for these insights. I have several questions:

Were there any questions on DoD RMF? Cybersecurity Framework? FISMA? Past CAP Candidate Information Bulletin (CIB) OMB, CNSS and DHS references? Or were the questions only related to the NIST Special Publications and FIPS publications identified on the ISC2 site in September of 2018?

Were acronyms used, or were all spelled out?

Were there any questions that used only the form "SP800-37" and "OMB M-02-01"?

Thank you very much.  I look forward to your answers.  Jim

tingrum
Viewer II

Needing to know if the CAP cert covers the most recent 2018 NIST 800-37 Rev 2 that was released in December.

tingrum
Viewer II

Which revision of 800-37, 1 or 2 (just released Dec 2018)? There are a lot of differences.

litchko
Newcomer I

Currently, people who have taken the test recently have only had Rev 1 questions. It takes 6-8 months to validate new questions by a third-party group before they count, so with Rev 2 having been released in Dec 2018, I would guess that any questions on Rev 2 will not count for the final score until July 2019.

bobby1
Viewer II

Steven,

Do you still have the flash cards you created to study for the CAP?

bizzle09
Newcomer I

Congratulations. Is the current CAP exam based on NIST 800-37 Rev 1 or NIST 800-37 Rev 2?
bizzle09
Newcomer I

I was asking the same thing. I have a friend who called and was told to prepare with both materials. Well, that is really confusing. The reason is that if the question is asking for a particular RMF step, these steps are totally different between the two revisions. Categorization, for example, is Step 2 in Rev 2 but Step 1 in Rev 1. If you have a question that asks what step Categorization is, for example, and you have both Step 1 and Step 2 as options, how do you know what the correct answer is if you don't know what version of the RMF is being tested? Please, if anyone has this information. Thanks.
kofi
Newcomer II

Hi Stevenj6052,

Thank you immensely for sharing your thoughts on the exams.

1. Can you please provide the complete list of the NIST 800 series docs needed for the exams? I took a brief look at some of the NIST 800 series you made mention of in your post and I found out that some of the publications are very dense. Should I read and know every bit of it?

2. I am planning on making flash cards; what should I pay particular attention to for the flash cards?

Thanks once again.

Kofi

kofi
Newcomer II

Hi Pat,

What resources did you use besides the CBK book?

Thanks,

Kofi