Newcomer III

Don't be afraid of Government Regulations! Take the CAP!

Hello everyone! I just took and passed the Certified Authorization Professional exam. Learning about how the Reference Management Framework aligns with the Systems Development Life Cycle was a hoot! It's a good exam to take and one that's going to be really sought after as large companies and the Federal Govt decide how important it is to have security controls on your network. Ask me any question here and I will try to help!


Pat Hairston


17 Replies
Newcomer I

I'm studying now for the CAP. I basically printed the 100+ pages of NIST SP 800-37 and that's all I'm using. Is that enough?
Viewer II

Congratulations, please can you share some past questions?
Viewer III

If you're a Federal Government employee there is a CAP course you can take. It has a 50 question test at the end. The CAP CBK, if I remember right, has about 40 sample questions.


I took the CAP test yesterday and was trying to figure out how ISC2 was going to come up with 125 questions, since the CAP CBK domains are covered in less than 300 pages. I have to say I enjoy the ISC2 tests, at least the traditional tests (haven't had the pleasure of taking one of their adaptive tests yet), and think they do a great job of assessing knowledge. I'd like to see the CAP test become a requirement for all federal government ISSOs.

Newcomer I

Hi Pat,


You mentioned the Reference Mgmt Framework, and I have never heard of that. I thought the CAP was about applying RMF, the Risk Mgmt Framework. I am evaluating my interest in the CAP exam, and looking for study materials. Can you help?

Newcomer I

There aren't a lot of materials on CAP out there. NIST SP 800-37r1 is the most all-inclusive document for the CAP exam. You can supplement it with other NIST publications like FIPS 199 and 200, and SP 800-60, -18, -53, -53A and -137. Good luck!!
Defender I

@Stpn2me wrote:

Learning about how the Reference Management Framework aligns with the Systems Development Life Cycle was a hoot!

I believe you mean the Risk Management Framework, as described in NIST Special Publications (SP) 800-30, 800-37, 800-53, 800-53A, etc. 


A bit of (ISC)2 history: The CAP certification and exam grew out of a request from the U.S. State Department that (ISC)2 develop an exam to be sure information security specialists taking part in the certification & accreditation (C&A) of departmental information systems knew what they were doing. The C&A process was required by provisions in the Federal Information Systems Management Act of 2002 (FISMA).


While at one time there were various C&A processes in use across the U.S. government, a multi-agency Task Force led by NIST consolidated the process into the Risk Management Framework as we see it today. It has taken many years for each department or agency to convert to the RMF in accordance with the SPs listed above, but that work is moving forward. The process has also changed in response to the Federal Information Systems Modernization Act (FISMA II) of 2014. 


Of special note, what had been the C&A process prior to the RMF is replaced by the assessment and authorization (A&A) process. A significant part of the shift from C&A to A&A is the expected shift from a compliance review and enforcement approach to a risk assessment and management approach. How well that change in philosophy from compliance to management is working is still up for grabs.


As a side comment, I was told several years ago that all knowledge required to pass the CAP exam is also an integral part of the RMF knowledge essential to passing the CISSP-ISSEP concentration exam. While I have not confirmed it personally, the advice was to take the CAP exam right after passing the CISSP-ISSEP exam.



D. Cragin Shelton, DSc
Newcomer I

Excellent suggestion, thank you!

Newcomer II

The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with an organization's mission and risk tolerance, while meeting legal and regulatory requirements.