Just wanted to clarify something because based on what I’ve seen in online video tutorial chats and posts in various discussion forums regarding the new RMF, resulting from NIST SP 800-37 Rev 2 and 800-53 Rev 5, people seem to think that the “Prepare Step” in official NIST pubs is the same as “Domain 1” in the new CAP course outline. They are not. However, the subsequent steps in either of these outlines are generally a reflection of each other (e.g. Categorization to Monitoring/Continuous Monitoring). Both the new CAP outline for 2021 and 800-37 Rev 2 have seven total steps for RMF; however, NIST calls the first step “Prepare” while CAP uses “Information Security Risk Management Program”.
In 800-37 Rev 2, the Prepare Step is broken down into two sections with numerous tasks:
1. Organization Level (7 tasks/outcomes, P-1 to P-7)
2. System Level (11 tasks/outcomes, P-8 to P-18)
The new CAP outline’s “Information Security Risk Management Program” step is broken down into three sections:
1.1 Understand the foundation of an organization’s information security risk management program
1.2 Understand risk management program processes
1.3 Understand regulatory and legal requirements
As you can see above, they are not the same.
*For the following step, NIST SP 800-37 Rev 2 still uses “Categorize”. CAP renamed this step to “Scope”, though it is still the same concept, as scoping and categorization of the information system are used in either case.
*Categorization, Selection, Implementation Steps – Generally the same for both CAP and 800-37 Rev 2.
*Assessment Step – Mostly the same, but CAP uses “Assessment and Audit Reports” as the terms replacing “Security Assessment Reports (SAR)”. 800-37 Rev 2 uses “Security and Privacy Assessment Reports”. In addition, 800-37 Rev 2 includes completion of the POAM which is not stated in the CAP outline for this step.
*Monitor Step – Mostly the same, but CAP incorporates Supply Chain Risk monitoring and revising the monitoring process as a whole as necessary due to environmental, legal/regulatory, supply chain, and security/privacy procedural updates.
Thank you and good luck to those taking the new CAP exam which becomes effective later in the year.
Good, bad, or indifferent, the CAP has predominantly become a knowledge test of the NIST RMF process. I like the inclusion of Information Security Risk Management to get back to testing basic risk principles.
Correct. But even though the CAP outline (or any exam outline) may define a summary of what an upcoming exam could entail, I personally would study both initial steps, both meaning the Prepare step as defined in 800-37 Rev 2 and the Info Security Risk Management Program step as defined in the CAP exam outline.
Again, both of the above steps are the "initial" steps of the seven steps (or domains). The rest of the six domains are more or less the same, and it's important, in my opinion, to know those differences as well.