I passed my CAP exam today. I just wanted to say thank you for posting your insight on the test. I only had a week to study for the test and, like you said, I had a hard time finding study material. I followed your suggestions and studied the NIST documentation and watched a few YouTube videos, and that was enough for me.
I have been involved in RMF for 3 years now, so my experience played a large part in being able to absorb the material quickly. The only thing I would add to your great suggestions, for those looking to take the test, is to make sure to study Contingency Planning (NIST SP 800-34) and be familiar with some of the tools the SCAs use to assess information systems.
Koba, congratulations on passing the test!
Thank you for sharing your success with me. I am very happy that you found my suggestions helpful. I shared your post with a few colleagues of mine who are planning to take the exam this month. They found your success encouraging. Best of luck in your future endeavors!
I had a colleague take and pass the CAP exam last week. I asked him about his experience and thought I would provide an update.
As I suggested in the initial post on this thread, the primary document to study is NIST SP 800-37.
As my colleague pointed out, most of the questions are "situational", requiring you to use the knowledge from the NIST 800 series and think your way through the questions and answers.
The bottom line is this test is about the RMF system authorization process. That info is well documented in NIST 800-37; know that inside out and be prepared to think your way through the exam and you will do fine.
Please can you assist with the context of the questions for the exam? I have bought online a revision kit consisting of many questions concentrating on Risk Analysis with hardly any reference to the RMF and the roles involved: CIO, SISO, CISO, Information Owner etc. Other online revision sites have the same set of questions which makes me think that we are being duped.
It seems the questions are from the same source and they don't relate whatsoever to the CAP Book of Knowledge or the RMF and SDLC. Is there a source with more relevant questions?
Thanks in advance
I didn't find any prep questions. I studied as much of the NIST documentation as time would allow. I only took a week to study (I didn't have a choice), and being very familiar with the NIST documentation concerning RMF and the SDLC is what got me through. There were a few questions that were not straight from NIST, but that's where my experience as a security engineer and an SCA-V came into play. If you're already familiar with RMF, studying the documentation already mentioned in this thread should be more than enough. Hope this helps.
Many thanks for that. If I'm not mistaken, it's just the NIST 800 series, right? I think I'll just get onto that. As a last question, was there a lot of reference to DIACAP and NIACAP in there?
Of course, congrats first and well done! From a basic perspective, do you think it is worth going for the CAP if a person already has a CISSP? I understand they are focused on two different aspects, but wasn't sure if having a CISSP would "cover" someone, for lack of a better term, for the CAP certification.
My gut tells me they are two distinct certs with two different focuses, so going after both would not be a bad idea... thoughts?
The CAP and CISSP are very different credentials with different purposes. The CISSP is very broadly scoped, covering the full spectrum of information security. The CAP, on the other hand, is very narrow in its focus, dealing exclusively with the NIST Risk Management Framework and system authorization process. If you are currently working in US Federal systems or other government information security space, or are trying to break into that segment of the industry, the CAP can really help you stand out from the crowd.
If, however, you are working in other areas of the industry (commercial, healthcare, etc.) that do not use the NIST RMF or system authorization process, the CAP may have very limited applicability or "name recognition".
I will say that for my day-to-day activities, the CAP CBK has a more direct impact on my daily work than any other cert I currently hold.