To provide some background, I have been an IT program manager for the past fourteen years. Having been certified as an MCSE (NT 4.0 and Win2K) and CCNA earlier in my career, I let both certs lapse as they were no longer directly relevant for my career. I also picked up the PMP several years ago, which I continue to maintain.
During the past couple of years I have developed a strong affinity for Risk Management, especially with regard to the IT security program I manage. Having passed the CISSP in early 2017, I decided the CAP, with its focus on the NIST Risk Management Framework, would be a good next step.
Unlike the CISSP (or any other exam I have taken) there is very little in the way of published study guides and virtually no practice test banks that I found useful. I rented the "Official (ISC)2 Guide to the CAP CBK" 2nd edition and read it in its entirety, but honestly found the freely available NIST 800 series (800-39, 800-37, 800-30, 800-53 & 53A, etc.) as well as FIPS 199 & 200 to be the best source of information. In addition, I found a few very good lectures on the NIST RMF provided by NIST on YouTube.
As for the exam, it consists of 125 questions and you are permitted three hours to finish. A sage piece of advice that I was given for the CISSP, "you need to think your way through the test", is equally applicable to the CAP. All 125 questions were multiple choice with only one answer. That said, many were of the "best out of four poor choices" variety. Like the CISSP, this is very much a management level exam, albeit with a much narrower focus. Unlike the CISSP, there were no false "technical" answers to tempt you.
The best advice I can give anybody looking to take on the CAP is to be very familiar with the NIST Risk Management Framework and how it maps to the System Development Lifecycle. Roles & Responsibilities as well as vocabulary are critically important as well. Always remember that "plans" happen before "reports", and it is "Reports" that contain information on your implementation. When given a choice between multiple more or less correct answers, choose the one that is the most "all-encompassing". For example, if you are having trouble deciding between "Threat Sources" and "Vulnerabilities", choose "Risk Factors", as threat sources and vulnerabilities are both risk factors. When in doubt about who the responsibility belongs to, it is probably the "System Owner".
This post probably adds another 25% to the total amount of direct feedback I was able to find online about this exam, but I must say of all the exams I have taken, this one has the most direct applicability to my daily on-the-job responsibilities.
Should you decide to tackle the CAP, good luck, and I hope this information is helpful!
I passed my CAP exam today. I just wanted to say thank you for posting your insight on the test. I only had a week to study for the test and, like you said, I had a hard time finding study material. I followed your suggestions and studied the NIST documentation and watched a few YouTube videos, and that was enough for me.
I have been involved in RMF for 3 years now, so my experience played a large part in being able to absorb the material quickly. The only thing I would add to your great suggestions for those looking to take the test is to make sure to study Contingency Planning (NIST SP 800-34) and be familiar with some of the tools the SCAs use to assess information systems.
Koba, congratulations on passing the test!
Thank you for sharing your success with me. I am very happy that you found my suggestions helpful. I shared your post with a few colleagues of mine who are planning to take the exam this month. They found your success encouraging. Best of luck in your future endeavors!
I had a colleague take and pass the CAP exam last week. I asked him about his experience and thought I would provide an update.
As I suggested in the initial post on this thread, the primary document to study is NIST SP 800-37.
As my colleague pointed out, most of the questions are "situational", requiring you to use the knowledge from the NIST 800 series and think your way through the questions and answers.
The bottom line is this test is about the RMF system authorization process. That info is well documented in NIST SP 800-37; know that inside out and be prepared to think your way through the exam and you will do fine.
Please can you assist with the context of the questions for the exam? I have bought online a revision kit consisting of many questions concentrating on Risk Analysis with hardly any reference to the RMF and the roles involved: CIO, SISO, CISO, Information Owner etc. Other online revision sites have the same set of questions which makes me think that we are being duped.
It seems the questions are from the same source and they don't relate whatsoever to the CAP Book of Knowledge or the RMF and SDLC. Is there a source with more relevant questions?
Thanks in advance
I didn't find any prep questions. I studied as much of the NIST documentation as time would allow. I only took a week to study (I didn't have a choice), and being very familiar with the NIST documentation concerning RMF and the SDLC is what got me through. There were a few questions that were not straight from NIST, but that's where my experience as a security engineer and an SCA-V came into play. If you're already familiar with RMF, studying the documentation already mentioned in this thread should be more than enough. Hope this helps.
Many thanks for that. If I'm not mistaken it's just the NIST 800 series, right? I think I'll just get onto that. As a last question, was there a lot of reference to DIACAP and NIACAP in there?
Of course, congrats first and well done! From a basic perspective, do you think it is worth going for the CAP if a person already has a CISSP? I understand they are focused on two different aspects, but wasn't sure if having a CISSP would "cover" someone, for lack of a better term, for the CAP certification.
My gut tells me they are two distinct certs with two different focuses, so going after both would not be a bad idea... thoughts?
The CAP and CISSP are very different credentials with different purposes. The CISSP is very broadly scoped, covering the full spectrum of information security. The CAP, on the other hand, is very narrow in its focus, dealing exclusively in the NIST Risk Management Framework and system authorization process. If you are currently working in US Federal systems or other government information security space, or are trying to break into that segment of the industry, the CAP can really help you stand out from the crowd.
If, however, you are working in other areas of the industry (commercial, healthcare, etc.) that do not use the NIST RMF or system authorization process, the CAP may have very limited applicability or "name recognition".
I will say that for my day to day activities, the CAP CBK has a more direct impact on my daily activities than any other cert I currently hold.