CAP Certification Exam

Prove Your Security Expertise Within the Risk Management Framework (RMF)

You’re constantly on the lookout for system risks and vulnerabilities. Take your commitment to security assessment and authorization to a new level with the CAP certification. This leading information security certification proves you’re an expert at aligning information systems with the Risk Management Framework (RMF).

The CAP certification covers the RMF extensively. And it’s the only certification under the DoD 8570 Mandate that aligns to each of the RMF steps.

The CAP shows you have the knowledge, skills and abilities to authorize and maintain information systems within the RMF. Specifically, it validates that you know how to formalize processes to assess risk and establish security documentation throughout the entire lifecycle of a system.

Start on the path to your CAP today.

1. Steps to Certification

1.1 Get the Needed Experience

To qualify for the CAP certification, you must have:

◈ A minimum of two years cumulative, paid, full-time work experience
◈ In one or more of the seven domains of the CAP Common Body of Knowledge (CBK)

Don’t have enough work experience yet? You can take and pass the CAP exam to earn an Associate of (ISC)² designation. Then, you’ll have up to three years to earn your required work experience for the CAP.

1.2 Create an Account at Pearson VUE and Schedule Your Exam

To schedule an exam, you must create an account at Pearson VUE.

Pearson VUE is the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Once you’ve set up your account and are ready to register, you’ll need to:

◈ Complete the Examination Agreement. You attest to the truth of your assertions regarding professional experience. You also legally commit to adhere to the (ISC)² Code of Ethics.
◈ Review the Candidate Background Questions.
◈ Pay the exam fee.

1.3 Pass the Exam

This is the day to show your greatness! You’ll have three hours to complete the 125 exam questions.

You must pass the exam with a scaled score of 700 points or greater.

1.4 Subscribe to the (ISC)² Code of Ethics and Get Endorsed

Let’s say you pass the exam. Then what?

Before this cybersecurity certification can be awarded, you have to:

◈ Subscribe to the (ISC)² Code of Ethics.
◈ Have your application endorsed.

Your endorsement form must be completed and signed by an (ISC)² certified professional. He or she needs to be an active member who can confirm your professional experience.

(ISC)² can endorse you if you can’t find a certified individual.

You have nine months from the date of the exam to complete these steps. If you don’t, you have to retake the exam to get certified.

2. Why Become a CAP

Whether you’re in DoD cybersecurity or you protect a private company, there are a number of reasons to earn your CAP certification:

◈ Credibility and marketability. Earning the CAP is a powerful way to validate your knowledge. It shows you thoroughly understand information security and risk management processes and procedures. You’ll stand out and be more competitive.
◈ Better opportunities. Holding the CAP certification makes you more versatile. It can help you move up and advance your career. If you’re a contractor, it can lead to better choice in assignments.
◈ Growth and learning. From exam prep to continuing education, the CAP offers many ways to expand your knowledge. You can stay up-to-date with new technologies and risks.
◈ Increased compensation. While pay practices vary, many CAPs find that this certification leads to increases in salary.

What the Industry Is Saying About the CAP

◈ Listed on the Certification Salary Survey 75 list with an annual salary of USD$124,610 in 2016 — Certification Magazine

The CAP is ANSI-Accredited

The CAP certification is accredited by the American National Standards Institute (ANSI). This means it complies with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 17024 Standards. Why is accreditation important when choosing a certification program? Visit the Institute for Credentialing Excellence website for details.

3. Should You Pursue the CAP

The CAP is ideal for IT, information security and information assurance practitioners and contractors who use the RMF in:

◈ The U.S. federal government, such as the U.S. Department of State or the Department of Defense (DoD)
◈ The military
◈ Civilian roles, such as federal contractors
◈ Local governments
◈ Private sector organizations

Earning your CAP is an excellent step if you need to:

◈ Understand the RMF process in detail — including how to apply it in your organization. Or, you need to fill gaps in your knowledge. No other certification is as comprehensive!
◈ Validate your knowledge, so you can move up within your organization or get better choices in projects.
◈ Meet your organization’s information security certification requirements. For example, you’re moving to a new position that has DoD cybersecurity mandates.
◈ Keep your knowledge fresh about new technologies and threats.

Many who pursue the CAP are:

◈ ISSOs, ISSMs and other infosec/information assurance practitioners who are focused on security assessment and authorization (traditional C&A) and continuous monitoring issues.
◈ Executives who must "sign off" on Authority to Operate (ATO).
◈ Inspectors general (IGs) and auditors who perform independent reviews.
◈ Program managers who develop or maintain IT systems.
◈ IT professionals interested in improving cybersecurity and learning more about the importance of lifecycle cybersecurity risk management.

4. Mastering the Domains on the Exam

The CAP exam tests your skills in seven domains. Think of the domains as specific knowledge areas you need to know based on your experience and education.

The domains draw from a range of information security topics within the (ISC)² Common Body of Knowledge (CBK).

Here’s a closer look at the CAP domains and how they’re weighted on the exam:

Domain: Weight
1. Risk Management Framework (RMF): 20%
2. Categorization of Information Systems: 8%
3. Selection of Security Controls: 13%
4. Security Control Implementation: 10%
5. Security Control Assessment: 19%
6. Information System Authorization: 13%
7. Monitoring of Security Controls: 17%
Total: 100%

Risk Management Framework (RMF)

◈ Describe the RMF
◈ Describe and distinguish between the RMF steps
◈ Identify roles and define responsibilities
◈ Understand and describe how the RMF process relates to the organizational structure
◈ Understand the relationship between the RMF and System Development Life Cycle (SDLC)
◈ Understand legal, regulatory and other security requirements

Categorization of Information Systems

◈ Categorize the system
◈ Describe the information system (including the security authorization boundaries)
◈ Register the system

Selection of Security Controls

◈ Identify and document (inheritable) controls
◈ Select, tailor and document security controls
◈ Develop security control monitoring strategy
◈ Review and approve security plan

Security Control Implementation

◈ Implement selected security controls
◈ Document security control implementation

Security Control Assessment

◈ Prepare for security control assessment
◈ Develop security control assessment plan
◈ Assess security control effectiveness
◈ Develop initial security assessment report (SAR)
◈ Review interim SAR and perform initial remediation actions
◈ Develop final SAR and optional addendum

Information System Authorization 

◈ Develop plan of action and milestones (POAM) (e.g., resources, schedule, requirements)
◈ Assemble security authorization package
◈ Determine risk
◈ Determine the acceptability of risk
◈ Obtain security authorization decision

Monitoring of Security Controls

◈ Determine security impact of changes to system and environment
◈ Perform ongoing security control assessments (e.g., continuous monitoring, internal and external assessments)
◈ Conduct ongoing remediation actions (resulting from incidents, vulnerability scans, audits, vendor updates, etc.)
◈ Update key documentation (e.g., SP, SAR, POAM)
◈ Perform periodic security status reporting
◈ Perform ongoing risk determination and acceptance
◈ Decommission and remove system


5. Getting CAP Training That’s Right for You

Prepare for your CAP exam through a combination of training courses and individual study. And learn from (ISC)², the creator of the CAP CBK!

Simply choose the best training format for your schedule, needs and learning style.

In-Person Training Seminars

Classroom-Based Training

◈ Ideal for hands-on learners. The most thorough review of the CAP CBK, industry concepts and best practices.
◈ Five-day training events delivered in a classroom setting. Eight hours a day.
◈ Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
◈ Led by authorized instructors.

Get details on Classroom-Based Training.

Private On-Site Training

◈ A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
◈ Tailored to your team’s schedule, budget and certification requirements.
◈ Conveniently taught in your office space or a local venue.
◈ Led by authorized instructors.

Get details on Private On-Site Training.

Online Training Seminars

Instructor-Led Training

◈ Participate from the convenience of your computer. This saves you travel time and expense.
◈ Weekday, weekend and evening options to fit your busy schedule. 
◈ Comprehensive review of the CBK, so you’re ready for this software security certification. 
◈ Led by authorized instructors.

CAP Training Course Overview

Our training helps you fully prepare for this cybersecurity certification. You will:

◈ Review, refresh and expand your knowledge.
◈ Identify areas you need to study for the CAP exam.

You can expect an in-depth review of the seven domains of the CAP CBK — including discussion of industry best practices and timely security concepts.

(ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

Self-Study Tools

In addition to training, we offer resources to help you with self-study. Our resources include the:

6. Taking Your CAP Exam

Length of exam: Up to 3 hours
Number of questions: 125 questions
Question format: Multiple choice
Passing grade: A passing score is 700 out of 1000 points
Exam language: English
Testing center: Pearson VUE Testing Center

7. Maintaining or Regaining CAP Certification

Once you’ve earned this RMF certification, you become a member of (ISC)². You enter one of the largest communities of information security professionals in the world. You gain access to unparalleled global resources and networking.

Quite simply, you have endless opportunities to grow and refine your craft.

But certification is a privilege that must be earned and maintained.

To remain in good standing with your CAP, you need to:

◈ Abide by the (ISC)² Code of Ethics.
◈ Earn and post Continuing Professional Education (CPE) credits.
◈ Pay your Annual Maintenance Fee (AMF).

Here’s a closer look at each.

Abiding by the (ISC)² Code of Ethics
You agree to fully support and follow the (ISC)² Code of Ethics.

Earning and Posting CPE Credits
Cybersecurity is constantly changing. (You know this well!) You need to earn CPE hours to stay well-rounded and keep up your expertise.

For the CAP, you need to earn and post a minimum of 20 CPE credits per year. You need to do so before your certification annual anniversary date.

CPEs may sound like a big task. However, (ISC)² makes it easy for you to earn your CPE credits on a regular basis.

We offer access to:

◈ Live educational events around the world.
◈ Online seminars that can be taken in the comfort of your home or office. They’re available exclusively to (ISC)² members.
◈ And many more learning opportunities.

Paying Annual Maintenance Fees (AMFs)
Once you earn this RMF certification, you must pay USD$65 each year of your three-year certification cycle. Your payment is due before your certification or recertification annual anniversary date.

Your payments help ensure that (ISC)² has the financial resources to:

◈ Be a functional, dynamic entity for leading information security and IT professionals (like you) far into the future.
◈ Develop more CPE opportunities.
◈ Continue to meet the certification needs and requirements of information security professionals.
◈ Maintain member records.

How to Regain Membership if Your CAP Ends

If you wish to regain membership, you’ll need to:

◈ Pay any outstanding AMF payments. (This needs to take place before you sit for the exam.)
◈ Retake and pass the exam to become certified again.
◈ Contact Member Services to reactivate your certification after you pass the exam.
