
Official (ISC)²® CBK Training Seminars for the CAP®

CAP Training Straight from the Source

Prepared by CAP credential holders and conducted by (ISC)² Authorized Instructors, each of whom is an expert in the CAP CBK (Common Body of Knowledge), the (ISC)² CAP CBK Training Seminar is the most comprehensive review of information systems security concepts and industry best practices, and the only training endorsed by (ISC)².

CAP Course Description

The Certified Authorization Professional (CAP) course is designed for the information security practitioner who champions system security commensurate with an organization's mission and risk tolerance, while meeting legal and regulatory requirements. The CAP certification course conceptually mirrors the NIST system authorization process in compliance with the Office of Management and Budget (OMB) Circular A-130, Appendix III. This 5-day program consists of seven domains. The modular format organizes and chunks information to aid learning retention as participants are guided through the CAP course materials. Each module/domain includes one or more of the following design approaches to support knowledge retention and transfer:

  • Presentation - The facilitator explains content to participants using PowerPoint to guide the presentation. Multiple examples are used to clarify points.
  • Short Lecture/Discussion - The facilitator engages participants in conversation by asking questions and encouraging them to respond. Participants are encouraged to provide examples from their experience.
  • Group Activity - Participants work in small teams of three or four. The facilitator debriefs the entire class at the end of the activity.
  • Individual Activity - Individuals work on their own to complete an action plan, worksheet, or evaluation.

Course Objectives

Completing this workshop will:

  • Provide the learner with the background information related to how the federal Risk Management Framework (RMF) was developed, the expectations set by Congress and OMB, as well as the manner in which the RMF integrates with other information and business processes.
  • Provide the learner with the specific requirements and processes required to appropriately categorize an information system, including the federal mandates, requisite inputs, tasks, and related processes.
  • Provide the learner with the specific requirements and processes required to appropriately select security controls for an information system, including the federal mandates, requisite inputs, tasks, and related processes.
  • Provide the learner with the specific requirements and processes required to implement security controls for an information system, including the federal mandates, requisite inputs, tasks, and related processes.
  • Provide the learner with the specific requirements and processes required to appropriately assess the security controls for an information system, including the federal mandates, requisite inputs, tasks, and related processes.
  • Provide the learner with the specific requirements and processes required to appropriately authorize an information system, including the federal mandates, requisite inputs, tasks, and related processes.
  • Provide the learner with the specific requirements and processes required to conduct continuous monitoring of an information system, including the federal mandates, requisite inputs, tasks, and related processes. This includes the two primary objectives of near real-time risk management and ongoing security authorization.

Course Outline

Domain 1 - Describe the Risk Management Framework (RMF)

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: Historical and Current Perspective of Authorization
  • Module 4: Introducing the Example Systems
  • Module 5: Introduction to the Risk Management Framework (RMF)
  • Module 6: The RMF Roles and Responsibilities
  • Module 7: The RMF Relationship to Other Processes
  • Module 8: Example System Considerations
  • Module 9: End of Domain Review and Questions

Domain 2 - RMF Step 1: Categorize Information Systems

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 1 - Roles and Responsibilities
  • Module 4: Preparing to Categorize an Information System
  • Module 5: Categorize the Information System
  • Module 6: Categorizing the Example System
  • Module 7: Describe the Information System and Authorization Boundary
  • Module 8: Register the Information System
  • Module 9: RMF Step 1 Milestones, Key Activities and Dependencies
  • Module 10: End of Domain Review and Questions

Domain 3 - RMF Step 2: Select Security Controls

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 2 - Roles and Responsibilities
  • Module 4: Understanding FIPS 200
  • Module 5: Introducing SP 800-53
  • Module 6: The Fundamentals
  • Module 7: The Process
  • Module 8: Appendix D - Security Control Baselines
  • Module 9: Appendix E - Assurance and Trustworthiness
  • Module 10: Appendix F - Security Control Catalog
  • Module 11: Appendix G - Information Security Programs
  • Module 12: Appendix H - International Information Security Standards
  • Module 13: Appendix I - Overlay Template
  • Module 14: Appendix J - Privacy Control Catalog
  • Module 15: Identify and Document Common (Inherited) Controls
  • Module 16: System Specific Security Controls
  • Module 17: Continuous Monitoring Strategy
  • Module 18: Review and Approve Security Plan
  • Module 19: RMF Step 2 Milestone Checkpoint
  • Module 20: Example Information Systems
  • Module 21: End of Domain Review and Questions

Domain 4 - RMF Step 3: Implement Security Controls

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 3 - Roles and Responsibilities
  • Module 4: Implement Selected Security Controls
  • Module 5: Contingency Planning
  • Module 6: Configuration, Patch and Vulnerability Management
  • Module 7: Firewalls and Firewall Policy Controls
  • Module 8: Interconnecting Information Technology Systems
  • Module 9: Computer Security Incident Handling
  • Module 10: Security Awareness and Training
  • Module 11: Security Considerations in the SDLC
  • Module 12: Malware Incident Prevention and Handling
  • Module 13: Computer Security Log Management
  • Module 14: Protecting Confidentiality of Personally Identifiable Information
  • Module 15: Continuous Monitoring
  • Module 16: Security Control Implementation
  • Module 17: Document Security Control Implementation
  • Module 18: RMF Step 3 Milestone Checkpoint
  • Module 19: End of Domain Review and Questions

Domain 5 - RMF Step 4: Assess Security Controls

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 4 - Roles and Responsibilities
  • Module 4: Understanding SP 800-115
  • Module 5: Understanding SP 800-53A
  • Module 6: Prepare for Security Control Assessment
  • Module 7: Develop Security Control Assessment Plan
  • Module 8: Assess Security Control Effectiveness
  • Module 9: Develop Initial Security Assessment Report (SAR)
  • Module 10: Review Interim SAR and Perform Initial Remediation Actions
  • Module 11: Develop Final SAR and Optional Addendums
  • Module 12: RMF Step 4 Milestone Checkpoint
  • Module 13: End of Domain Review and Questions

Domain 6 - RMF Step 5: Authorize Information System

  • Module 1: Domain Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 5 - Roles and Responsibilities
  • Module 4: Develop Plan of Action and Milestones (POAM)
  • Module 5: Assemble Security Authorization Package
  • Module 6: Determine Risk
  • Module 7: Determine the Acceptability of Risk
  • Module 8: Obtain Security Authorization Decision
  • Module 9: RMF Step 5 Milestone Checkpoint
  • Module 10: End of Domain Review and Questions

Domain 7 - RMF Step 6: Monitor Security Controls

  • Module 1: Introduction
  • Module 2: Domain Terminology and References
  • Module 3: RMF Step 6 - Roles and Responsibilities
  • Module 4: Understanding SP 800-137
  • Module 5: Determine Security Impact of Changes to System and Environment
  • Module 6: Perform Ongoing Security Control Assessment
  • Module 7: Conduct Ongoing Remediation Actions
  • Module 8: Update Key Documentation
  • Module 9: Perform Periodic Security Status Reporting
  • Module 10: Perform Ongoing Determination and Acceptance
  • Module 11: Decommission and Remove System
  • Module 12: RMF Step 6 Milestone Checkpoint
  • Module 13: End of Domain Review and Questions

Types of Activities

The CAP training course is divided into multiple topic levels. Each level identifies a specific agenda and learning objectives. Each chapter matches a domain title identified in the CIB. Within each chapter are modules, and within modules are agendas. Each successive level identifies a more granular objective that supports the overall objectives.

Several types of activities are used throughout the course to reinforce topics and increase knowledge retention. These activities include open-ended questions from the instructor to the students, group assignments, matching and poll questions, group activities, open/closed questions, and group discussions. Each activity was developed to support the learning appropriate to the course topic.

Who should attend?

The course is intended for students who have at least one full year of experience using the federal Risk Management Framework (RMF) or comparable experience gained from the ongoing management of information system authorizations, such as ISO 27001.

The Certified Authorization Professional (CAP) certification is an objective measure of the knowledge, skills, and abilities required for personnel involved in the process of authorizing and maintaining information systems. Specifically, this credential applies to those responsible for formalizing processes used to assess risk and establish security requirements and documentation. Their decisions will ensure that information systems possess security commensurate with the level of exposure to potential risk and damage to assets or individuals.

The CAP credential is appropriate for commercial markets, civilian and local governments, and the U.S. Federal government, including the State Department and the Department of Defense (DoD). See CAP and DoD 8570. Job functions such as authorization officials, system owners, information owners, information system security officers, certifiers, and senior system managers are great fits as CAPs.

The ideal candidate should have the following experience, skills, or knowledge in:

  • IT security
  • Information assurance
  • Information risk management
  • Certification
  • Systems administration
  • One to two years of general technical experience
  • Two years of general systems experience
  • One to two years of database/systems development/network experience
  • Information security policy
  • Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
  • Strong familiarity with NIST documentation

What can I take back to the workplace?

Each chapter/module/agenda is derived from the CAP CBK and updated by the results of the Job Task Analysis (JTA). The JTA topics are developed by a small group of subject matter experts (SMEs) who have a number of years of experience and are representative of various geographic regions, ethnicities, and practice settings. The entire membership group of the credential holders is asked to validate the survey based on their current day-to-day tasks. All topics covered during the class are literally the same tasks performed by current CAP credential holders.

After completing this course, the participant will be able to:

  • Describe the historical legal and business considerations that required the development of the RMF, including related mandates
  • Identify key terminology and associated definitions
  • Describe the Risk Management Framework components, including the starting point inputs (architectural description and organization inputs)
  • Describe the core roles defined by the RMF, including primary responsibilities and supporting roles for each RMF step
  • Describe the core federal statutes, OMB directives, information processing standards (FIPS) and Special Publications (SP), and Department of Defense and Intelligence Community instructions that form the legal mandates and supporting guidance required to implement the RMF
  • Identify and understand the related processes integrated with the RMF
  • Identify key references related to RMF Step 1 - Categorize
  • Identify the roles, requirements, and processes to register an information system
  • Identify key references related to RMF Step 2 - Select
  • Identify requisites for establishing information system security controls
  • Identify key references related to RMF Step 3 - Implement
  • Identify key references related to RMF Step 4 - Assess
  • Identify key references related to RMF Step 5 - Authorize
  • Identify the roles, requirements and processes associated with conducting remediation and completing the final security assessment report
  • Identify key references related to RMF Step 6 - Authorize
  • Identify the roles, requirements, and processes associated with preparing the plan of action and milestones (POA&M) for an information system
  • Identify key references related to RMF Step 7 - Monitor
  • Identify the roles, requirements and processes to formally dispose of an information system
Official (ISC)² CBK Training Seminars for the CAP are offered in three convenient formats:

  • Classroom-Based Training
  • Live OnLine Training
  • Private, On-Site Training


Need help deciding which training option is right for you? Email (ISC)² Education or call +1.866.462.4777.

Get CAP Practice Exam Questions On-the-Go: download the app for your iPhone.