
Certified Authorization Professional

 

Prove Your Security Expertise Within the Risk Management Framework (RMF)

You’re constantly on the lookout for system risks and vulnerabilities. Take your commitment to security assessment and authorization to a new level with the CAP certification. This leading information security certification proves you’re an expert aligning information systems with the Risk Management Framework (RMF).

The CAP certification covers the RMF at an extensive level. And it’s the only certification under the DoD 8570 Mandate that aligns to each of the RMF steps.

The CAP shows you have the knowledge, skills and abilities to authorize and maintain information systems within the RMF. Specifically, it validates that you know how to formalize processes to assess risk and establish security documentation throughout the entire lifecycle of a system.

Start on the path to your CAP today.

Steps to Certification


Get the Needed Experience

To qualify for the CAP certification, you must have:

  • A minimum of two years cumulative, paid, full-time work experience in one or more of the seven domains of the CAP Common Body of Knowledge (CBK)

Don’t have enough work experience yet? You can take and pass the CAP exam to earn an Associate of (ISC)² designation. Then, you’ll have up to three years to earn your required work experience for the CAP.

Create an Account at Pearson VUE and Schedule Your Exam

To schedule an exam, you must create an account at Pearson VUE.

Pearson VUE is the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Once you’ve set up your account and are ready to register, you’ll need to:

Pass the Exam

This is the day to show your greatness! You’ll have three hours to complete the 125 exam questions.

You must pass the exam with a scaled score of 700 points or greater.

Want more details? Read our exam scoring FAQs.

Subscribe to the (ISC)² Code of Ethics and Get Endorsed

Let’s say you pass the exam. Then what?

Before this cybersecurity certification can be awarded, you have to:

  • Subscribe to the (ISC)² Code of Ethics.
  • Have your application endorsed.

Your endorsement form must be completed and signed by an (ISC)² certified professional. He or she needs to be an active member who can confirm your professional experience.

(ISC)² can endorse you if you can’t find a certified individual.

You have nine months from the date of the exam to complete these steps. If you don’t, you have to retake the exam to get certified.

Want to learn more? Read our endorsement assistance guidelines.

Get to Know the CAP

  • Why Become a CAP

    Whether you’re in DoD cybersecurity or you protect a private company, there are a number of reasons to earn your CAP certification:

    • Credibility and marketability. Earning the CAP is a powerful way to validate your knowledge. It shows you thoroughly understand information security and risk management processes and procedures. You’ll stand out and be more competitive.
    • Better opportunities. Holding the CAP certification makes you more versatile. It can help you move up and advance your career. If you’re a contractor, it can lead to better choice in assignments.
    • Growth and learning. From exam prep to continuing education, the CAP offers many ways to expand your knowledge. You can stay up-to-date with new technologies and risks.
    • Increased compensation. While pay practices vary, many CAPs find that this certification leads to increases in salary.

    What the Industry Is Saying About the CAP

    The CAP is ANSI-Accredited
    The CAP certification is accredited by the American National Standards Institute (ANSI). This means it complies with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 17024 Standards. Why is accreditation important when choosing a certification program? Visit the Institute for Credentialing Excellence website for details.

  • Should You Pursue the CAP

    The CAP is ideal for IT, information security and information assurance practitioners and contractors who use the RMF in:

    • The U.S. federal government, such as the U.S. Department of State or the Department of Defense (DoD)
    • The military
    • Civilian roles, such as federal contractors
    • Local governments
    • Private sector organizations

    Earning your CAP is an excellent step if you need to:

    • Understand the RMF process in detail — including how to apply it in your organization. Or, you need to fill gaps in your knowledge. No other certification is as comprehensive!
    • Validate your knowledge, so you can move up within your organization or get better choices in projects.
    • Meet your organization’s information security certification requirements. For example, you’re moving to a new position that has DoD cybersecurity mandates.
    • Keep your knowledge fresh about new technologies and threats.

    Many who pursue the CAP are:

    • ISSOs, ISSMs and other infosec/information assurance practitioners who are focused on security assessment and authorization (traditional C&A) and continuous monitoring issues.
    • Executives who must "sign off" on Authority to Operate (ATO).
    • Inspectors general (IGs) and auditors who perform independent reviews.
    • Program managers who develop or maintain IT systems.
    • IT professionals interested in improving cybersecurity and learning more about the importance of lifecycle cybersecurity risk management.

  • Mastering the Domains on the Exam

    The CAP exam tests your skills in seven domains. Think of the domains as specific knowledge areas you need to know based on your experience and education.

    The domains draw from a range of information security topics within the (ISC)² Common Body of Knowledge (CBK).

    Here’s a closer look at the CAP domains and how they’re weighted on the exam:

    Domain                                        Weight
    1. Risk Management Framework (RMF)            20%
    2. Categorization of Information Systems       8%
    3. Selection of Security Controls             13%
    4. Security Control Implementation            10%
    5. Security Control Assessment                19%
    6. Information System Authorization           13%
    7. Monitoring of Security Controls            17%
    Total                                        100%

    Risk Management Framework (RMF)

    • Describe the RMF
    • Describe and distinguish between the RMF steps
    • Identify roles and define responsibilities
    • Understand and describe how the RMF process relates to the organizational structure
    • Understand the relationship between the RMF and System Development Life Cycle (SDLC)
    • Understand legal, regulatory and other security requirements

    Categorization of Information Systems

    • Categorize the system
    • Describe the information system (including the security authorization boundaries)
    • Register the system

    Selection of Security Controls

    • Identify and document (inheritable) controls
    • Select, tailor and document security controls
    • Develop security control monitoring strategy
    • Review and approve security plan

    Security Control Implementation

    • Implement selected security controls
    • Document security control implementation

    Security Control Assessment

    • Prepare for security control assessment
    • Develop security control assessment plan
    • Assess security control effectiveness
    • Develop initial security assessment report (SAR)
    • Review interim SAR and perform initial remediation actions
    • Develop final SAR and optional addendum

    Information System Authorization

    • Develop plan of action and milestones (POAM) (e.g., resources, schedule, requirements)
    • Assemble security authorization package
    • Determine risk
    • Determine the acceptability of risk
    • Obtain security authorization decision

    Monitoring of Security Controls

    • Determine security impact of changes to system and environment
    • Perform ongoing security control assessments (e.g., continuous monitoring, internal and external assessments)
    • Conduct ongoing remediation actions (resulting from incidents, vulnerability scans, audits, vendor updates, etc.)
    • Update key documentation (e.g., SP, SAR, POAM)
    • Perform periodic security status reporting
    • Perform ongoing risk determination and acceptance
    • Decommission and remove system

  • Getting CAP Training That’s Right for You

    Prepare for your CAP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CAP CBK!

    Simply choose the best training format for your schedule, needs and learning style.

    Classroom-Based Training

    • Ideal for hands-on learners. The most thorough review of the CAP CBK, industry concepts and best practices.
    • Five-day training events delivered in a classroom setting. Eight hours a day.
    • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
    • Led by authorized instructors.


    Get details on Classroom-Based Training.

    Private On-Site Training

    • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
    • Tailored to your team’s schedule, budget and certification requirements.
    • Conveniently taught in your office space or a local venue.
    • Led by authorized instructors.

    Get details on Private On-Site Training.

    Instructor-Led Training

    • Participate from the convenience of your computer. This saves you travel time and expense.
    • Weekday, weekend and evening options to fit your busy schedule.
    • Comprehensive review of the CBK, so you’re ready for this software security certification.
    • Led by authorized instructors.

    Get details on Instructor-Led Seminars.

    CAP Training Course Overview

    Our training helps you fully prepare for this cybersecurity certification. You will:

    • Review, refresh and expand your knowledge.
    • Identify areas you need to study for the CAP exam.

    You can expect an in-depth review of the seven domains of the CAP CBK — including discussion of industry best practices and timely security concepts.

    (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

    Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

    Self-Study Tools

    In addition to training, we offer resources to help you with self-study. Our resources include the:

  • Taking Your CAP Exam

    Length of exam: Up to 3 hours

    Number of questions: 125 questions

    Question format: Multiple choice

    Passing grade: A passing score is 700 out of 1000 points

    Exam language: English

    Testing center: Pearson VUE Testing Center

    Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

  • Maintaining or Regaining CAP Certification

    Once you’ve earned this RMF certification, you become a member of (ISC)². You enter one of the largest communities of information security professionals in the world. You gain access to unparalleled global resources and networking.

    Quite simply, you have endless opportunities to grow and refine your craft.

    But certification is a privilege that must be earned and maintained.

    To remain in good standing with your CAP, you need to:

    • Abide by the (ISC)² Code of Ethics.
    • Earn and post Continuing Professional Education (CPE) credits.
    • Pay your Annual Maintenance Fee (AMF).

    Here’s a closer look at each.

    Abiding by the (ISC)² Code of Ethics
    You agree to fully support and follow the (ISC)² Code of Ethics.

    Earning and Posting CPE Credits
    Cybersecurity is constantly changing. (You know this well!) You need to earn CPE hours to stay well-rounded and keep up your expertise.

    For the CAP, you need to earn and post a minimum of 20 CPE credits per year. You need to do so before your certification annual anniversary date.

    CPEs may sound like a big task. However, (ISC)² makes it easy for you to earn your CPE credits on a regular basis.

    We offer access to:

    • Live educational events around the world.
    • Online seminars that can be taken in the comfort of your home or office. They’re available exclusively to (ISC)² members.
    • And many more learning opportunities.

    Paying Annual Maintenance Fees (AMFs)
    Once you earn this RMF certification, you must pay USD$65 each year of your three-year certification cycle. Your payment is due before your certification or recertification annual anniversary date.

    Your payments help ensure that (ISC)² has the financial resources to:

    • Be a functional, dynamic entity for leading information security and IT professionals (like you) far into the future.
    • Develop more CPE opportunities.
    • Continue to meet the certification needs and requirements of information security professionals.
    • Maintain member records.

    How to Regain Membership if Your CAP Ends
    If you wish to regain membership, you’ll need to:

    • Pay any outstanding AMF payments. (This needs to take place before you sit for the exam.)
    • Retake and pass the exam to become certified again.
    • Contact Member Services to reactivate your certification after you pass the exam.

    Do you have questions about maintaining your CAP certification? Ask Member Services.

Free CAP Exam Outline

Get Started Today

Prove Your Security Expertise Within the RMF.

Download Your Free CAP Exam Outline