(ISC)² CAP (Certification and Accreditation Professional)

TallDarknFugly Member Posts: 15
I see no worthwhile threads on CAP in these forums, and understandably so, because up until last month it didn't seem like a worthwhile enough venture to pursue. I know most are not familiar with the certification, so I'll go ahead and summarize it in a few sentences before commencing.

The Federal Information Security Management Act (FISMA), the E-Government Act (Public Law 107-347), mandates that Information Technology asset and data security be upheld according to certain standards. These standards demand periodic Risk Assessments, proper Info Sec policies and procedures, contingency planning, auditing, security awareness training, etc.

The above measures have to be met through the implementation of federal standards such as NIACAP (National Information Assurance Certification and Accreditation Process), DITSCAP (Defense Information Technology Systems Certification and Accreditation Process) or NIST (National Institute of Standards and Technology). These Certification and Accreditation methodologies are guidelines for meeting FISMA requirements, which make up the foundation for testing organizations for FISMA compliance.

Professionals who enforce these Certification and Accreditation inspections typically conduct penetration tests, vulnerability assessments, risk assessments, policy and procedure evaluations, etc.

Well, the (ISC)² CAP, even though it's been out for a couple of years, hasn't been too popular, but it looks like that's about to change. The CAP certification just qualified under the (DoD) 8570.1 Mandate, meaning "This mandate requires that all DoD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC Standard 17024" (source: (ISC)² Security Transcends Technology).

What does this mean to you? I'm thinking I need to get hot on this certification, ASAP. Thoughts?

Comments

  • veritas_libertas CISSP, GIAC x5, CompTIA x5, Greenville, SC USA, Member Posts: 5,735
    So is the CAP basically the equivalent of the CISA?
    Currently working on: Linux and Python
  • GAngel Member Posts: 708
    veritas_libertas wrote: »
    So is the CAP basically the equivalent of the CISA?

    No. CISA/CISM need 5 years' experience; this is only 2. I'd rather write SSCP than waste money on a cert no one has ever heard of and that looks to hold very little real-world relevance. Pardon my French, but peau jaillet au toilet.

    Understanding the Purpose of Certification
    Initiation of the System Authorization Process
    Certification Phase
    Accreditation Phase
    Continuous Monitoring Phase

    If that's a pen test related cert have I got a bridge to sell you...
  • TallDarknFugly Member Posts: 15
    veritas_libertas wrote: »
    So is the CAP basically the equivalent of the CISA?

    While both certs are approved under the same DOD mandate, the CAP seems much more geared towards Certification and Accreditation, while the CISA leans more towards auditing. There are still so many similarities and overlaps between both from what I can see, but for anyone getting into C&A, I would imagine CAP would be the heavier cert sooner or later...

    Everything I'm saying here is pure speculation on my part. Although the CAP has been out for a while, it's still under-documented and unpopular. I just think with this new development it may become a standard soon...


    @ Gangel-
    It's not a pen test cert per se, but that could be part of the C&A process.
  • GAngel Member Posts: 708
    TallDarknFugly wrote: »
    While both certs are approved under the same DOD mandate, the CAP seems much more geared towards Certification and Accreditation, while the CISA leans more towards auditing. There are still so many similarities and overlaps between both from what I can see, but for anyone getting into C&A, I would imagine CAP would be the heavier cert sooner or later...

    Everything I'm saying here is pure speculation on my part. Although the CAP has been out for a while, it's still under-documented and unpopular. I just think with this new development it may become a standard soon...

    @ Gangel-
    It's not a pen test cert per se, but that could be part of the C&A process.

    The government employing people to do risk assessments with 2 years experience is laughable. By the time someone lands a heavy position in security they should be able to do CISSP, CISM, CISA, which is the whole point. Why they would waste time on this expensive nothing cert is beyond me.
  • TallDarknFugly Member Posts: 15
    GAngel wrote: »
    The government employing people to do risk assessments with 2 years experience is laughable. By the time someone lands a heavy position in security they should be able to do CISSP, CISM, CISA, which is the whole point. Why they would waste time on this expensive nothing cert is beyond me.

    Good point... I'm not sure if I meet the reqs for CISA or CISM though, even though I'm CISSP and have at least 9 yrs experience in the industry. So for me, the CAP helps push me further into the C&A field if I decide to delve there in the future. I would imagine there's a handful of others with the same background.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+, Surf City, USA, Admin Posts: 11,890
    The CAP is for people that have already been in the information systems certification and accreditation business for years. It's not something you get when you want to just break into the business.
  • eMeS Member Posts: 1,875
    GAngel wrote: »
    Pardon my french but peau jaillet au toilet.

    Yeah, pardon mine too...M. Dynamik est une sallop.

    MS
  • colemic Member Posts: 1,568
    TallDarknFugly wrote: »
    Good point... I'm not sure if I meet the reqs for CISA or CISM though, even though I'm CISSP and have at least 9 yrs experience in the industry. So for me, the CAP helps push me further into the C&A field if I decide to delve there in the future. I would imagine there's a handful of others with the same background.


    Same boat here... there is very little info out and little discussion on this cert but anyone involved with DoD IA is dealing with, or will be dealing with, DIACAP in the near future. This cert, to me, seems to be geared towards those in that arena.

    Has anyone gone for this yet? If so, have you found it to be useful/relevant? I would think that anyone who has been in IA for DoD for a couple of years would certainly have the required experience for it, and while I don't have that requirement met yet, I am up to my eyeballs in DIACAP and am wondering if it is a cert/process that would be beneficial in understanding the 'big picture' of DIACAP.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+, Surf City, USA, Admin Posts: 11,890
    colemic wrote: »
    I am up to my eyeballs in DIACAP and am wondering if it is a cert/process that would be beneficial in understanding the 'big picture' of DIACAP.
    The CISSP-ISSEP is deep in DITSCAP, DIACAP, NIACAP, and DoD assurance practices. You should have a look at it and the books on it:

    Amazon.com: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK® ((ISC)2 Press) (9780849323416): Susan Hansche CISSP, Susan Hansche: Books

    Amazon.com: The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, Second Edition (9780764559150): Ronald L. Krutz, Russell Dean Vines: Books
  • astorrs Member Posts: 3,139
    eMeS wrote: »
    Yeah, pardon mine too...M. Dynamik est une sallop
    Mine too... oui, dynamik est un batard laid
  • colemic Member Posts: 1,568
    JDMurray wrote: »

    Thanks, I have not really explored the ISSEP yet, but I definitely will now, and I will keep digging for stuff on the CAP as well... (ISC)² says there is a grand total of 600 people who have passed, and that ain't many... finding one is like looking for Sasquatch. Is it just an obscure (for now) exam or is it just that hard?
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • eMeS Member Posts: 1,875
    colemic wrote: »
    Thanks, I have not really explored the ISSEP yet, but I definitely will now, and I will keep digging for stuff on the CAP as well... (ISC)² says there is a grand total of 600 people who have passed, and that ain't many... finding one is like looking for Sasquatch. Is it just an obscure (for now) exam or is it just that hard?

    Why have I heard DIACAP come up so much this week? Both here and elsewhere. That's rhetorical...

    I'm delivering an ITIL v3 Foundation class this week for a reasonably sized defense contractor. DIACAP seems high on their radar and it's come up several times during this class.

    MS
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+, Surf City, USA, Admin Posts: 11,890
    colemic wrote: »
    Is it just an obscure (for now) exam or is it just that hard?
    It is both obscure and difficult, but I think the real reason is that it's not in demand by employers or organizations that award contracts. There are a lot of DoD people who work in the areas that the CISSP-ISSEP covers, but it's not a "must have" requirement.

    Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickel on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?
  • colemic Member Posts: 1,568
    eMeS wrote: »
    Why have I heard DIACAP come up so much this week? Both here and elsewhere. That's rhetorical...

    I'm delivering an ITIL v3 Foundation class this week for a reasonably sized defense contractor. DIACAP seems high on their radar and it's come up several times during this class.

    MS


    Embrace it, because it's the future, man. Eventually all branches will adhere to it (from my limited knowledge, I believe AF is kinda resistant and still wanting to stay DITSCAP, but it was cancelled as a C&A process.)

    Business capture guys have a whiff of it and are seeing the dollar signs they can pick up.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • colemic Member Posts: 1,568
    JDMurray wrote: »
    Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickel on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?


    Right, but that's partially because CAP has not been marketed as being the right tool. I may be wrong, but not one time in the CAP stuff on ISC's site is DIACAP mentioned, (ok maybe it is one time), but not how the cert can be leveraged for it.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • jimbalaya Member Posts: 5
    JDMurray wrote: »
    It is both obscure and difficult, but I think the real reason is that it's not in demand by employers or organizations that award contracts. There are a lot of DoD people who work in the areas that the CISSP-ISSEP covers, but it's not a "must have" requirement.

    Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickel on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?

    DoD (Navy in my case) does recognize CAP for IAM staff as part of the IA Workforce initiative. Problem is, most people do the CISSP because it is good at all 3 levels in the IAM career path:
    https://www.cool.navy.mil/ia_documents/ia_iam_flow.htm

    I believe the CAP is required for those that actually formally review C&A packages at the DAA level. In our shop we do a local review of DIACAP packages before they go up to DAA, but we aren't required to get the CAP cert - just to take a DIACAP training class.