CAP Exam Review

Jonnyg Member Posts: 84
I took the Certified Authorization Professional (CAP) exam yesterday and thought I would leave a review, since there is so little information about it on these forums. The exam itself is not difficult and the questions are structured similarly to CISSP exam questions, so, if you have taken the CISSP, you will recognize the question style. There is one challenge to the CAP that I believe is the cause of difficulty for many people who have taken it and not been successful. The fact that there isn't much in the way of study materials and books and little information about the exam itself makes preparing and gauging your readiness the difficult part. So in short, if you are properly prepared, the exam is trivial and the questions are fair and direct. Below is how I prepared myself for the exam in less than three weeks.

Resources
NIST and FIPS Documentation
FedVTE CAP Training
Official Guide to the CAP CBK, Second Edition

Study Plan
The reality is that the current CAP CIB lays out everything you need to know, and based on my experience, you will pass easily if you follow the CIB to the letter and know every single topic on it. The CAP has seven domains and all of them involve the Risk Management Framework (RMF). The first domain covers the necessities of the RMF and each of the six domains that follow map directly to the six chronological steps of the RMF. DIACAP/NIACAP should not be studied for this exam.

Knowing that the exam is essentially all about the RMF, I decided to master the NIST and FIPS documents themselves as the primary source of preparation. This turned out to be the ideal and recommended way to prepare. By knowing the major NIST and FIPS documents inside and out, you will be adequately prepared for the exam. You also must know all of the relevant terms. I advise going through the glossary of the major NIST documents and knowing the terminology that is used. Below are the documents you should know by heart:

FIPS 199
FIPS 200
NIST SP 800-18 R4
NIST SP 800-30 R1
NIST SP 800-37 R1
NIST SP 800-39
NIST SP 800-53 R4
NIST SP 800-53A
NIST SP 800-59
NIST SP 800-60

All of the documents are related and each has its place. If you understand the RMF inside and out, as well as how these documents work together, you will be prepared. Just remember that the exam is about the RMF, so adequately preparing for the exam means knowing everything about the RMF so you can answer any question that may be thrown your way. Stick to the CIB to make sure you do not miss any topics.

Of the material listed in my study plan above, all of it was outdated except the actual documentation. This is another important fact to point out. The FedVTE was a good resource to get me introduced to the RMF in general, but I did not bother finishing it. I got about 66% of the way through it before I realized it would be better to use my time on the actual documentation itself. The Official Guide to the CAP CBK, Second Edition (2012) is also outdated. However, it does have a lot of good information in it, and I used it a couple of days before the exam to fine-tune some topics from the CIB I had not covered during my documentation study. I would recommend reading it or skimming through it to get your introduction to CAP. You really need to understand and know the official documentation if you truly want to be prepared for the CAP. For example, you should be able to write out the entire RMF process in fine detail, to include the steps, tasks, primary roles, supporting documentation, and relationship to the exact phase of the SDLC it maps to. If you can do this with no problem, you are well on your way to your CAP certification.

It is difficult to understand what you need to be prepared for this exam, but I am hoping that this write-up provides assistance. Using this study plan, I was able to pass the CAP exam in 107 minutes. Furthermore, I would recommend that whoever attempts this exam have DoD C&A experience. I have three years' experience and found that this was a huge factor in my ability to quickly prepare for the exam. The more experience you have with it, the more natural the RMF will be and the more sense it will all make to you as you read through the documentation and prepare.

Feel free to ask any questions you may have. I would be more than happy to answer any questions, provided they do not violate the ISC2 ethics.
Working on: Nothing, finally.

Comments

  • neb2886 Member Posts: 16
    Thanks for posting this. I have been considering doing the CAP since I work in IT audit and the majority of my clients are Federal government. What were your reasons for pursuing this cert? Client requirement?
  • Jonnyg Member Posts: 84
    neb2886 wrote: »
    Thanks for posting this. I have been considering doing the CAP since I work in IT audit and the majority of my clients are Federal government. What were your reasons for pursuing this cert? Client requirement?

    It was not a requirement. However, I wanted to pursue a cert higher than the CISSP to stand out, so I decided I would try my hand at the CISSP-ISSEP. After looking into the ISSEP and noticing one of the four domains is C&A/RMF, I decided to tackle the CAP as preparation for that domain. Essentially, the CAP was just a preparation tool for my ISSEP goal. That may be a bit extreme, but I am glad that I did it. I also feel pretty well prepared in that one ISSEP domain now. Three more to go.
    Working on: Nothing, finally.
  • neb2886 Member Posts: 16
    Understandable, and good strategy. I may go for it being that I keep coming back to C&A work the more I try to get away from it. Good luck on the CISSP-ISSEP!
  • Jonnyg Member Posts: 84
    If you are in the DoD C&A world or want to get your foot back into that door, I would highly recommend the CAP. Preparing for it helped solidify my existing C&A knowledge and experience and has definitely made me a more well-rounded professional. Also, it helps set you apart in the job hunt if you are searching for this type of job. However, I am not sure how attractive this cert would be outside of the DoD C&A world.
    Working on: Nothing, finally.
  • gmbower Registered Users Posts: 1
    Thanks for your write-up on how to study for the CAP exam. I took the exam last June. I didn't pass it. I was really upset, because I felt I had studied really hard and had a pretty good grasp on what would be on the exam.

    I should have taken it again soon afterwards, but I'm already scarred from not passing exams, so I let it go. And then I accepted a position where I am required to have the certification. I studied again and sat for the exam again in Feb 2014. Once again, I failed. The CAP exam changed dramatically in Sept. 2013. Now I find myself attempting to prepare yet again to sit for this exam and must pass it before July 30th or face losing my current position. My test anxiety level shot through the roof today. I have been frantically looking for a good test engine to use that has questions that are comparable to the ones on the exam. I had purchased the exam prep test engine that (ISC)2 endorses, but the questions were NOTHING like the ones on the exam. I did worse this time around than before.

    Can you recommend a good test engine to use?

    I've been taking a different approach this time, as suggested by a friend. I've found a bunch of flashcards online and I'm going through all of them to get the terms memorized. It includes a lot of the Special Pubs, so I feel I'm getting a lot more information than I had before.
  • Jonnyg Member Posts: 84
    There are no good question sets to use for the CAP that I am aware of. It is difficult to study for because there is so little in the way of available study materials. This exam isn't one that can be passed solely on flash cards and practice questions, although they help. You really need to know the documents themselves. Knowing them inside out is the key to passing this exam confidently.

    Have you spent time with the documents themselves? I highly recommend going through the documents listed above. Knowing just what they cover is not enough. You need to know, at a bare minimum, what they cover and the finer details of how they work and are implemented. There are a few that you need to know in their entirety, such as 37. If you don't know 37 by heart, you have a very low chance of passing.

    I wouldn't worry so much on test questions, especially since you are on a time crunch. Focus on reading the documents and knowing the raw material. Know everything about the RMF and how the other documents support it and you should do well.
    Working on: Nothing, finally.
  • lajt Registered Users Posts: 4
    Let me just say that I was in the exact position as you. I took the CAP last year in March, failed (I was so close to passing, but I think 2% off), and then didn't touch the exam until last month. I set a similar study schedule, added an extra week of study time, and this time I passed. With that said, I have NO idea how I passed this time around. I studied the official CAP book, I read all the policies that Jonnyg stated above and more. And I was still just as confused in the test as last year. I did a lot of practice tests from different test engines, but I wouldn't even recommend any of them to you. They didn't help me in the slightest. I do have 2 years' experience in the DoD C&A field, so that must have played some part in it, haha.

    As Jonnyg said, know everything about the RMF. I'd like to add that you should also know the tasks of DIACAP/DITSCAP/NIACAP. And make sure you're 100% up on roles and responsibilities. I knew that was my weakest area last year and still went to take the exam. This year I spent 3 days just reading and learning everyone's tasks. I think that helped me pass this time around.

    Good luck!
  • Jonnyg Member Posts: 84
    lajt wrote: »
    Let me just say that I was in the exact position as you. I took the CAP last year in March, failed (I was so close to passing, but I think 2% off), and then didn't touch the exam until last month. I set a similar study schedule, added an extra week of study time, and this time I passed. With that said, I have NO idea how I passed this time around. I studied the official CAP book, I read all the policies that Jonnyg stated above and more. And I was still just as confused in the test as last year. I did a lot of practice tests from different test engines, but I wouldn't even recommend any of them to you. They didn't help me in the slightest. I do have 2 years' experience in the DoD C&A field, so that must have played some part in it, haha.

    As Jonnyg said, know everything about the RMF. I'd like to add that you should also know the tasks of DIACAP/DITSCAP/NIACAP. And make sure you're 100% up on roles and responsibilities. I knew that was my weakest area last year and still went to take the exam. This year I spent 3 days just reading and learning everyone's tasks. I think that helped me pass this time around.

    Good luck!

    Congrats on the pass! Having the actual C&A experience definitely helps. What did you think helped you the most in passing on the second attempt?
    Working on: Nothing, finally.
  • Humbe Member Posts: 202
    Jonny - Thanks for the review. I was thinking of studying for this exam before the end of the year and had no clue where to start.
  • Jonnyg Member Posts: 84
    Good luck! Feel free to ask if you have any questions along the way.
    Working on: Nothing, finally.
  • flipflop4567 Member Posts: 15
    Jonny, was there anything that you could say surprised you or tripped you up? I went to a DIACAP/RMF transition class 6 months ago and CAP training 3 months ago. All the review questions are pretty much scenario based besides the normal "What step covers" or "What type of analysis". I work Policy and Governance of Accreditation for the DoD. It's very dry, but how much of RMF is actually covered? We are phasing DIACAP out eventually. I appreciate any help. Thank you.
  • Jonnyg Member Posts: 84
    There wasn't really anything that tripped me up. The questions were pretty straightforward. Either I knew the answer or I didn't. I felt all of (ISC)2's exams were fair in that way. Since you have experience with C&A already, I would say you are a good candidate for taking the exam. I would recommend you prepare and know all of the documents listed in my original post and how they support each other. I never recommend relying on a boot camp to pass any exam. I have always found that forcing yourself to dig as deep as you can into as many topics and objectives as you can is the best way to ensure you cover all your bases. Supplement the experience you have with the tips I have provided in the original review and I think you will do well.
    Working on: Nothing, finally.
  • cgrimaldo Member Posts: 439
    Thanks for the write-up!
  • zxbane Member Posts: 740
    I purchased the CAP CBK Second Edition and have begun reading. I'm also going to go over the documents listed above although I am already familiar with some of them. After that I might give the CAP a shot, just trying to weigh if it is necessary since I already have the CISSP and not many jobs list the CAP as a requirement. I might just do the studying for furthering my own knowledge without actually sitting the exam.
  • Jonnyg Member Posts: 84
    It is good knowledge to have even if you don't take the exam. I have seen more and more people asking for this certification and I have seen recruiters in some environments specifically prefer candidates with both certs as opposed to just a CISSP. I think the CAP is definitely becoming a solid complement to the CISSP in the C&A world.
    Working on: Nothing, finally.
  • cgrimaldo Member Posts: 439
    I am not completely familiar with the C&A world but do you think the DoD moving away from DIACAP to RMF will affect the demand for people with the CAP?
  • zxbane Member Posts: 740
    I definitely think that is a strong possibility, and that is what prompted me to begin looking into the CAP exam. I currently do some C&A related work and know I will be doing more in future roles as well, so I thought the CAP could be beneficial. I wouldn't be surprised if it grows in popularity as the RMF becomes the way of doing things.
  • Jonnyg Member Posts: 84
    I agree and believe the fact that the RMF is becoming the standard will mean this cert will become more popular. It seems this transition has put it more in the spotlight and more people know about the CAP certification now, which has resulted in a growing interest in the cert itself. I do know that some contracting companies are trying to get their people CAP certified ahead of the curve in order to submit stronger, more relevant resumes on proposal bids. I have seen this trend first-hand.
    Working on: Nothing, finally.
  • cgrimaldo Member Posts: 439
    I think that might be on my plate in 2015 considering DoD jobs are plentiful out there.
  • flipflop4567 Member Posts: 15
    Anyone have anything else with the CAP exam as of 2015? I took the course a few months ago and have been studying but concerned about what I am going to be seeing on the test.
  • Jonnyg Member Posts: 84
    A colleague of mine recently passed (January 2015) and had a similar experience to the one I had in 2014. It sounded like the exam hadn't changed much.
    Working on: Nothing, finally.
  • akinakin52 Member Posts: 6
    I agree with Jonnyg's initial post as guidelines to prepare for the CAP exam. I was already a CISSP before going for this exam in May last year. I passed it without difficulty. I am currently working in the C&A field (now called Assessment and Authorization) and I am loving it.

    I also want to say that the CAP certification and body of knowledge is probably better to have first for anyone trying to get into the A&A field, because it explains in detail how the RMF works to ensure adequate/commensurate security for information systems.
  • lajt Registered Users Posts: 4
    Jonnyg wrote: »
    Congrats on the pass! Having the actual C&A experience definitely helps. What did you think helped you the most in passing on the second attempt?

    Thanks! To say I'm a bit behind on replying is an understatement, but ya know. Not sure if the exam has changed, but I was thrown a few DITSCAP/NIACAP questions on my first exam. I was shocked. Also, solidifying the roles and responsibilities helped me a lot. Turns out the way we were doing it in real life wasn't correct. So relying on my personal knowledge during the exam was a bad idea... lesson learned.
  • Jonnyg Member Posts: 84
    lajt wrote: »
    Thanks! To say I'm a bit behind on replying is an understatement, but ya know. Not sure if the exam has changed, but I was thrown a few DITSCAP/NIACAP questions on my first exam. I was shocked. Also, solidifying the roles and responsibilities helped me a lot. Turns out the way we were doing it in real life wasn't correct. So relying on my personal knowledge during the exam was a bad idea... lesson learned.

    Better late than never! There really shouldn't be any DITSCAP/NIACAP questions on the exam at this point, but I also wouldn't be surprised if there still were. I still think having real-world experience is key, so long as the experience is quality and not superficial. Doing it right in the real world is also helpful!
    Working on: Nothing, finally.
  • wacky5 Member Posts: 6
    I recently passed the CAP exam (3/9) and jonnyg's review was on point. It was tough to find any reviews about this exam but I'm glad I stumbled upon this post.

    I used the same resources as jonnyg:

    NIST and FIPS Documentation
    FedVTE CAP Training
    Official Guide to the CAP CBK, Second Edition (seriously outdated)

    Thank goodness the exam only had questions related to RMF. Having experience doing A&A work really helped and I had no difficulty passing. I would recommend knowing everyone's roles and responsibilities as well as the RMF steps, documentation in each cycle, and the related NIST/FIPS pubs associated with each step.
  • gnew70 Member Posts: 2
    Thanks for these reviews, I was on the fence about the certification because of the lack of study tools, but after reading this post I will take the advice and use some of the same study tools.
  • Remedymp Member Posts: 834
    Bumping this to the top as I plan on taking this in a month or so.
  • SuperISSO Member Posts: 47
    Just passed this morning. Along with everything previously mentioned, make sure to do the following:

    Simulate how an Information System goes through the entire Risk Management Framework (RMF) & Systems Development Life Cycle (SDLC)
    Make sure to know roles and responsibilities inside and out
    Read as many NIST documents as time permits (Special Publication 800-34, 800-30, 800-59, 800-60, 800-18, 800-39, 800-37, 800-137, and others)
    Know the FIPS-199, FIPS-200, CNSS 1253 inside and out
    Skim over the SP 800-53A (Assessment), 800-115 (Assessment / PenTest), FISMA 2002/2014, OMB Circular A-130
  • TRodrigue Registered Users Posts: 1
    I got my Bachelor's degree in cybersecurity in 2013, but up to now I have never gotten a position in the field (maybe due to my resume, I don't know). So I decided to prepare for the CAP exam, which someone in the field with a CISSP cert advised me to do. I bought the book and started studying until I came across your posting. What more could you advise me? Actually, I'm working in the IT field as a Technical Support Analyst, but I am willing to get something more in cyber.
  • Gbengas Registered Users Posts: 1
    The advice given by Jonnyg and SuperISSO is on point. Just know the whole RMF process, link it up with the SDLC, know the roles and responsibilities of all the key players, and study the necessary NIST and FIPS documents they mentioned. That's exactly what I did. I found some extra material on the NIST website as well that was pretty helpful. You have to keep in mind that for a CAP certification, your main duty is to maintain compliance for an information system, so in studying for it you need to wear a different cap from someone trying to fix or implement controls. I'd advise you to do some research on what an SSP, POA&M and SAR are and what they contain, as in actually look for an example of each online. I went for an 8 week course for the CAP exam and I was the first to take the exam in the class, and I passed, thankfully. Do take note, no matter how much you study, the exam is a tad bit tricky. So make sure you know your stuff. I wish you well.