CAP Exam Review
I took the Certified Authorization Professional (CAP) exam yesterday and thought I would leave a review, since there is so little information about it on these forums. The exam itself is not difficult and the questions are structured similarly to CISSP exam questions, so, if you have taken the CISSP, you will recognize the question style. There is one challenge to the CAP that I believe is the cause of difficulty for many people who have taken it and not been successful. The fact that there isn't much in the way of study materials and books and little information about the exam itself makes preparing and gauging your readiness the difficult part. So in short, if you are properly prepared, the exam is trivial and the questions are fair and direct. Below is how I prepared myself for the exam in less than three weeks.
Resources
NIST and FIPS Documentation
FedVTE CAP Training
Official Guide to the CAP CBK, Second Edition
Study Plan
The reality is that the current CAP CIB lays out everything you need to know, and based on my experience, you will pass easily if you follow the CIB to the letter and know every single topic on it. The CAP has seven domains and all of them involve the Risk Management Framework (RMF). The first domain covers the necessities of the RMF and each of the six domains that follow map directly to the six chronological steps of the RMF. DIACAP/NIACAP should not be studied for this exam.
Knowing that the exam is essentially all about the RMF, I decided to master the NIST and FIPS documents themselves as the primary source of preparation. This turned out to be the ideal and recommended way to prepare. By knowing the major NIST and FIPS documents inside and out, you will be adequately prepared for the exam. You also must know all of the relevant terms. I advise going through the glossary of the major NIST documents and knowing the terminology that is used. Below are the documents you should know by heart:
FIPS 199
FIPS 200
NIST SP 800-18 R4
NIST SP 800-30 R1
NIST SP 800-37 R1
NIST SP 800-39
NIST SP 800-53 R4
NIST SP 800-53A
NIST SP 800-59
NIST SP 800-60
All of the documents are related and each has its place. If you understand the RMF inside and out, as well as how these documents work together, you will be prepared. Just remember that the exam is about the RMF, so adequately preparing for the exam means knowing everything about the RMF so you can answer any question that may be thrown your way. Stick to the CIB to make sure you do not miss any topics.
Of the material listed in my study plan above, all of it was outdated except the actual documentation. This is another important fact to point out. The FedVTE was a good resource to get me introduced to the RMF in general, but I did not bother finishing it. I got about 66% of the way through it before I realized it would be better to use my time on the actual documentation itself. The Official Guide to the CAP CBK, Second Edition (2012) is also outdated. However, it does have a lot of good information in it, and I used it a couple days before the exam to fine-tune some topics from the CIB I had not covered during my documentation study. I would recommend reading it or skimming through it to get your introduction to CAP. You really need to understand and know the official documentation if you truly want to be prepared for the CAP. For example, you should be able to write out the entire RMF process in fine detail, to include the steps, tasks, primary roles, supporting documentation, and relationship to the exact phase of the SDLC it maps to. If you can do this with no problem, you are well on your way to your CAP certification.
It is difficult to understand what you need to be prepared for this exam, but I am hoping that this write-up provides assistance. Using this study plan, I was able to pass the CAP exam in 107 minutes. Furthermore, I would recommend that whoever attempts this exam have DoD C&A experience. I have three years' experience and found that this was a huge factor in my ability to quickly prepare for the exam. The more experience you have with it, the more natural the RMF will be and the more sense it will all make to you as you read through the documentation and prepare.
Feel free to ask any questions you may have. I would be more than happy to answer any questions, provided they do not violate the ISC2 ethics.
Working on: Nothing, finally.
Comments
It was not a requirement. However, I wanted to pursue a cert higher than the CISSP to stand out, so I decided I would try my hand at the CISSP-ISSEP. After looking into the ISSEP and noticing one of the four domains is C&A/RMF, I decided to tackle the CAP as preparation for that domain. Essentially, the CAP was just a preparation tool for my ISSEP goal. That may be a bit extreme, but I am glad that I did it. I also feel pretty well prepared in that one ISSEP domain now. Three more to go.
I should have taken it again soon afterwards, but I'm already scarred from not passing exams, so I let it go. And then I accepted a position where I am required to have the certification. I studied again and sat for the exam again in Feb 2014. Once again, I failed. The CAP exam changed dramatically in Sept. 2013. Now I find myself attempting to prepare yet again to sit for this exam and must pass it before July 30th or face losing my current position. My test anxiety level shot through the roof today. I have been frantically looking for a good test engine to use that has questions that are comparable to the ones on the exam. I had purchased the exam prep test engine that (ISC)2 endorses, but the questions were NOTHING like the ones on the exam. I did worse this time around than before.
Can you recommend a good test engine to use?
I've been taking a different approach this time, as suggested by a friend. I've found a bunch of flashcards online and I'm going through all of them to get the terms memorized. It includes a lot of the Special Pubs, so I feel I'm getting a lot more information than I had before.
Have you spent time with the documents themselves? I highly recommend going through the documents listed above. Knowing just what they cover is not enough. You need to know, at a bare minimum, what they cover and the finer details of how they work and are implemented. There are a few that you need to know in their entirety, such as 37. If you don't know 37 by heart, you have a very low chance of passing.
I wouldn't worry so much about test questions, especially since you are on a time crunch. Focus on reading the documents and knowing the raw material. Know everything about the RMF and how the other documents support it and you should do well.
As Jonnyg said, know everything about the RMF. I'd like to add that you should also know the tasks of DIACAP/DITSCAP/NIACAP. And make sure you're 100% up on roles and responsibilities. I knew that was my weakest area last year and still went to take the exam. This year I spent 3 days just reading and learning everyone's tasks. I think that helped me pass this time around.
Good luck!
Congrats on the pass! Having the actual C&A experience definitely helps. What did you think helped you the most in passing on the second attempt?
Website: www.nxecurity.com
I also want to say that the CAP certification and body of knowledge are probably better to have first for anyone trying to get into the A&A field, because it explains in detail how the RMF works to ensure adequate/commensurate security for information systems.
Thanks! To say I'm a bit behind on replying is an understatement, but ya know. Not sure if the exam has changed, but I was thrown a few DITSCAP/NIACAP questions on my first exam. I was shocked. Also, solidifying the roles and responsibilities helped me a lot. Turns out the way we were doing it in real life wasn't correct. So relying on my personal knowledge during the exam was a bad idea... lesson learned.
Better late than never! There really shouldn't be any DITSCAP/NIACAP questions on the exam at this point, but I also wouldn't be surprised if there still were. I still think having real-world experience is key, so long as the experience is quality and not superficial. Doing it right in the real world is also helpful!
I used the same resources as jonnyg:
NIST and FIPS Documentation
FedVTE CAP Training
Official Guide to the CAP CBK, Second Edition (seriously outdated)
Thank goodness the exam only had questions related to RMF. Having experience doing A&A work really helped and I had no difficulty passing. I would recommend knowing everyone's roles and responsibilities as well as the RMF steps, documentation in each cycle, and the related NIST/FIPS pubs associated with each step.
Simulate how an Information System goes through the entire Risk Management Framework (RMF) & Systems Development Life Cycle (SDLC)
Make sure to know roles and responsibilities inside and out
Read as many NIST documents as time permits (Special Publication 800-34, 800-30, 800-59, 800-60, 800-18, 800-39, 800-37, 800-137, and others)
Know the FIPS-199, FIPS-200, CNSS 1253 inside and out
Skim over the SP 800-53A (Assessment), 800-115 (Assessment / PenTest), FISMA 2002/2014, OMB Circular A-130