(ISC)² CAP (Certification and Accreditation Professional)

I see no worthwhile threads on CAP in these forums and understandably so, because up until last month it didn't seem like a worthwhile enough venture to pursue. I know most are not familiar with the certification so I'll go ahead and summarize in a few sentences before commencing.

Federal Information Security Management Act (FISMA), the E-Government Act (Public Law 107-347) mandates Information Technology asset and data security be upheld according to certain standards. These standards demand periodic Risk Assesments, proper Info Sec policies and procedures, contingency planning, auditing, security awareness training, etc.

The above measures have to be met through the implementation of fed standards such as NIACAP (National Information Assurance Certification and Accreditation Process), DITSCAP (Defense Information Technology Systems Certification and Accreditation Process) or NIST (National Institute of Standards and Technology). These Certification and Accreditation methodologies are guidelines for meeting FISMA requirements which make up the foundation for testing organizations for FISMA compliance.

Professionals who enforce these Certification and Accreditation inspections typically conduct penetration tests, vulnerability assessments, risk assessments, policy and procedure evaluations, etc.

Well, the (ISC)² CAP, even though its been out for a couple of years hasn't been too popular but it looks like that's about to change. The CAP certification just qualified under (DoD) 8570.1 Mandate, meaning "This mandate requires that all DoD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC Standard 17024". (ISC)² Security Transcends Technology

What does this mean to you? I'm thinking I need to get hot on this certification, ASAP. Thoughts?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

veritas_libertas

So is the CAP basically the equivalent of the CISA?

GAngel

veritas_libertas wrote: »

So is the basically the equivalent of the CISA?

No CISA/CISM need 5 years experience this is only 2. I'd rather write SSCP than waste money on a cert no one has ever heard of and looks to hold very little real world relevance. Pardon my french but peau jaillet au toilet.

Understanding the Purpose of Certification
Initiation of the System Authorization Process
Certification Phase
Accreditation Phase
Continuous Monitoring Phase

If that's a pen test related cert have I got a bridge to sell you...

TallDarknFugly

veritas_libertas wrote: »

So is the basically the equivalent of the CISA?

While both certs are approved under the same DOD mandate, the CAP seems much more geared towards Certification and Accreditation, while the CISA leans more towards auditing. There are still so many similarities and overlaps between both from what I can see, but for anyone getting into C&A, I would imagine CAP would be the heavier cert sooner or later...

Everything I'm saying here is pure speculation on my part. Although the CAP has been out for a while its still under-documented and unpopular. I just think with this new development it may become a standard soon...

@ Gangel-
It's not a pen test cert per se, but that could be part of the C&A process.

GAngel

TallDarknFugly wrote: »

While both certs are approved under the same DOD mandate, the CAP seems much more geared towards Certification and Accreditation, while the CISA leans more towards auditing. There are still so many similarities and overlaps between both from what I can see, but for anyone getting into C&A, I would imagine CAP would be the heavier cert sooner or later...

Everything I'm saying here is pure speculation on my part. Although the CAP has been out for a while its still under-documented and unpopular. I just think with this new development it may become a standard soon...

@ Gangel-
It's not a pen test cert per se, but that could be part of the C&A process.

The government employing people to do risk assessments with 2 years experience is laughable. By the time someone lands a heavy position in security they should be able to do CISSP,CISM,CISA which is the whole point. Why they would waste time on this expensive nothing cert is beyond me.

TallDarknFugly

GAngel wrote: »

The government employing people to do risk assessments with 2 years experience is laughable. By the time someone lands a heavy position in security they should be able to do CISSP,CISM,CISA which is the whole point. Why they would waste time on this expensive nothing cert is beyond me.

Good point... I'm not sure if I meet the reqs for CISA or CISM though, even though I'm CISSP and have at least 9yrs experience in the industry. So for me, the CAP helps push me further into the C&P field if I decide to delve there in the future. I would imagine there's a handful of others with the same background

JDMurray

The CAP is for people that have already been in the information systems certification and accreditation business for years. It's not something you get when you want to just break into the business.

eMeS

GAngel wrote: »

Pardon my french but peau jaillet au toilet.

Yeah, pardon mine too...M. Dynamik est une sallop.

MS

colemic

TallDarknFugly wrote: »

Good point... I'm not sure if I meet the reqs for CISA or CISM though, even though I'm CISSP and have at least 9yrs experience in the industry. So for me, the CAP helps push me further into the C&P field if I decide to delve there in the future. I would imagine there's a handful of others with the same background

Same boat here... there is very little info out and little discussion on this cert but anyone involved with DoD IA is dealing with, or will be dealing with, DIACAP in the near future. This cert, to me, seems to be geared towards those in that arena.

Has anyone gone for this yet? if so, have you found it to be useful/relevant? I would think that anyone who has been in IA for DoD for a couple of years would certainly have the required experience for it, and while I don't have that requirement met yet, I am up to my eyeballs in DIACAP and am wondering if it is a cert/process that would be beneficial in understanding the 'big picture' of DIACAP.

JDMurray

colemic wrote: »

I am up to my eyeballs in DIACAP and am wondering if it is a cert/process that would be beneficial in understanding the 'big picture' of DIACAP.

The CISSP-ISSEP is deep in DITSCAP, DIACAP, NIACAP, and DoD assurance practices. You should have a look at it and the books on it:

Amazon.com: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK® ((ISC)2 Press) (9780849323416): Susan Hansche CISSP, Susan Hansche: Books

Amazon.com: The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, Second Edition (9780764559150): Ronald L. Krutz, Russell Dean Vines: Books

astorrs

eMeS wrote: »

Yeah, pardon mine too...M. Dynamik est une sallop

Mine too... oui, dynamik est un batard laid

colemic

JDMurray wrote: »

The CISSP-ISSEP is deep in DITSCAP, DIACAP, NIACAP, and DoD assurance practices. You should have a look at it and the books on it:

Amazon.com: Official (ISC)2® Guide to the CISSP®-ISSEP® CBK® ((ISC)2 Press) (9780849323416): Susan Hansche CISSP, Susan Hansche: Books

Amazon.com: The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, Second Edition (9780764559150): Ronald L. Krutz, Russell Dean Vines: Books

Thanks, I have not really explored the ISSEP yet, but I definitely will now, and I will keep digging for stuff on the CAP as well... (ISC)² says there is a grand total of 600 people who have passed, and that ain't many... finding one is like lookng for Sasquatch. Is it just an obscure (for now) exam or is it just that hard?

eMeS

colemic wrote: »

Thanks, I have not really explored the ISSEP yet, but I definitely will now, and I will keep digging for stuff on the CAP as well... (ISC)² says there is a grand total of 600 people who have passed, and that ain't many... finding one is like lookng for Sasquatch. Is it just an obscure (for now) exam or is it just that hard?

Why have I heard DIACAP come up so much this week? Both here and elsewhere. That's rhetorical...

I'm delivering an ITIL v3 Foundation class this week for a reasonably sized defense contractor. DIACAP seems high on their radar and it's come up several times during this class.

MS

JDMurray

colemic wrote: »

Is it just an obscure (for now) exam or is it just that hard?

It is both obscure and difficult, but I think the real reason is that it's not in demand by employers or organizations that award contracts. There are a lot of DoD people who work in the areas that the CISSP-ISSEP covers, but it's not a "must have" requirement.

Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickle on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?

colemic

eMeS wrote: »

Why have I heard DIACAP come up so much this week? Both here and elsewhere. That's rhetorical...

I'm delivering an ITIL v3 Foundation class this week for a reasonably sized defense contractor. DIACAP seems high on their radar and it's come up several times during this class.

MS

Embrace it, because it's the future, man.

Eventually all branches will adhere to it (from my limited knowledge, I believe AF is kinda resistant and still wanting to stay DITSCAP, but it was cancelled as an C&A process.)

Business capture guys have a whiff of it and are seeing the dollar signs they can pick up.

colemic

JDMurray wrote: »

Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickle on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?

Right, but that's partially because CAP has not been marketed as being the right tool. I may be wrong, but not one time in the CAP stuff on ISC's site is DIACAP mentioned, (ok maybe it is one time), but not how the cert can be leveraged for it.

jimbalaya

JDMurray wrote: »

It is both obscure and difficult, but I think the real reason is that it's not in demand by employers or organizations that award contracts. There are a lot of DoD people who work in the areas that the CISSP-ISSEP covers, but it's not a "must have" requirement.

Funny how DoD primes and sub-primes will pay for DITSCAP/DIACAP training classes for their contractors and employees, but most won't spend a nickle on a certification for it. It's up to the individuals to spend the $$$ for the cert. Why bother doing that if no employers are asking for it?

DoD (Navy in my case) does recognize CAP for IAM staff as part of the IA Workforce initiative. Problem is, most people do the CISSP because it is good at all 3 levels in the IAM career path:
https://www.cool.navy.mil/ia_documents/ia_iam_flow.htm

I believe the CAP is required for those that actually formally review C&A packages at the DAA level. In our shop we do a local review of DIACAP packages before they go up to DAA, but we aren't required to get the CAP cert - just to take a DIACAP training class.