Looking to advance your cybersecurity career in cleared environments? The CAP certification, now called Certified in Governance, Risk and Compliance (CGRC), is a globally recognized credential for professionals managing information system security under the Risk Management Framework (RMF). It is especially relevant for U.S. government employees, defense contractors, and anyone filling DoD 8570 IAM Level I or Level II positions.
Key Takeaways:
- Certification Overview: Validates expertise in aligning IT operations with regulatory compliance and risk management.
- Eligibility: Requires two years of work experience in at least one of the CAP domains; candidates without it can still sit the exam through the Associate pathway.
- Exam Details: 125 questions, 3 hours, $599 fee, minimum score of 700/1000 to pass.
- Career Opportunities: Roles like ISSO, ISSM, and IT Risk Manager, with average salaries of $100,000 annually.
- Study Resources: Focus on NIST publications (SP 800-37, SP 800-53) and ISC² guides.
The CAP certification is essential for cleared professionals navigating RMF-based roles, ensuring compliance with both current and future DoD standards.

CAP Certification Path: Requirements, Exam Details, and Career Outcomes
CAP Certification Exam Overview
Eligibility Requirements
To qualify for the CAP certification exam, candidates must have two years of full-time, paid work experience in at least one of the CAP domains. If you don’t meet this requirement, you can still take the exam through the Associate pathway: after passing, you hold the Associate of (ISC)² title and have three years to gain the required experience, at which point you complete the endorsement process with an (ISC)² member to receive the full credential. Work experience must be verifiable and relevant to governance, risk, or compliance. Once eligibility is confirmed, focus on the exam format for effective preparation.
Exam Format and Content
The CAP exam, now referred to as the Certified in Governance, Risk and Compliance (CGRC) exam, includes 125 multiple-choice questions to be completed within three hours [5]. It is administered at Pearson VUE testing centers [5].
After completing the exam, you’ll get unofficial results immediately at the testing center. However, official results take six to eight weeks due to psychometric and forensic analysis [5]. If you don’t pass, there are specific waiting periods before retaking the exam: 30 days after the first attempt, 60 days after the second, and 90 days for subsequent attempts [5]. Successfully tackling these requirements is a key milestone for cybersecurity professionals working in cleared environments.
Cost and Registration Process
The CAP exam fee is set at $599 for candidates in the United States and the Americas [5]. Registration is straightforward – sign up for the CGRC exam through Pearson VUE, where you can schedule your test date and location [5].
Once you pass, keep an eye on your email for endorsement instructions. Completing this step is necessary to finalize your certification [5]. To keep your certification active, you’ll need to earn 60 Continuing Professional Education (CPE) credits every three years and pay an Annual Maintenance Fee [2].
The 7 CAP Certification Domains
Domain Overview
The CAP exam is structured around seven domains, each representing a critical phase of the NIST Risk Management Framework (RMF). These domains guide candidates through the full lifecycle of managing and authorizing information systems, from setting up a risk management program to ensuring ongoing monitoring. The CAP/CGRC certification stands out as the only security credential under the DoD 8570 Mandate that aligns with every step of the NIST RMF [3]. Mastering these domains is essential for anyone preparing for the exam and aiming to excel in this field.
What You Need to Know for Each Domain
Each domain highlights key skills and knowledge areas for professionals working in secure and regulated environments.
- Domain 1: Information Security Risk Management Program – establishes the groundwork for system authorization. It focuses on governance, organizational risk tolerance, aligning security with mission goals, and compliance with FISMA and OMB Circular A-130.
- Domain 2: Scope of the Information System – emphasizes system categorization using FIPS 199 and NIST SP 800-60. Each security objective (confidentiality, integrity, availability) is rated low, moderate, or high based on the potential impact of a loss; each objective takes the highest level of any information type on the system, and the system’s overall category is the highest of the three. This domain also defines the system boundary and the components that fall under the authorization.
- Domain 3: Selection and Approval of Security and Privacy Controls – covers selecting baseline controls from NIST SP 800-53 according to the system category and tailoring them to the specific environment. It also covers control overlays for DoD systems and documenting the decisions in the System Security Plan.
- Domain 4: Implementation of Security and Privacy Controls – focuses on applying the selected controls during the system development lifecycle (SDLC), integrating security engineering principles, and documenting how each control is implemented in the System Security Plan.
- Domain 5: Assessment/Audit of Security and Privacy Controls – covers the assessment methods from NIST SP 800-53A. Professionals learn to create assessment plans, test controls, and record results in a Security Assessment Report for independent validation.
- Domain 6: Authorization/Approval of Information System – covers the final risk determination and the role of the Authorizing Official. Residual weaknesses are tracked in a Plan of Action and Milestones (POA&M), which forms part of the authorization package on which the Authority to Operate (ATO) decision is based.
- Domain 7: Continuous Monitoring – focuses on maintaining ongoing security monitoring as outlined in NIST SP 800-137, including configuration and vulnerability management and adapting to evolving threats so the system stays compliant and retains its ATO.
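The categorization rule in Domain 2 is easy to state but easy to get wrong on the exam, so here is the FIPS 199 high-water-mark calculation worked through in code. This is an added example written for this article, not code from the page or from ISC2; the three information types and their impact levels are constructed for illustration (real provisional levels come from NIST SP 800-60 Volume II, and any adjustment must be documented with rationale). It also models the one edge case FIPS 199 allows: a confidentiality value of "not applicable" for information already designated as public.

```python
"""FIPS 199 categorization with the high-water mark rule (Domain 2).

Added example for this article; not code from the page or from ISC2.
The sample information types below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Ordinal rank of the FIPS 199 impact levels. None stands for the
# "not applicable" value that FIPS 199 permits only for the
# confidentiality of information already designated as public.
LEVEL_RANK = {None: 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system stores, processes, or transmits."""
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str
    public: bool = False  # True only for information already released publicly

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVEL_RANK:
                raise ValueError(f"{self.name}: unknown {objective} level {level!r}")
        # Integrity and availability always carry a real impact level.
        if self.integrity is None or self.availability is None:
            raise ValueError(f"{self.name}: only confidentiality may be N/A")
        if self.confidentiality is None and not self.public:
            raise ValueError(f"{self.name}: N/A confidentiality requires public information")


def high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest impact level in the sequence, treating N/A as lower than low."""
    return max(levels, key=lambda lvl: LEVEL_RANK[lvl])


def categorize_system(info_types: Iterable[InfoType]) -> Tuple[Dict[str, Optional[str]], str]:
    """Apply FIPS 199 section 3 and FIPS 200 to a system's information types.

    Each security objective takes the highest impact level of any information
    type on the system (the high-water mark). FIPS 200 then sets the overall
    system category, which selects the SP 800-53 Low/Moderate/High baseline,
    to the highest of the three objective levels.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        objective: high_water_mark(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }
    overall = high_water_mark(per_objective.values())
    # Integrity and availability are never N/A, so overall is a real level.
    assert overall is not None
    return per_objective, overall


def fips199_notation(per_objective: Dict[str, Optional[str]]) -> str:
    """Render the categorization in the notation FIPS 199 uses for the SSP."""
    parts = ", ".join(
        f"({objective}, {(per_objective[objective] or 'N/A').upper()})"
        for objective in OBJECTIVES
    )
    return "SC = {" + parts + "}"


# Constructed sample system, not taken from any real authorization package.
SAMPLE_INFO_TYPES = (
    InfoType("press releases", None, "low", "low", public=True),
    InfoType("contractor PII", "moderate", "moderate", "low"),
    InfoType("facility access logs", "low", "moderate", "low"),
)

if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(fips199_notation(per_objective))
    print("overall category / SP 800-53 baseline:", overall.upper())
```

Note what the sample shows: one moderate-confidentiality information type is enough to pull the whole system to a Moderate baseline even though every availability rating is Low, which is exactly why Domain 3 tailoring exists. The N/A check is deliberately strict because marking non-public data as N/A is the most common way a categorization understates risk.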
Study Tips for Each Domain
To prepare effectively, align your study efforts with the core elements of each domain using these strategies:
- Dive into key NIST Special Publications, particularly SP 800-37 (RMF), SP 800-53 (Security Controls), SP 800-53A (Assessment), and SP 800-137 (Continuous Monitoring). These documents are central to the exam.
- Approach the material with a managerial perspective. The exam focuses on governance and compliance decision-making rather than just technical details.
- For professionals with security clearances, connect each domain to DoD-specific policies, such as the 8500 series and CNSS instructions. Relating your real-world experience to these domains can help pinpoint areas where you may need to deepen your understanding.
How to Prepare for the CAP Exam
Recommended Study Materials
The Official (ISC)² Guide to the CAP CBK, Second Edition by Patrick Howard is a key resource for exam preparation. It’s priced at about $52.92 for a new copy, with used versions available for as low as $6.65. While it has a solid 4.4/5-star rating on Amazon from 178 global reviews, keep in mind that it was published in 2012. This means it doesn’t include some of the newer RMF elements, like the "Preparation" step or roles such as SCA-R and SCA-V. Use it as a baseline resource, but supplement it with updated materials.
Another critical document is NIST SP 800-37 Rev 2, which outlines the RMF 2.0 process featured heavily on the exam. Pay close attention to Appendices D, E, F, and G for detailed insights. Before spending on additional materials, download ISC2’s free resources like the "Ultimate Guide to the CAP" and "Advance Your Risk Management Career Strategy" eBook. These can provide a solid starting point. Additionally, the Official ISC2 CAP Flash Cards are free and can help you test your knowledge on the go.
For practice questions, consider purchasing the book Certified Authorization Professional (CAP): Exam Questions and Annotated Answers for around $20.00. ISC2 also offers an Official CBK Training Seminar, which includes 180-day access to course content and a printable Student Guide. To connect with others preparing for the exam, join online communities like the ISC2 Community "CAP Certification Study Group" and the TechExams Community forum.
Creating Your Study Plan
Start by conducting a gap analysis across the seven CAP domains to identify where you’re strong and where you need improvement. Plan your study time based on the weight of each domain – spend more time on areas that account for a larger percentage of the exam. Scheduling your exam 6–10 weeks in advance (with a $599 fee) can help you stay focused and motivated by setting a clear deadline.
Two weeks before the test, take a full-length, three-hour mock exam with 125 questions to simulate the actual experience. This will help you build stamina and refine your pacing. Remember, your overall score determines whether you pass, so you don’t need to excel in every single domain – just aim for a strong total performance. If you don’t pass on your first try, plan for a 30-day review period before retaking the exam. Adjust your study plan accordingly to address any gaps.
Common Mistakes to Avoid
As you prepare, steer clear of these common errors: Focusing too much on technical controls while neglecting administrative, procedural, and legal aspects of the authorization process. The CAP exam evaluates your understanding of the entire risk management process, not just specific tools or programming knowledge. Always prioritize studying primary source material like NIST documentation rather than relying solely on third-party summaries.
Don’t overlook the full RMF lifecycle. While "Categorization" and "Selection" often get the most attention, "Continuous Monitoring" and "Authorization" are equally important. Be sure you understand the responsibilities of the key RMF roles, such as the Authorizing Official, the Security Control Assessor, and the System Owner, as these are central to the exam. Keep a managerial perspective that balances technical knowledge with governance and compliance, since that holistic view is what the CAP exam rewards.
Career Benefits of CAP Certification
CAP and DoD 8570 Compliance

The CAP certification, now referred to as CGRC by (ISC)², is a DoD Approved 8570 Baseline Certification that satisfies training requirements under both the DoD 8570 and the updated DoD 8140 standards. This certification is a critical requirement for many cleared professionals working in Information Assurance roles within federal agencies and defense contracting.
What sets CAP apart is its alignment with every phase of the NIST Risk Management Framework (RMF). This makes it indispensable for professionals tasked with managing risk assessment and creating security documentation throughout a system’s lifecycle. With the Department of Defense requiring all components to transition to the DoD Cyber Workforce Framework (DCWF) by fiscal year 2026, CAP certification ensures compliance with both current and legacy standards [7].
For cleared positions, certifications like CAP are often non-negotiable. Defense contracts frequently require baseline certifications, and candidates lacking these credentials can be automatically disqualified, regardless of their experience. This makes CAP not just a certification but a gateway to expanded career opportunities in the cleared community.
Job Roles for CAP-Certified Professionals
CAP-certified individuals often land roles that are both in-demand and well-compensated, with average annual salaries around $100,000 [4]. The certification qualifies professionals for Information Assurance Management (IAM) Level I and II roles, which focus on authorizing and approving RMF-related policies and procedures.
| Job Category | Specific Job Titles |
|---|---|
| Management & Oversight | Chief Information Security Officer (CISO), GRC Director, Information Assurance Manager, IT Risk Manager |
| Technical & Engineering | Information Systems Security Officer (ISSO), Information Systems Security Manager (ISSM), Cybersecurity Engineer, Authorization Specialist |
| Compliance & Audit | Cybersecurity Auditor, Cybersecurity Compliance Officer, Information Systems Auditor, Third-Party Risk Manager |
"IAM personnel are responsible for authorizing or approving RMF policy and procedure documents, so it is important they know and understand the RMF. That is why [CAP] is a valued certification." – Tyra Appleby, Systems Security Engineer [6]
Given the federal government and DoD’s reliance on RMF, CAP-certified professionals are especially sought after in regions like Washington, D.C., and Virginia [4]. During interviews, it’s beneficial to connect your professional experience to the seven domains of the CAP Common Body of Knowledge to highlight your expertise with RMF.
Finding CAP Jobs on Cleared Cyber Security Jobs

Once certified, finding roles that value CAP becomes much easier. Cleared Cyber Security Jobs is a specialized job board designed for security-cleared professionals in the cybersecurity industry. The platform offers tools like targeted job filters, resume uploads, and alerts for positions requiring CAP certification, all tailored to the cleared workforce.
As a job seeker, you can search for roles such as ISSO, ISSM, and IAM-level positions that specifically require CAP certification. The platform connects you directly with employers looking for cleared professionals, bypassing staffing firms. It also offers job fairs, giving you the chance to meet hiring managers face-to-face.
For employers, the platform provides access to a resume database and job posting packages, making it easier to find professionals with CAP credentials. Since all job seekers must have U.S. citizenship and an active security clearance, the talent pool is highly qualified, simplifying the hiring process and increasing your chances of standing out as a candidate.
Conclusion
The CAP certification – now known as CGRC under (ISC)² – continues to be a key credential for professionals in authorization and compliance roles, especially those with security clearances. Its alignment with the NIST Risk Management Framework and its recognition for DoD 8570 IAM Level I and Level II positions make it a critical qualification for federal and defense contracting jobs. Without it, your access to many cleared opportunities could be restricted.
More than just meeting baseline requirements, the CAP certification paves the way for higher-level roles like CISO, IT Risk Manager, and Information Systems Auditor. Professionals holding this credential typically earn around $100,000 annually [4]. Its vendor-neutral nature ensures your skills are applicable across both public and private sectors, providing flexibility in career paths.
The certification also connects you to a global network of over 160,000 cybersecurity professionals through (ISC)² [1], offering opportunities for ongoing learning and professional development. This is particularly valuable in regions with high demand for cybersecurity expertise, such as Washington, D.C., and Virginia.
To maximize the benefits of your certification, showcase it prominently on your resume and highlight how your experience aligns with the seven CAP domains during interviews. This not only emphasizes your understanding of the Risk Management Framework but also demonstrates your ability to apply it practically. Remember to maintain your certification by earning 60 CPE credits every three years and paying the Annual Maintenance Fee [2].
Whether you’re starting out in authorization or aiming for leadership roles, the CAP certification establishes you as a trusted expert in governance, risk, and compliance – qualities that are in high demand among cleared employers.
FAQs
Is CAP the same as CGRC?
The CAP certification has been updated and is now called Certified in Governance, Risk and Compliance (CGRC). Despite the name change, it remains the same credential, with the new title emphasizing its focus on governance, risk, and compliance practices.
Can I take the CAP/CGRC exam without 2 years of experience?
Yes. The full credential requires at least 2 years of paid work experience in one or more of the seven domains of the CAP Common Body of Knowledge (CBK), but you can sit the exam without it. If you pass, you become an Associate of (ISC)² and have three years to earn the required experience, after which you complete the endorsement process and receive the full certification. The experience requirement exists to ensure that certified professionals have hands-on exposure to the authorization process, not to bar newcomers from the exam.
What CAP/CGRC study resources should I prioritize first?
To kick off your preparation, start with the Official (ISC)² Guide to the CAP CBK, which provides a detailed breakdown of the core knowledge areas covered in the exam; keep in mind that it dates from 2012 and predates RMF 2.0, so pair it with NIST SP 800-37 Rev 2 for the current process. Alongside it, use the ISC2 CGRC/CAP exam outline, which gives a clear overview of the exam domains and their weights, helping you focus on the right topics.
Once you’ve reviewed these foundational materials, consider leveraging ISC2’s official prep tools and training courses. These resources are designed to deepen your understanding and ensure your study efforts align closely with the exam’s structure and content.
