CAP (Certified Authorization Professional) Training

Available Live In-Person or Live Online

Includes the following:

CAP Training with Exam Fee and an Exam Pass Guarantee
CAP Exam Prep Course (includes Exam Fee)

The CAP certification allows you to prove your cybersecurity expertise within the Risk Management Framework (RMF). Take your commitment to cybersecurity assessment and authorization to a new level with the CAP certification. This leading information security certification proves you're an expert at aligning information systems with the RMF.

The CAP certification covers the RMF in depth. It's the only certification under the DoD 8570 mandate that aligns with each of the RMF steps.

The CAP shows you have the knowledge, skills and abilities to authorize and maintain information systems within the RMF. Specifically, it validates that you know how to formalize processes to assess risk and establish security documentation throughout the entire lifecycle of a system.

Whether you’re in DoD cybersecurity or you protect a private company, there are a number of reasons to earn your CAP certification:

  • Credibility and marketability. Earning the CAP is a powerful way to validate your knowledge. It shows you thoroughly understand information security and risk management processes and procedures. You’ll stand out and be more competitive.

  • Better opportunities. Holding the CAP certification makes you more versatile. It can help you move up and advance your career. If you’re a contractor, it can lead to better choice in assignments.

  • Growth and learning. From exam prep to continuing education, the CAP offers many ways to expand your knowledge. You can stay up-to-date with new technologies and risks.

  • Increased compensation. While pay practices vary, many CAPs find that this certification leads to increases in salary.


To qualify for the CAP certification, you must have:

  • A minimum of two years of cumulative, paid, full-time work experience in one or more of the seven domains of the CAP Common Body of Knowledge (CBK):

    1. Risk Management Framework (RMF)

    2. Categorization of Information Systems

    3. Selection of Security Controls

    4. Security Control Implementation

    5. Security Control Assessment

    6. Information System Authorization

    7. Monitoring of Security Controls

Overview and Objectives

In this course, you will identify and reinforce the major cybersecurity subjects from the seven domains of the (ISC)2 CAP Common Body of Knowledge (CBK):

1. Risk Management Framework (RMF)

  • Describe the RMF

  • Describe and distinguish between the RMF steps

  • Identify roles and define responsibilities

  • Understand and describe how the RMF process relates to the organizational structure

  • Understand the relationship between the RMF and System Development Life Cycle (SDLC)

  • Understand legal, regulatory and other security requirements

2. Monitoring of Security Controls

  • Determine security impact of changes to system and environment

  • Perform ongoing security control assessments (e.g., continuous monitoring, internal and external assessments)

  • Conduct ongoing remediation actions (resulting from incidents, vulnerability scans, audits, vendor updates, etc.)

  • Update key documentation (e.g., SP, SAR, POAM)

  • Perform periodic security status reporting

  • Perform ongoing risk determination and acceptance

  • Decommission and remove system

3. Information System Authorization

  • Develop plan of action and milestones (POAM) (e.g., resources, schedule, requirements)

  • Assemble security authorization package

  • Determine risk

  • Determine the acceptability of risk

  • Obtain security authorization decision

4. Security Control Assessment

  • Prepare for security control assessment

  • Develop security control assessment plan

  • Assess security control effectiveness

  • Develop initial security assessment report (SAR)

  • Review interim SAR and perform initial remediation actions

  • Develop final SAR and optional addendum

5. Security Control Implementation

  • Implement selected security controls

  • Document security control implementation

6. Selection of Security Controls

  • Identify and document (inheritable) controls

  • Select, tailor and document security controls

  • Develop security control monitoring strategy

  • Review and approve security plan

7. Categorization of Information Systems

  • Categorize the system

  • Describe the information system (including the security authorization boundaries)

  • Register the system


Lesson 1: Security Authorization of Information Systems

  • Introduction

  • Key Elements of an Enterprise System Authorization Program

  • NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems

  • Fundamentals of Information System Risk Management According to the NIST SP 800-37, Revision 1

  • System Authorization Roles and Responsibilities

  • The System Authorization Life Cycle

  • Why System Authorization Programs Fail

  • System Authorization Project Planning

  • The System Inventory Process

  • Interconnected Systems

Lesson 2: Information System Categorization

  • Introduction

  • Defining Sensitivity

  • Data Sensitivity and Systems Sensitivity

  • Sensitivity Assessment Process

  • Data Classification Approaches

  • Responsibility for Data Sensitivity Assessment

  • Ranking Data Sensitivity

  • National Security Information

  • Criticality

  • Criticality Assessment

  • Criticality in the View of the System Owner

  • Ranking Criticality

  • Changes in Criticality and Sensitivity

  • NIST Guidance on System Categorization

Lesson 3: Establishment of the Security Control Baseline

  • Introduction

  • Minimum Security Baselines and Best Practices

  • Assessing Risk

  • System Security Plans

  • NIST Guidance on Security Controls Selection

Lesson 4: Application of Security Controls

  • Introduction

  • Security Procedures

  • Remediation Planning

  • NIST Guidance on Implementation of Security Controls

Lesson 5: Assessment of Security Controls

  • Introduction

  • Scope of Testing

  • Level of Effort

  • Assessor Independence

  • Developing the Test Plan

  • The Role of the Host

  • Test Execution

  • Documenting Test Results

  • NIST Guidance on Assessment of Security Control Effectiveness

Lesson 6: Information System Authorization

  • Introduction

  • System Authorization Decision Making

  • Essential System Authorization Documentation

  • NIST Guidance on Authorization of Information Systems

Lesson 7: Security Control Monitoring

  • Introduction

  • Continuous Monitoring

  • NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System

Lesson 8: System Authorization Case Study

  • Situation

  • Action plan

  • Lesson Learned

  • Tools

  • Document Templates

  • Coordination

  • Role of the Inspector General

  • Compliance Monitoring

  • Measuring Success

  • Project Milestones

  • Interim Accreditation

  • Management Support and Focus

  • Results and Future Challenges

Lesson 9: The Future of Information System Authorization


CAP Exam Domain Weighting


  • The CAP Exam has a maximum of 125 multiple choice questions.

  • Passing grade is 700 out of 1000 points.

  • You have 3 hours to complete the exam.

  • We will register for the exam in the course.




4 days

Continuing Education Credits



CAP training located in O'Fallon, Illinois, close to Scott Air Force Base and St. Louis

Our CAP course is offered less than 15 minutes from downtown St. Louis at our O'Fallon, Illinois training facility, located at:

7 Eagle Center, O'Fallon, IL 62269

We also offer private onsite courses at your location. We love to travel and will gladly send a trainer to your location. Please Contact Us for more information.



Live, instructor-led training with a dynamic CAP-certified trainer who is a working cybersecurity professional. Trainers have real-world experience with the material covered in the CAP course.


This course is delivered in a "hybrid" format, where we have both In-Person and Live Online attendees. This provides a fun, interactive environment where In-Person and Live Online students can easily interact both with each other and the instructor. When you register for the course, you can choose which delivery option works best for you:

  • Live In-Person

  • Live Online


  • January 28-31 (M-Th), 8:30am - 4:30pm, 2019

  • April 22-25 (M-Th), 8:30am - 4:30pm, 2019

