CAP Training near St. Louis and Scott Air Force Base

CAP (Certified Authorization Professional) Training

Available Live In-Person or Live Online

Includes the following:

  • Exam Pass Guarantee

  • Expert training by working cybersecurity professionals

  • Exam Fee Included

  • Lunch, snacks, beverages, and networking opportunities

  • Digital and Print materials

  • Outstanding Reviews

CAP Training with Exam Fee and an Exam Pass Guarantee

The Certified Authorization Professional (CAP) certification allows you to prove your cybersecurity expertise within the Risk Management Framework (RMF). Take your commitment to cybersecurity assessment and authorization to a new level with the CAP certification. This leading information security certification proves you’re an expert in aligning information systems with the Risk Management Framework (RMF).

The CAP certification training covers the RMF in depth. It's the only certification under the DoD 8570 mandate that aligns to each of the RMF steps.

The CAP shows you have the knowledge, skills and abilities to authorize and maintain information systems within the RMF. Specifically, it validates that you know how to formalize processes to assess risk and establish security documentation throughout the entire lifecycle of a system.

Whether you’re in DoD cybersecurity or you protect a private company, there are a number of reasons to earn your CAP certification:

  • Credibility and marketability. Earning the CAP is a powerful way to validate your knowledge. It shows you thoroughly understand information security and risk management processes and procedures. You’ll stand out and be more competitive.

  • Better opportunities. Holding the CAP certification makes you more versatile. It can help you move up and advance your career. If you’re a contractor, it can lead to better choice in assignments.

  • Growth and learning. From exam prep to continuing education, the CAP offers many ways to expand your knowledge. You can stay up-to-date with new technologies and risks.

  • Increased compensation. While pay practices vary, many CAPs find that this certification leads to increases in salary.


To qualify for the CAP certification, you must have:

  • A minimum of two years cumulative, paid, full-time work experience in one or more of the seven domains of the CAP Common Body of Knowledge (CBK):

    1. Information Security Risk Management

    2. Categorization of Information Systems (IS)

    3. Selection of Security Controls

    4. Implementation of Security Controls

    5. Assessment of Security Controls

    6. Authorize Information Systems (IS)

    7. Continuous Monitoring

Overview and Objectives

RMF Overview

In this course, you will identify and reinforce the major cybersecurity subjects from the seven domains of the (ISC)2 CAP Common Body of Knowledge (CBK):

1. Information Security Risk Management

  • Understand the Foundation of an Organization-Wide Information Security Risk Management Program

    • Principles of information security

    • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

    • RMF and System Development Life Cycle (SDLC) integration

    • Information System (IS) boundary requirements

    • Approaches to security control allocation

    • Roles and responsibilities in the authorization process

  • Understand Risk Management Program Processes

    • Enterprise program management controls

    • Privacy requirements

    • Third-party hosted Information Systems (IS)

  • Understand Regulatory and Legal Requirements

    • Federal information security requirements

    • Relevant privacy legislation

    • Other applicable security-related mandates

2. Categorization of Information Systems (IS)

  • Define the Information System (IS)

    • Identify the boundary of the Information System (IS)

    • Describe the architecture

    • Describe Information System (IS) purpose and functionality

  • Determine Categorization of the Information System (IS)

    • Identify the information types processed, stored, or transmitted by the Information System (IS)

    • Determine the impact level on confidentiality, integrity, and availability for each information type

    • Determine Information System (IS) categorization and document results

3. Selection of Security Controls

  • Identify and Document Baseline and Inherited Controls

  • Select and Tailor Security Controls

    • Determine applicability of recommended baseline

    • Determine appropriate use of overlays

    • Document applicability of security controls

  • Develop Security Control Monitoring Strategy

  • Review and Approve Security Plan (SP)
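
The categorization step in domain 2 and the baseline determination in domain 3 above follow a fixed rule once the per-type impact levels are known, so here is a small worked example, added for this page and not part of the course or (ISC)2 materials: it applies the FIPS 199 high-water mark across a constructed set of information types, renders the security category in FIPS 199 notation, and derives the SP 800-53 baseline from the overall impact as FIPS 200 directs. The information types, their impact levels and the system name are constructed assumptions; in practice the provisional levels come from NIST SP 800-60 Volume II and are adjusted and documented by the system owner.

```python
# Added example (not course or (ISC)2 material): FIPS 199 security
# categorization by high-water mark, plus the FIPS 200 baseline selection
# that follows from it. Information types and impact levels below are
# constructed for illustration; real values come from NIST SP 800-60 Vol. II
# and the system owner's documented adjustments.
from dataclasses import dataclass
from typing import Iterable

# FIPS 199 impact levels, lowest to highest. "n/a" is permitted only for the
# confidentiality objective (public information has no confidentiality impact).
IMPACT_ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed, stored or transmitted by the system."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validate(info_type: InfoType) -> None:
    """Reject unknown levels and 'n/a' anywhere other than confidentiality."""
    for objective in OBJECTIVES:
        level = getattr(info_type, objective)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{info_type.name}: unknown {objective} impact {level!r}")
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: {objective} impact cannot be n/a")


def _high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the collection."""
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize(info_types: list[InfoType]) -> dict[str, str]:
    """Return the system security category.

    Per objective, the system impact is the highest impact assigned to that
    objective by any information type (the FIPS 199 high-water mark). The
    overall impact is the highest of the three objective levels.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info_type in info_types:
        _validate(info_type)
    category = {
        objective: _high_water_mark(getattr(it, objective) for it in info_types)
        for objective in OBJECTIVES
    }
    category["overall"] = _high_water_mark(category[o] for o in OBJECTIVES)
    return category


def select_baseline(category: dict[str, str]) -> str:
    """FIPS 200: the SP 800-53 baseline (LOW/MODERATE/HIGH) is chosen by the
    overall impact level; tailoring and overlays are applied afterwards."""
    return category["overall"].upper()


def format_security_category(system_name: str, category: dict[str, str]) -> str:
    """Render the FIPS 199 notation recorded in the security plan."""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample inventory for a hypothetical HR portal (assumption).
SAMPLE_INFO_TYPES = [
    InfoType("Public benefits information", "n/a", "moderate", "low"),
    InfoType("Payroll records", "moderate", "moderate", "low"),
    InfoType("Employee identity records", "moderate", "moderate", "moderate"),
]

if __name__ == "__main__":
    cat = categorize(SAMPLE_INFO_TYPES)
    print(format_security_category("HR portal", cat))
    print("Overall impact:", cat["overall"], "-> SP 800-53 baseline:", select_baseline(cat))
```

Note that a single high-impact information type drives the whole system to the HIGH baseline, which is why boundary definition (domain 2) matters: moving that type to a separately authorized system is often cheaper than carrying the high baseline everywhere.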

4. Implementation of Security Controls

  • Implement Selected Security Controls

    • Confirm that security controls are consistent with enterprise architecture

    • Coordinate inherited controls implementation with common control providers

    • Determine mandatory configuration settings and verify implementation (e.g., United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks)

    • Determine compensating security controls

  • Document Security Control Implementation

    • Capture planned inputs, expected behavior, and expected outputs of security controls

    • Verify documented details are in line with the purpose, scope, and impact of the Information System (IS)

    • Obtain implementation information from appropriate organization entities (e.g., physical security, personnel security)

5. Assessment of Security Controls

  • Prepare for Security Control Assessment (SCA)

    • Determine Security Control Assessor (SCA) requirements

    • Establish objectives and scope

    • Determine methods and level of effort

    • Determine necessary resources and logistics

    • Collect and review artifacts (e.g., previous assessments, system documentation, policies)

    • Finalize Security Control Assessment (SCA) plan

  • Conduct Security Control Assessment (SCA)

    • Assess security control using standard assessment methods

    • Collect and inventory assessment evidence

  • Prepare Initial Security Assessment Report (SAR)

    • Analyze assessment results and identify weaknesses

    • Propose remediation actions

  • Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions

    • Determine initial risk responses

    • Apply initial remediations

    • Reassess and validate the remediated controls

  • Develop Final Security Assessment Report (SAR) and Optional Addendum

6. Authorization of Information Systems (IS)

  • Develop Plan of Action and Milestones (POAM)

    • Analyze identified weaknesses or deficiencies

    • Prioritize responses based on risk level

    • Formulate remediation plans

    • Identify resources required to remediate deficiencies

    • Develop schedule for remediation activities

  • Assemble Security Authorization Package

    • Compile required security documentation for Authorizing Official (AO)

  • Determine Information System (IS) Risk

    • Evaluate Information System (IS) risk

    • Determine risk response options (i.e., accept, avoid, transfer, mitigate, share)

  • Make Security Authorization Decision

    • Determine terms of authorization

7. Continuous Monitoring

  • Determine Security Impact of Changes to Information Systems (IS) and Environment

    • Understand configuration management processes

    • Analyze risk due to proposed changes

    • Validate that changes have been correctly implemented

  • Perform Ongoing Security Control Assessments (SCA)

    • Determine specific monitoring tasks and frequency based on the agency’s strategy

    • Perform security control assessments based on monitoring strategy

    • Evaluate security status of common and hybrid controls and interconnections

  • Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)

    • Assess risk(s)

    • Formulate remediation plan(s)

    • Conduct remediation tasks

  • Update Documentation

    • Determine which documents require updates based on results of the continuous monitoring process

  • Perform Periodic Security Status Reporting

    • Determine reporting requirements

  • Perform Ongoing Information System (IS) Risk Acceptance

    • Determine ongoing Information System (IS)

  • Decommission Information System (IS)

    • Determine Information System (IS) decommissioning requirements

    • Communicate decommissioning of Information System (IS)

CAP Exam Details


  • The CAP Exam has a maximum of 125 multiple-choice questions.

  • Passing grade is 700 out of 1000 points.

  • You have 3 hours to complete the exam.

  • We will register for the exam in the course.



Course Length: 4 days

Continuing Education Credits: 28 hours


CAP training located in O'Fallon, Illinois, close to Scott Air Force Base and St. Louis


Our CAP training is offered less than 15 minutes from downtown St. Louis, near Scott Air Force Base, at our O'Fallon, Illinois training facility, located at:

7 Eagle Center, Suite B-5
O'Fallon, IL 62269

We also offer private onsite courses at your location. We love to travel and will gladly send a trainer to your site. Please Contact Us for more information.



Live, Instructor-Led Training with a dynamic CAP-certified trainer who is a working cybersecurity professional. Trainers have real-world experience with the material covered in the CAP course.


This course is delivered in a "hybrid" format, where we have both In-Person and Live Online attendees. This provides a fun, interactive environment where In-Person and Live Online students can easily interact both with each other and the instructor. When you register for the course, you can choose which delivery option works best for you:

  • Live In-Person

  • Live Online


  • December 9-12 (M-Th), 8:30am - 4:30pm, 2019

