MMSTECH148: Certified Authorization Professional (CAP)

Federal Risk Management Framework (RMF) Implementation R4.0  focuses on the Risk Management Framework prescribed by NIST Standards.

This course covers all objectives for the ISC2 Certified Authorization Professional (CAP) certification exam and can also be used to prepare students to take the exam. CAP exam topics are called out on the title page of each chapter.

Chapter 1: Introduction

Key concepts including assurance, assessment, authorization
Reasons for change to the Risk Management Framework (RMF)
Key characteristics of security
Security controls

Chapter 2: Cybersecurity Policy Regulations and Framework

Evolution and interaction of security laws, policy, and regulations in cybersecurity
Accessing the correct documents for cyber security guidance
Assessment and Authorization transformation goals

Chapter 3: RMF Roles and Responsibilities

Tasks and responsibilities for RMF roles

Chapter 4: Risk Analysis Process

Four-step risk management process
Impact level
Level of risk
Effective risk management options

Chapter 5: Step 1: Categorize

Key documents in RMF process
Security Categorization
Information System Description
Information System Registration
Lab 1: Categorize a fictitious DoD agency information system

Chapter 6: Step 2: Select

Common Control Identification
Security Control Selection
Tailor security controls
Monitoring Strategy
Security Plan Approval
Lab 2: Select security controls for a fictitious DoD agency information system

Chapter 7: Step 3: Implement

Security Control Implementation
Security Control Documentation
Lab 3: Discuss and review decisions related to implementation of security controls

Chapter 8: Step 4: Assess

Assessment Preparation
Security Control Assessment
Security Assessment Report
Remediation Actions
Lab 4: Consult NIST SP 800-53A to determine appropriate assessment techniques for a fictitious DoD agency.

Chapter 9: Step 5: Authorize

Plan of Action and Milestones
Security Authorization Package
Risk Determination
Risk Acceptance
Lab 5: Practice compiling the documents that make up the Security Authorization Package

Chapter 10: Step 6: Monitor

Information System and Environment Changes
Patches
Ongoing Security Control Assessments
Ongoing Remediation Actions
Key Updates
Security Status Reporting
Ongoing Risk Determination and Acceptance
Information System Removal and Decommissioning
Lab 6: Identify vulnerabilities and deficiencies in the information system of a fictitious DoD agency and propose steps to remediate them.