Aquila Business Services, LLC
Knowledge Is Power - Information Is Business

Certified Authorization Professional (CAP)

The Certified Authorization Professional (CAP) must have experience, knowledge and skill in the following areas:
Systems authorization processes
Information risk management processes
Systems development experience
Security control testing and continuous monitoring
IT security/information assurance
Information security policy
Technical and/or auditing experience within U.S. Federal government agencies (e.g., the U.S. Department of Defense), financial institutions, healthcare providers, and auditing and/or consulting organizations.
Strong familiarity with NIST and OMB publications.

A candidate must understand and be able to apply knowledge in each domain, which includes synthesizing material from many sources. The CAP domains are:
Understanding the Security Authorization of Information Systems
Categorize Information Systems
Establish the Security Control Baseline
Apply Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls

Understand the Security Authorization of Information Systems
Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and countermeasures and determines residual risks. The residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risk. The system may be deployed only when the residual risks are acceptable to the enterprise.
Key Areas of Knowledge

Understand the Risk Management Approach to Security Authorization
Distinguish between applying risk management principles and satisfying compliance requirements
Identify and maintain information systems inventory
Understand the criticality of securing information
Understand organizational operations

Understand and Distinguish among the Risk Management Framework (RMF) Steps
Categorize information system
Select security controls
Implement security controls
Assess security controls
Authorize information system
Monitor security controls

Define and Understand Roles and Responsibilities
Head of agency (Chief Executive Officer)
Risk executive (Function)
Chief information officer
Information system security officer
Security control assessor
Other defined roles

Understand How the Security Authorization Process Relates to
Organization-wide risk management
System Development Life Cycle (SDLC)
Information system boundaries
Authorization decisions

Understand the Relationship between the RMF and SDLC

Understand Legal, Regulatory, and Other Requirements for Security Authorization
Federal information security and privacy legislation
Office of Management and Budget (OMB)
Committee on National Security Systems (CNSS)
Federal Information Processing Standards (FIPS)
National Institute of Standards and Technology (NIST) Special Publications (SP)

Understand Common Controls and Security Control Inheritance

Understand Ongoing Monitoring Strategies

Categorize Information Systems
Categorization of the information system is based on an impact analysis. It is performed to determine the types of information included within the security authorization boundary, the security requirements for the information types, and the potential impact on the organization resulting from a security compromise. The result of the categorization is used as the basis for developing the security plan, selecting security controls, and determining the risk inherent in operating the system.
Key Areas of Knowledge
Categorize the System
Describe the Information System, Including the Security Authorization Boundaries
Register the System

Establish the Security Control Baseline
The security control baseline is established by determining the specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan.
Key Areas of Knowledge
Identify and Document Common (Inheritable) Controls
Select and Document Security Controls
Develop Security Control Monitoring Strategy
Review and Approve Security Plan
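The two steps above (categorize the system, then derive the control baseline from that categorization) are usually done by hand in the security plan. The following is an added worked example, not code from Aquila Business Services, (ISC)2 or NIST: it applies the FIPS 199 high-water-mark rule to a set of information types inside an authorization boundary and names the resulting SP 800-53 baseline (Low, Moderate or High per FIPS 200). The information types, their names and their impact levels are constructed sample data for a hypothetical benefits portal; the "NA" confidentiality value is assumed to follow the FIPS 199 allowance for information intended for public release.

```python
"""FIPS 199 security categorization and baseline selection (added illustration).

Assumptions (not stated on the page): each security objective of the system
takes the highest impact level assigned to it by any information type in the
boundary (FIPS 199 high-water mark); the overall system impact level is the
highest of the three objectives and selects the Low/Moderate/High baseline
(FIPS 200 / SP 800-53). Sample information types below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Impact levels ranked so max() implements the high-water mark.
# "NA" is meaningful only for the confidentiality of public information.
LEVELS: Dict[str, int] = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES: Dict[int, str] = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type in the authorization boundary with provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validate(info: InfoType) -> None:
    """Reject unknown impact levels and NA on any objective other than confidentiality."""
    for objective in OBJECTIVES:
        level = getattr(info, objective)
        if level not in LEVELS:
            raise ValueError(f"{info.name}: unknown impact level {level!r} for {objective}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{info.name}: NA is permitted only for confidentiality")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective system impact level: the highest level any information type carries."""
    types = list(info_types)
    if not types:
        raise ValueError("an authorization boundary must contain at least one information type")
    for info in types:
        validate(info)
    return {
        objective: NAMES[max(LEVELS[getattr(info, objective)] for info in types)]
        for objective in OBJECTIVES
    }


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level: the highest of the three objectives."""
    return NAMES[max(LEVELS[level] for level in category.values())]


def select_baseline(info_types: Iterable[InfoType]) -> str:
    """Name the SP 800-53 baseline (LOW, MODERATE or HIGH) that the categorization drives."""
    return overall_impact(categorize_system(info_types))


def fips199_notation(category: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 'SC = {...}' form used in security plans."""
    pairs = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC system = {{{pairs}}}"


# Constructed sample information types for a hypothetical benefits portal (not real data).
SAMPLE_TYPES = [
    InfoType("public_web_content", "NA", "MODERATE", "LOW"),
    InfoType("benefit_applications", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment_processing", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES)
    print(fips199_notation(category))
    print("overall impact:", overall_impact(category), "-> baseline:", select_baseline(SAMPLE_TYPES))
```

Note how a single HIGH integrity rating on payment processing lifts the whole system to the High baseline even though most of its information is public or moderate; that is exactly why the boundary decision and the per-type impact analysis deserve as much scrutiny as the control selection that follows.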

Apply Security Controls
The security controls specified in the security plan are implemented, taking into account the minimum organizational assurance requirements. The security plan describes how the controls are employed within the information system and its operational environment. The security assessment plan documents the methods for testing these controls and the expected results throughout the system life cycle.
Key Areas of Knowledge
Implement Selected Security Controls
Document Security Control Implementation

Assess Security Controls
The security control assessment follows the approved plan, including defined procedures, to determine the effectiveness of the controls in meeting the security requirements of the information system. The results are documented in the security assessment report.
Key Areas of Knowledge
Prepare for Security Control Assessment
Establish Security Control Assessment Plan
Determine Security Control Effectiveness
Develop Initial Security Assessment Report
Perform Initial Remediation Actions
Develop Final Security Assessment Report and Addendum

Authorize Information System
The residual risks identified during the security control assessment are evaluated and the decision is made to authorize the system to operate, deny its operation, or remediate the deficiencies. Associated documentation is prepared and/or updated depending on the authorization decision.
Key Areas of Knowledge
Develop Plan of Action and Milestones (POA&M)
Assemble Security Authorization Package
Determine Risk
Determine the Acceptability of Risk
Obtain Security Authorization Decision

Monitor Security Controls
After an Authorization to Operate (ATO) is granted, continuous monitoring is performed on all identified security controls as well as the political, legal, and physical environment in which the system operates. Changes to the system or its operational environment are documented and analyzed. The security state of the system is reported to designated officials. Significant changes cause the system to reenter the security authorization process. Otherwise, the system continues to be monitored on an ongoing basis in accordance with the organization's monitoring strategy.
Key Areas of Knowledge
Determine Security Impact of Changes to System and Environment
Perform Ongoing Security Control Assessments
Conduct Ongoing Remediation Actions
Update Key Documentation
Perform Periodic Security Status Reporting
Perform Ongoing Risk Determination and Acceptance
Decommission and Remove System

Professional Certifications:
CompTIA - Security+
EC-Council - Certified Ethical Hacker (CEH)
(ISC)2 - Certified Information Systems Security Professional (CISSP)
(ISC)2 - Certified Authorization Professional (CAP)

Volunteer and Community Involvement:
OWASP Denver Chapter Board Member - Outreach and Education.
(ISC)2 Safe and Secure Online Volunteers

Contact Information:
Phone: 720-253-3854
VoIP/IP-Telephony/Video Conference: sip:aquilabusiness@ekiga.net
Email: Aquila Business Services, LLC
Office Address: 11292 E. Virginia Place, Aurora, CO 80012

Aquila In the News...

15Dec11
New Summary Briefing for NIST NICE Workforce Framework Publication.
Press Release: Online Here

28Nov11
Aquila releases IT Security Federal Guidance and Compliance Briefings.
Press Release: Online Here

27Nov11
Aquila provides Internet Safety Presentations for your organization.
Press Release: Online Here

26Nov11
James Synovec - CIO, is speaking at the CISO Executive Summit 2011 in Las Vegas Dec 5-6.
Press Release: Online Here