The Certified Authorization Professional (CAP) is a certification that indicates a professional level of knowledge and skill on the subject of federal information system authorization (formerly certification & accreditation). In the US federal government, "Authorization" to operate a federally owned information system is a formal acceptance of risk by an Authorization Officer (AO). An AO is a high-ranking official granted the authority to make major risk-related decisions for an entire branch or unit within a federal organization. The AO accepts or rejects the risks that information systems pose to his or her organization based on the recommendations of a security control assessor's audit and the accompanying Security Authorization Package.
The CAP is based almost entirely on federal information security and protection laws, National Institute of Standards & Technology (NIST) guidance, and Office of Management & Budget (OMB) regulations.
The CAP exam focuses on seven domains:
1. Understanding the Security Authorization of Information Systems
2. Categorize Information Systems
3. Establish the Security Control Baseline
4. Apply Security Controls
5. Assess Security Controls
6. Authorize Information System
7. Monitor Security Controls