How to Find CAP Top Certifications for DoD, RMF, and Cybersecurity
Procurement Report: Certified Authorization Professional (CAP) Training and Certification Services
Product Category: Professional Cybersecurity Certification & Training Services
Subject: CAP (Certified Authorization Professional) by (ISC)²
Date: October 26, 2023
1. Technical Specifications and Performance Metrics
The "product" in this context is the CAP certification program, which serves as a comprehensive validation of expertise in the Risk Management Framework (RMF). Unlike physical hardware, its performance metrics are defined by knowledge retention, exam pass rates, and the scope of competency validation.
- Knowledge Domain Coverage: The curriculum covers the full RMF lifecycle, step by step: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
- Exam Structure: The CAP exam typically consists of 150 questions administered over a 3-hour duration. It utilizes a multiple-choice format with a passing score generally set at 700 on a scale of 100–900.
- Recertification Cycle: The certification requires a 3-year (36-month) recertification cycle.
- Continuing Professional Education (CPE): To maintain active status, professionals must earn a minimum of 60 CPE credits within each 3-year cycle.
- Performance Benchmark: The certification is designed to validate "advanced technical skills," distinguishing it from entry-level certifications.
Procurement Recommendation: When budgeting for training, allocate resources for 120–150 hours of study time per candidate to ensure readiness for the exam. Procurement teams should prioritize vendors offering practice exams that simulate the 3-hour time constraint and the 150-question volume to accurately gauge candidate readiness.
2. Industry Compliance and Quality Assurance
The CAP certification is distinguished by its rigorous alignment with federal mandates and international standards, making it a critical asset for government and defense contracting.
- DoD 8570/8140 Mandate: CAP is the only certification under the DoD 8570 mandate that aligns with each step of the RMF. It is explicitly approved as a DoD Baseline Certification for Information Assurance (IA) and Cybersecurity roles.
- International Standardization: The certification program is in compliance with ANSI/ISO/IEC Standard 17024, which sets general requirements for bodies operating personnel certification. This ensures the exam process is fair, valid, and reliable.
- Authority: The certification is established by (ISC)², a globally recognized cybersecurity expert organization, ensuring the content reflects current best practices and policies.
- Risk Management Alignment: Unlike generic security certs, CAP specifically targets the "Authorization" and "Risk Management" workflows required by federal agencies.
Procurement Recommendation: For organizations holding DoD contracts or working with federal agencies, procurement of CAP training is not optional but mandatory for personnel in specific IA roles. Verify that the training provider explicitly states alignment with DoD 8140/8570 and ANSI/ISO/IEC 17024 in their course materials to ensure compliance audit readiness.
3. Cost Efficiency and Integration Capabilities
While specific pricing for the exam and training varies by region and provider, the cost structure is standardized around the certification lifecycle.
- Exam Fee: The standard examination fee is typically $749 USD (subject to change by (ISC)²).
- Annual Maintenance Fee (AMF): Once certified, an annual maintenance fee is required, typically ranging from $125 to $150 USD per year.
- Training Costs: B2B training packages (recommended courses) typically range from $2,000 to $4,000 USD per participant, depending on the depth of the curriculum (self-paced vs. instructor-led).
- Recertification Cost: The cost to recertify involves the 60 CPE credits (often earned through free webinars or paid courses) and the AMF.
Integration Capabilities: The CAP certification integrates seamlessly with existing HR and compliance management systems used in government contracting. It serves as a direct proxy for meeting DoD 8140 workforce qualification requirements, reducing the administrative burden of manual skill verification.
Procurement Recommendation: Calculate the Total Cost of Ownership (TCO) over a 3-year period. Factor in the initial exam fee ($749), the 3-year AMF ($375–$450), and the training cost. For large teams, negotiate volume discounts with training providers. Prioritize training that includes CPE credit tracking to streamline the recertification process.
4. Typical Use Cases
The CAP certification is highly specialized for roles involving the authorization and maintenance of information systems within a risk management framework.
- Government Contracting: Essential for contractors supporting the Department of Defense (DoD) and other federal agencies requiring RMF compliance.
- System Authorization Officers: Professionals responsible for signing the Authority to Operate (ATO) for federal information systems.
- Risk Management Specialists: Individuals tasked with implementing and monitoring security controls across the system lifecycle.
- Compliance Auditors: Staff verifying that an organization's security posture meets the stringent requirements of DoD 8570.
Procurement Recommendation: Target procurement of CAP training specifically at employees serving as System Owners, Authorizing Officials (AOs), and Risk Management Officers. Do not allocate this budget to general IT support staff; the ROI is highest for personnel directly responsible for the RMF lifecycle.
5. Long-Term Planning Considerations
The cybersecurity landscape is shifting from static compliance to continuous monitoring, a trend directly addressed by the CAP curriculum.
- Market Demand: There is a sustained high demand for RMF expertise due to increasing federal cybersecurity mandates. The CAP certification remains the only credential aligned with every RMF step, creating a "moat" for holders in the government sector.
- Regulatory Evolution: As DoD transitions from 8570 to 8140, the requirement for advanced technical skills and risk management knowledge is expected to grow, not shrink.
- Recertification Trends: The requirement for 60 CPE credits every 3 years ensures that certified professionals stay current with evolving threats and policies. Procurement plans must include a budget for continuous education.
- Talent Retention: Offering CAP certification as a benefit significantly aids in retaining specialized government contractors who require this specific credential to maintain their employment eligibility.
Procurement Recommendation: Develop a 3-year workforce development plan that aligns with the recertification cycle. Budget for CPE activities in Year 2 and Year 3 to avoid lapses in certification. Monitor DoD 8140 updates to ensure training providers are updating their curricula to reflect the latest workforce qualification directives.
6. Special Product Recommendations
The following table compares the CAP certification against related credentials to assist in selecting the right training path for specific buyer needs.
| Product Type | Best-Fit Buyer | Key Specs | Risk Check | Procurement Advice |
| :--- | :--- | :--- | :--- | :--- |
| CAP (Certified Authorization Professional) | DoD Contractors, System Owners, AOs | DoD 8570/8140 Aligned, ANSI/ISO 17024, 3-Year Cycle | High dependency on specific RMF knowledge | Mandatory for federal ATO roles; prioritize (ISC)² approved providers. |
| CISSP (Certified Information Systems Security Professional) | General Security Managers, CISOs | Broad security knowledge, 5 years exp req. | Less specific to DoD RMF steps | Good for general management, but not a substitute for CAP in DoD RMF roles. |
| CISA (Certified Information Systems Auditor) | Internal Auditors, Compliance Officers | Audit focus, ISACA standard | Does not cover RMF implementation | Use for audit teams; pair with CAP for implementation teams. |
| Generic "Risk Management" Courses | Entry-level Analysts | Variable content, often non-certified | High risk of non-compliance with DoD 8570 | Avoid for DoD roles; verify ANSI/ISO 17024 compliance before purchase. |
Procurement Recommendation: For any role requiring an Authority to Operate (ATO), procurement must be restricted to the CAP certification. Do not substitute with generic risk management courses unless they explicitly state alignment with DoD 8570 and ANSI/ISO/IEC 17024.
7. Frequently Asked Questions (FAQ)
Q1: Is the CAP certification valid for all DoD roles?
A: No. It is specifically required for roles involving the Risk Management Framework (RMF) and is the only certification under DoD 8570 that aligns with each RMF step. It is not a blanket replacement for all cybersecurity roles, which may require other certifications like CISSP or Security+.
Q2: How often must the CAP certification be renewed?
A: The certification must be recertified every 3 years. This requires earning a minimum of 60 Continuing Professional Education (CPE) credits and paying the annual maintenance fee.
Q3: Does the CAP certification meet DoD 8140 requirements?
A: Yes, the CAP certification is a DoD Approved 8570 Baseline Certification and meets the training requirements for DoD 8140. It is recognized for validating advanced technical skills in information system authorization.
Q4: What is the cost of the CAP exam?
A: The standard exam fee is approximately $749 USD. Additional costs apply for training courses and the annual maintenance fee (typically $125–$150/year).
Q5: Is the CAP certification recognized internationally?
A: Yes, because it is in compliance with ANSI/ISO/IEC Standard 17024, the certification meets international standards for personnel certification, ensuring global recognition of the competency level.
Q6: Can I earn CPE credits through self-study?
A: Yes, but the credits must be relevant to the RMF and cybersecurity domains. The 60 credits required for recertification can be earned through various activities including training, webinars, and professional work experience, provided they are documented correctly.
Q7: What is the difference between CAP and other risk management certifications?
A: CAP is unique because it is the only certification under the DoD mandate that aligns with every single step of the RMF. Other certifications may cover risk broadly but do not specifically target the authorization and maintenance workflow required by federal agencies.
Q8: How long does the certification process take?
A: The time varies by individual preparation, but candidates typically require 120–150 hours of study. The exam itself is 3 hours. Once passed, the certification is valid for 3 years before recertification is required.