2nd Edition

Official (ISC)2® Guide to the CAP® CBK®

ISBN 9781439820759
Published July 18, 2012 by Auerbach Publications
462 Pages 9 B/W Illustrations



Book Description

Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

  • Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
  • Explains how to combine disparate processes into a unified risk management methodology
  • Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
  • Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
  • Reviews the tasks involved in certifying and accrediting U.S. government information systems

Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.

Table of Contents

Security Authorization of Information Systems
     Legal and Regulatory Framework for System Authorization
     External Program Drivers
     System-Level Security
     Defining System Authorization
     Resistance to System Authorization
     Benefits of System Authorization
Key Elements of an Enterprise System Authorization Program
     The Business Case
     Goal Setting
     Tasks and Milestones
     Program Oversight
     Program Guidance
     Special Issues
     Program Integration
     System Authorization Points of Contact
     Measuring Progress
     Managing Program Activities
     Monitoring Compliance
     Providing Advice and Assistance
     Responding to Changes
     Program Awareness, Training, and Education
     Using Expert Systems
     Waivers and Exceptions
NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
     Authority and Scope
     Purpose and Applicability
     Target Audience
Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
     Guidance on Organization-Wide Risk Management
     Organization Level (Tier 1)
     Mission/Business Process Level (Tier 2)
     Information System Level (Tier 3)
     Guidance on Risk Management in the System Development Life Cycle
     NIST’s Risk Management Framework
     Guidance on System Boundary Definition
     Guidance on Software Application Boundaries
     Guidance on Complex Systems
     Guidance on the Impact of Technological Changes on System Boundaries
     Guidance on Dynamic Subsystems
     Guidance on External Subsystems
     Guidance on Security Control Allocation
     Guidance on Applying the Risk Management Framework
     Summary of NIST Guidance
System Authorization Roles and Responsibilities
     Primary Roles and Responsibilities
     Other Roles and Responsibilities
     Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
     Documenting Roles and Responsibilities
     Job Descriptions
     Position Sensitivity Designations
     Personnel Transition
     Time Requirements
     Expertise Requirements
     Using Contractors
     Routine Duties
     Organizational Skills
     Organizational Placement of the System Authorization Function
The System Authorization Life Cycle
     Initiation Phase
     Acquisition/Development Phase
     Implementation Phase
     Operations/Maintenance Phase
     Disposition Phase
     Challenges to Implementation
Why System Authorization Programs Fail
     Program Scope
     Assessment Focus
     Short-Term Thinking
     Long-Term Thinking
     Poor Planning
     Lack of Responsibility
     Excessive Paperwork
     Lack of Enforcement
     Lack of Foresight
     Poor Timing
     Lack of Support
System Authorization Project Planning
     Planning Factors
     Dealing with People
     Team Member Selection
     Scope Definition
     Project Agreements
     Project Team Guidelines
     Administrative Requirements
     Other Tasks
     Project Kickoff
The System Inventory Process
     System Identification
     Small Systems
     Complex Systems
     Combining Systems
     Accreditation Boundaries
     The Process
     Inventory Information
     Inventory Tools
     Using the Inventory
Interconnected Systems
     The Solution
     Agreements in the System Authorization Process
     Trust Relationships
     Time Issues
     Maintaining Agreements
     Security Authorization of Information Systems: Review Questions

Information System Categorization
     Defining Sensitivity
     Data Sensitivity and System Sensitivity
     Sensitivity Assessment Process
     Data Classification Approaches
     Responsibility for Data Sensitivity Assessment
     Ranking Data Sensitivity
     National Security Information
     Criticality Assessment
     Criticality in the View of the System Owner
     Ranking Criticality
     Changes in Criticality and Sensitivity
NIST Guidance on System Categorization
     Task 1-1: Categorize and Document the Information System
     Task 1-2: Describe the Information System
     Task 1-3: Register the Information System
     Information System Categorization: Review Questions

Establishment of the Security Control Baseline
     Minimum Security Baselines and Best Practices
     Security Controls
     Levels of Controls
     Selecting Baseline Controls
     Use of the Minimum Security Baseline Set
     Common Controls
Assessing Risk
     Risk Assessment in System Authorization
     The Risk Assessment Process
     Step 1: System Characterization
     Step 2: Threat Identification
     Step 3: Vulnerability Identification
     Step 4: Control Analysis
     Step 5: Likelihood Determination
     Step 6: Impact Analysis
     Step 7: Risk Determination
     Step 8: Control Recommendations
     Step 9: Results Documentation
     Conducting the Risk Assessment
     Risk Categorization
     Documenting Risk Assessment Results
     Using the Risk Assessment
     Overview of NIST Special Publication 800-30, Revision 1
System Security Plans
     Plan Contents
     What a Security Plan Is Not
     Plan Initiation
     Information Sources
     Security Plan Development Tools
     Plan Format
     Plan Approval
     Plan Maintenance
     Plan Security
     Plan Metrics
     Resistance to Security Planning
NIST Guidance on Security Controls Selection
     Task 2-1: Identify Common Controls
     Task 2-2: Select Security Controls
     Task 2-3: Develop Monitoring Strategy
     Task 2-4: Approve Security Plan
     Establishment of the Security Control Baseline: Review Questions

Application of Security Controls
Security Procedures
     The Problem with Procedures
     Procedure Templates
     Process for Developing Procedures
     Common Procedures
     Procedures in the System Authorization Process
Remediation Planning
     Managing Risk
     Applicability of the Remediation Plan
     Responsibility for the Plan
     Risk Remediation Plan Scope
     Plan Format
     Using the Plan
     When to Create the Plan
     Risk Mitigation Meetings
NIST Guidance on Implementation of Security Controls
     Task 3-1: Implement Security Controls
     Task 3-2: Document Security Control Implementation
     Application of Security Controls: Review Questions

Assessment of Security Controls
     Scope of Testing
     Level of Effort
     Assessor Independence
     Developing the Test Plan
     The Role of the Host
     Test Execution
     Documenting Test Results
NIST Guidance on Assessment of Security Control Effectiveness
     Task 4-1: Prepare for Controls Assessment
     Task 4-2: Assess Security Controls
     Task 4-3: Prepare Security Assessment Report
     Task 4-4: Conduct Remediation Actions
     Assessment of Security Controls: Review Questions

Information System Authorization
System Authorization Decision Making
     The System Authorization Authority
     Authorization Timing
     The Authorization Letter
     Authorization Decisions
     Designation of Approving Authorities
     Approving Authority Qualifications
     Authorization Decision Process
     Actions Following Authorization
Essential System Authorization Documentation
     System Authorization Package Contents
     Excluded Documentation
     The Certification Statement
     Transmittal Letter
NIST Guidance on Authorization of Information Systems
     Task 5-1: Prepare Plan of Action and Milestones
     Task 5-2: Prepare Security Authorization Package
     Task 5-3: Conduct Risk Determination
     Task 5-4: Perform Risk Acceptance

Security Controls Monitoring
Continuous Monitoring
     Configuration Management/Configuration Control
     Security Controls Monitoring
     Status Reporting and Documentation
     Key Roles in Continuous Monitoring
     Reaccreditation Decision
NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
     Task 6-1: Analyze Impact of Information System and Environment Changes
     Task 6-2: Conduct Ongoing Security Control Assessments
     Task 6-3: Perform Ongoing Remediation Actions
     Task 6-4: Perform Key Updates
     Task 6-5: Report Security Status
     Task 6-6: Perform Ongoing Risk Determination and Acceptance
     Task 6-7: Information System Removal and Decommissioning
     Security Controls Monitoring: Review Questions

System Authorization Case Study
Action Plan
Lessons Learned
Document Templates
Role of the Inspector General
Compliance Monitoring
Measuring Success
Project Milestones
Interim Accreditation
Management Support and Focus
Results and Future Challenges

The Future of Information System Authorization
Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline
Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Appendix V: Answers to Review Questions




Patrick D. Howard, CISSP, CISM, is a senior consultant for SecureInfo, a Kratos Company. He has over 40 years’ experience in security, including 20 years’ service as a U.S. Army Military Police officer, and has specialized in information security since 1989. Mr. Howard began his service as the Chief Information Security Officer for the National Science Foundation’s Antarctic Support Contract in Centennial, Colorado, in March 2012. He previously served as CISO for the Nuclear Regulatory Commission in Rockville, Maryland, from 2008–2012, and for the Department of Housing and Urban Development from 2005–2008. Mr. Howard was named a Fed 100 winner in 2007, and is the author of three information security books: The Total CISSP Exam Prep Book, 2002; Building and Implementing a Security Certification and Accreditation Program, 2006; and Beyond Compliance: FISMA Principles and Best Practices, 2011. He is a member of the International Information Systems Security Certification Consortium’s Government Advisory Board and Executive Writer’s Bureau, which he chairs. Mr. Howard is also an adjunct professor of Information Assurance at Walsh College, Troy, Michigan. He graduated with a Bachelor’s degree from the University of Oklahoma in 1971 and a Master’s degree from Boston University in 1984.


Praise for the popular first edition:

This book focuses on the processes that must be employed by an organization to establish a certification and accreditation program based on current federal government criteria… Pat has structured this book to address the key issues in certification and accreditation, including roles and responsibilities, the life cycle, and even a discussion of pitfalls to avoid. As with all of Pat’s work, he provides the reader with practical information on what works and what does not … Even if government certification and accreditation is not your concern, the new ISO 27002 (formerly ISO17799) will require all of us to look for a process to make certification and accreditation bearable. Pat has succeeded in doing just that with this practical and readable book.
—Thomas R. Peltier, Peltier Associates, Member of the ISSA Hall of Fame