Official (ISC)2® Guide to the CAP® CBK®

2nd Edition

By Patrick D. Howard

Auerbach Publications

462 pages | 9 B/W Illus.

Purchasing Options ($ = USD):
Hardback: ISBN 9781439820759, published 2012-07-18
eBook (VitalSource): ISBN 9780429103841, published 2016-04-19, from $43.98

Significant developments since the publication of its bestselling predecessor, Building and Implementing a Security Certification and Accreditation Program, warrant an updated text as well as an updated title. Reflecting recent updates to the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®) and NIST SP 800-37, the Official (ISC)2® Guide to the CAP® CBK®, Second Edition provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.

Derived from the author’s decades of experience, including time as the CISO for the Nuclear Regulatory Commission, the Department of Housing and Urban Development, and the National Science Foundation’s Antarctic Support Contract, the book describes what it takes to build a system security authorization program at the organizational level in both public and private organizations. It analyzes the full range of system security authorization (formerly C&A) processes and explains how they interrelate. Outlining a user-friendly approach for top-down implementation of IT security, the book:

  • Details an approach that simplifies the authorization process, yet still satisfies current federal government criteria
  • Explains how to combine disparate processes into a unified risk management methodology
  • Covers all the topics included in the Certified Authorization Professional (CAP®) Common Body of Knowledge (CBK®)
  • Examines U.S. federal policies, including DITSCAP, NIACAP, CNSS, NIAP, DoD 8500.1 and 8500.2, and NIST FIPS
  • Reviews the tasks involved in certifying and accrediting U.S. government information systems

Chapters 1 through 7 describe each of the domains of the (ISC)2® CAP® CBK®. This is followed by a case study on the establishment of a successful system authorization program in a major U.S. government department. The final chapter considers the future of system authorization. The book’s appendices include a collection of helpful samples and additional information to provide you with the tools to effectively secure your IT systems.

Praise for the popular first edition:

This book focuses on the processes that must be employed by an organization to establish a certification and accreditation program based on current federal government criteria… Pat has structured this book to address the key issues in certification and accreditation, including roles and responsibilities, the life cycle, and even a discussion of pitfalls to avoid. As with all of Pat’s work, he provides the reader with practical information on what works and what does not … Even if government certification and accreditation is not your concern, the new ISO 27002 (formerly ISO17799) will require all of us to look for a process to make certification and accreditation bearable. Pat has succeeded in doing just that with this practical and readable book.

—Thomas R. Peltier, Peltier Associates, Member of the ISSA Hall of Fame

Table of Contents

Security Authorization of Information Systems
  Legal and Regulatory Framework for System Authorization
  External Program Drivers
  System-Level Security
  Defining System Authorization
  Resistance to System Authorization
  Benefits of System Authorization
  Key Elements of an Enterprise System Authorization Program
  The Business Case
  Goal Setting
  Tasks and Milestones
  Program Oversight
  Program Guidance
  Special Issues
  Program Integration
  System Authorization Points of Contact
  Measuring Progress
  Managing Program Activities
  Monitoring Compliance
  Providing Advice and Assistance
  Responding to Changes
  Program Awareness, Training, and Education
  Using Expert Systems
  Waivers and Exceptions
  NIST Special Publication 800-37, Revision 1, and the Application of the Risk Management Framework to Systems
  Authority and Scope
  Purpose and Applicability
  Target Audience
  Fundamentals of Information System Risk Management According to NIST SP 800-37, Revision 1
  Guidance on Organization-Wide Risk Management
  Organization Level (Tier 1)
  Mission/Business Process Level (Tier 2)
  Information System Level (Tier 3)
  Guidance on Risk Management in the System Development Life Cycle
  NIST’s Risk Management Framework
  Guidance on System Boundary Definition
  Guidance on Software Application Boundaries
  Guidance on Complex Systems
  Guidance on the Impact of Technological Changes on System Boundaries
  Guidance on Dynamic Subsystems
  Guidance on External Subsystems
  Guidance on Security Control Allocation
  Guidance on Applying the Risk Management Framework
  Summary of NIST Guidance
  System Authorization Roles and Responsibilities
  Primary Roles and Responsibilities
  Other Roles and Responsibilities
  Additional Roles and Responsibilities from NIST SP 800-37, Revision 1
  Documenting Roles and Responsibilities
  Job Descriptions
  Position Sensitivity Designations
  Personnel Transition
  Time Requirements
  Expertise Requirements
  Using Contractors
  Routine Duties
  Organizational Skills
  Organizational Placement of the System Authorization Function
  The System Authorization Life Cycle
  Initiation Phase
  Acquisition/Development Phase
  Implementation Phase
  Operations/Maintenance Phase
  Disposition Phase
  Challenges to Implementation
  Why System Authorization Programs Fail
  Program Scope
  Assessment Focus
  Short-Term Thinking
  Long-Term Thinking
  Poor Planning
  Lack of Responsibility
  Excessive Paperwork
  Lack of Enforcement
  Lack of Foresight
  Poor Timing
  Lack of Support
  System Authorization Project Planning
  Planning Factors
  Dealing with People
  Team Member Selection
  Scope Definition
  Project Agreements
  Project Team Guidelines
  Administrative Requirements
  Other Tasks
  Project Kickoff
  The System Inventory Process
  System Identification
  Small Systems
  Complex Systems
  Combining Systems
  Accreditation Boundaries
  The Process
  Inventory Information
  Inventory Tools
  Using the Inventory
  Interconnected Systems
  The Solution
  Agreements in the System Authorization Process
  Trust Relationships
  Time Issues
  Maintaining Agreements
  Security Authorization of Information Systems: Review Questions

Information System Categorization
  Defining Sensitivity
  Data Sensitivity and System Sensitivity
  Sensitivity Assessment Process
  Data Classification Approaches
  Responsibility for Data Sensitivity Assessment
  Ranking Data Sensitivity
  National Security Information
  Criticality Assessment
  Criticality in the View of the System Owner
  Ranking Criticality
  Changes in Criticality and Sensitivity
  NIST Guidance on System Categorization
  Task 1-1: Categorize and Document the Information System
  Task 1-2: Describe the Information System
  Task 1-3: Register the Information System
  Information System Categorization: Review Questions

Establishment of the Security Control Baseline
  Minimum Security Baselines and Best Practices
  Security Controls
  Levels of Controls
  Selecting Baseline Controls
  Use of the Minimum Security Baseline Set
  Common Controls
  Assessing Risk
  Risk Assessment in System Authorization
  The Risk Assessment Process
  Step 1: System Characterization
  Step 2: Threat Identification
  Step 3: Vulnerability Identification
  Step 4: Control Analysis
  Step 5: Likelihood Determination
  Step 6: Impact Analysis
  Step 7: Risk Determination
  Step 8: Control Recommendations
  Step 9: Results Documentation
  Conducting the Risk Assessment
  Risk Categorization
  Documenting Risk Assessment Results
  Using the Risk Assessment
  Overview of NIST Special Publication 800-30, Revision 1
  System Security Plans
  Plan Contents
  What a Security Plan Is Not
  Plan Initiation
  Information Sources
  Security Plan Development Tools
  Plan Format
  Plan Approval
  Plan Maintenance
  Plan Security
  Plan Metrics
  Resistance to Security Planning
  NIST Guidance on Security Controls Selection
  Task 2-1: Identify Common Controls
  Task 2-2: Select Security Controls
  Task 2-3: Develop Monitoring Strategy
  Task 2-4: Approve Security Plan
  Establishment of the Security Control Baseline: Review Questions

Application of Security Controls
  Security Procedures
  The Problem with Procedures
  Procedure Templates
  Process for Developing Procedures
  Common Procedures
  Procedures in the System Authorization Process
  Remediation Planning
  Managing Risk
  Applicability of the Remediation Plan
  Responsibility for the Plan
  Risk Remediation Plan Scope
  Plan Format
  Using the Plan
  When to Create the Plan
  Risk Mitigation Meetings
  NIST Guidance on Implementation of Security Controls
  Task 3-1: Implement Security Controls
  Task 3-2: Document Security Control Implementation
  Application of Security Controls: Review Questions

Assessment of Security Controls
  Scope of Testing
  Level of Effort
  Assessor Independence
  Developing the Test Plan
  The Role of the Host
  Test Execution
  Documenting Test Results
  NIST Guidance on Assessment of Security Control Effectiveness
  Task 4-1: Prepare for Controls Assessment
  Task 4-2: Assess Security Controls
  Task 4-3: Prepare Security Assessment Report
  Task 4-4: Conduct Remediation Actions
  Assessment of Security Controls: Review Questions

Information System Authorization
  System Authorization Decision Making
  The System Authorization Authority
  Authorization Timing
  The Authorization Letter
  Authorization Decisions
  Designation of Approving Authorities
  Approving Authority Qualifications
  Authorization Decision Process
  Actions Following Authorization
  Essential System Authorization Documentation
  System Authorization Package Contents
  Excluded Documentation
  The Certification Statement
  Transmittal Letter
  NIST Guidance on Authorization of Information Systems
  Task 5-1: Prepare Plan of Action and Milestones
  Task 5-2: Prepare Security Authorization Package
  Task 5-3: Conduct Risk Determination
  Task 5-4: Perform Risk Acceptance

Security Controls Monitoring
  Continuous Monitoring
  Configuration Management/Configuration Control
  Security Controls Monitoring
  Status Reporting and Documentation
  Key Roles in Continuous Monitoring
  Reaccreditation Decision
  NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System
  Task 6-1: Analyze Impact of Information System and Environment Changes
  Task 6-2: Conduct Ongoing Security Control Assessments
  Task 6-3: Perform Ongoing Remediation Actions
  Task 6-4: Perform Key Updates
  Task 6-5: Report Security Status
  Task 6-6: Perform Ongoing Risk Determination and Acceptance
  Task 6-7: Information System Removal and Decommissioning
  Security Controls Monitoring: Review Questions

System Authorization Case Study
  Action Plan
  Lessons Learned
  Document Templates
  Role of the Inspector General
  Compliance Monitoring
  Measuring Success
  Project Milestones
  Interim Accreditation
  Management Support and Focus
  Results and Future Challenges

The Future of Information System Authorization

Appendix A: References
Appendix B: Glossary
Appendix C: Sample Statement of Work
Appendix D: Sample Project Work Plan
Appendix E: Sample Project Kickoff Presentation Outline
Appendix F: Sample Project Wrap-Up Presentation Outline
Appendix G: Sample System Inventory Policy
Appendix H: Sample Business Impact Assessment
Appendix I: Sample Rules of Behavior (General Support System)
Appendix J: Sample Rules of Behavior (Major Application)
Appendix K: Sample System Security Plan Outline
Appendix L: Sample Memorandum of Understanding
Appendix M: Sample Interconnection Security Agreement
Appendix N: Sample Risk Assessment Outline
Appendix O: Sample Security Procedure
Appendix P: Sample Certification Test Results Matrix
Appendix Q: Sample Risk Remediation Plan
Appendix R: Sample Certification Statement
Appendix S: Sample Accreditation Letter
Appendix T: Sample Interim Accreditation Letter
Appendix U: Certification and Accreditation Professional (CAP®) Common Body of Knowledge (CBK®)
Appendix V: Answers to Review Questions

About the Author/Editor

Patrick D. Howard, CISSP, CISM, is a senior consultant for SecureInfo, a Kratos Company. He has over 40 years’ experience in security, including 20 years’ service as a U.S. Army Military Police officer, and has specialized in information security since 1989. Mr. Howard began his service as the Chief Information Security Officer for the National Science Foundation’s Antarctic Support Contract in Centennial, Colorado, in March 2012. He previously served as CISO for the Nuclear Regulatory Commission in Rockville, Maryland, from 2008 to 2012, and for the Department of Housing and Urban Development from 2005 to 2008. Mr. Howard was named a Fed 100 winner in 2007 and is the author of three information security books: The Total CISSP Exam Prep Book, 2002; Building and Implementing a Security Certification and Accreditation Program, 2006; and Beyond Compliance: FISMA Principles and Best Practices, 2011. He is a member of the International Information Systems Security Certification Consortium’s Government Advisory Board and Executive Writer’s Bureau, which he chairs. Mr. Howard is also an adjunct professor of Information Assurance at Walsh College, Troy, Michigan. He graduated with a Bachelor’s degree from the University of Oklahoma in 1971 and a Master’s degree from Boston University in 1984.

About the Series

(ISC)2 Press

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General