NIST guidelines spark change to (ISC)2 credential

New standards reflect interest in continuous monitoring

(ISC)2, a nonprofit organization of certified information security professionals, is changing a key credential in response to the National Institute of Standards and Technology’s changes to risk management guidelines for federal systems.

Formerly called the Certification and Accreditation Professional, the new (ISC)2 credential is now known as a Certified Authorization Professional (CAP).


The organization is also changing the structure of the credential from four domains to seven and placing a stronger emphasis on the underlying methodologies and processes associated with the harmonized security authorization process, including continuous monitoring. The domain updates will take effect in November 2010. For existing CAP-holders, nothing will change.

“We felt it critical to update the name and domains of CAP to align with current requirements, technology and thinking,” said Hord Tipton, executive director of (ISC)2.

The original four CAP domains or phases were preparation, certification, execution and continuous monitoring. The seven new domains are:

  1. Understanding the Security Authorization of Information Systems (formerly known as Certification and Accreditation)
  2. Categorize Information Systems (formerly part of the Preparation Phase)
  3. Establish the Security Control Baseline (formerly part of the Preparation Phase)
  4. Apply Security Controls (formerly part of the Preparation Phase)
  5. Assess Security Controls (known previously as the Certification Phase)
  6. Authorize Information System (known previously as the Execution Phase)
  7. Monitor Security Controls (also known as Continuous Monitoring)

NIST’s SP 800-37 publication, “Guide for Applying the Risk Management Framework to Federal Information Systems,” released in November 2009, places a stronger focus on continuous monitoring and stresses that such monitoring is only one piece of a larger, integrated process, said Tipton.

About the Author

Kathleen Hickey is a freelance writer for GCN.

