NIST guidelines spark change to (ISC)2 credential
(ISC)2, a nonprofit organization of certified information security professionals, is changing a key credential in response to the National Institute of Standards and Technology's changes to risk management guidelines for federal systems.
Formerly called the Certification and Accreditation Professional, the new (ISC)2 credential is now known as a Certified Authorization Professional (CAP).
The organization is also changing the structure of the credential from four domains to seven, placing a stronger emphasis on the underlying methodologies and processes associated with the harmonized security authorization process, including continuous monitoring. The domain updates will take effect in November 2010. For existing CAP holders, nothing will change.
“We felt it critical to update the name and domains of CAP to align with current requirements, technology and thinking,” said Hord Tipton, executive director of (ISC)2.
The original four CAP domains or phases were preparation, certification, execution and continuous monitoring. The seven new domains are:
- Understanding the Security Authorization of Information Systems (formerly known as Certification and Accreditation)
- Categorize Information Systems (formerly part of the Preparation Phase)
- Establish the Security Control Baseline (formerly part of the Preparation Phase)
- Apply Security Controls (formerly part of the Preparation Phase)
- Assess Security Controls (known previously as the Certification Phase)
- Authorize Information System (known previously as the Execution Phase)
- Monitor Security Controls (also known as Continuous Monitoring)
NIST’s SP 800-37 publication, “Guide for Applying the Risk Management Framework to Federal Information Systems,” released in November 2009, places a stronger focus on continuous monitoring and stresses that such monitoring is only one piece of a larger, integrated process, said Tipton.