
With 20 study hours or so, I passed the ISC2 CGRC (formerly known as CAP) exam today (Jan 9, 2024). As a CISSP, I was reluctant to pursue the entry-level exam CC and US government-specific CGRC/CAP because CISSP covers job practices well enough. However, as a CISSP instructor, I must wear the same shoes to prove to my students that CC is a fantastic starter and a significant milestone in the CISSP journey. Moreover, CGRC is a good personal goal for learning and growth in 2024.
Having completed the exam today, I’d like to thank Nancy Allen, also a CGRC holder, who inspired me to push forward to both CGRC and CC. She is quite active in the community and passionate about sharing and helping people. Thank you so much for your contributions and advancing the profession!
I’m thankful for Prabh Nair’s valuable sharing, How to Prepare for CGRC 2024. He summarized key points for CGRC aspirants and provided effective guidance.
I am grateful to Fadi Sodah (aka Madunix), author of the CISSP Process Guide, for his ongoing quality write-ups. Even though Fadi is undergoing a disease recovery, he keeps writing and helping people. He inspired and motivated me a lot when I was suffering from challenges. Thank you, Fadi!
Summary of RMF Tasks
| Step / Task | Description |
| --- | --- |
| Step 0 | Prepare – Organization Level |
| TASK P-1 | Identify and assign individuals to specific roles associated with security and privacy risk management. |
| TASK P-2 | Establish a risk management strategy for the organization that includes a determination of risk tolerance. |
| TASK P-3 | Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. |
| TASK P-4 | Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. |
| TASK P-5 | Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems. |
| TASK P-6 | Prioritize organizational systems with the same impact level. |
| TASK P-7 | Develop and implement an organization-wide strategy for continuously monitoring control effectiveness. |
| Step 0 | Prepare – System Level |
| TASK P-8 | Identify the missions, business functions, and mission/business processes that the system is intended to support. |
| TASK P-9 | Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. |
| TASK P-10 | Identify assets that require protection. |
| TASK P-11 | Determine the authorization boundary of the system. |
| TASK P-12 | Identify the types of information to be processed, stored, and transmitted by the system. |
| TASK P-13 | Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system. |
| TASK P-14 | Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. |
| TASK P-15 | Define the security and privacy requirements for the system and the environment of operation. |
| TASK P-16 | Determine the placement of the system within the enterprise architecture. |
| TASK P-17 | Allocate security and privacy requirements to the system and to the environment of operation. |
| TASK P-18 | Register the system with organizational program or management offices. |
| Step 1 | Categorize System |
| TASK C-1 | Document the characteristics of the system. |
| TASK C-2 | Categorize the system and document the security categorization results. |
| TASK C-3 | Review and approve the security categorization results and decision. |
| Step 2 | Select Controls |
| TASK S-1 | Select the controls for the system and the environment of operation. |
| TASK S-2 | Tailor the controls selected for the system and the environment of operation. |
| TASK S-3 | Allocate security and privacy controls to the system and to the environment of operation. |
| TASK S-4 | Document the controls for the system and environment of operation in security and privacy plans. |
| TASK S-5 | Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy. |
| TASK S-6 | Review and approve the security and privacy plans for the system and the environment of operation. |
| Step 3 | Implement Controls |
| TASK I-1 | Implement the controls in the security and privacy plans. |
| TASK I-2 | Document changes to planned control implementations based on the “as-implemented” state of controls. |
| Step 4 | Assess Controls |
| TASK A-1 | Select the appropriate assessor or assessment team for the type of control assessment to be conducted. |
| TASK A-2 | Develop, review, and approve plans to assess implemented controls. |
| TASK A-3 | Assess the controls in accordance with the assessment procedures described in assessment plans. |
| TASK A-4 | Prepare the assessment reports documenting the findings and recommendations from the control assessments. |
| TASK A-5 | Conduct initial remediation actions on the controls and reassess remediated controls. |
| TASK A-6 | Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports. |
| Step 5 | Authorize System |
| TASK R-1 | Assemble the authorization package and submit the package to the authorizing official for an authorization decision. |
| TASK R-2 | Analyze and determine the risk from the operation or use of the system or the provision of common controls. |
| TASK R-3 | Identify and implement a preferred course of action in response to the risk determined. |
| TASK R-4 | Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable. |
| TASK R-5 | Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk. |
| Step 6 | Monitor Controls |
| TASK M-1 | Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. |
| TASK M-2 | Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. |
| TASK M-3 | Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones. |
| TASK M-4 | Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. |
| TASK M-5 | Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. |
| TASK M-6 | Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. |
| TASK M-7 | Implement a system disposal strategy and execute required actions when a system is removed from operation. |
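A worked illustration of TASK C-2 (document the security categorization) and the input to TASK S-1 (choose a control baseline), added here as an example that is not part of the original post or of any ISC2/NIST material. FIPS 199 aggregates the impact levels of every information type a system handles into a system security category by taking the high-water mark per objective, with the rule that "not applicable" is allowed only for the confidentiality of an information type and never for a system; FIPS 200 then takes the highest of the three objectives as the overall impact level that selects the low, moderate or high SP 800-53B baseline. The information types and their impact levels below are constructed for illustration; in practice the provisional levels come from SP 800-60 and are adjusted by the information owner.

```python
"""FIPS 199 system categorization with the high-water mark (RMF Step 1),
and the FIPS 200 overall impact level that drives baseline selection (Step 2).

Added example; the information types below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Ordering used for the high-water mark. None models FIPS 199 "not applicable",
# which is permitted only for the confidentiality objective of an information type.
_RANK = {None: 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (e.g. an SP 800-60 type) with provisional impact levels."""
    name: str
    confidentiality: Optional[str]  # None means "not applicable"
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in _RANK or (level is None and obj != "confidentiality"):
                raise ValueError(f"{self.name}: invalid {obj} level {level!r}")


def high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest impact level in the sequence (N/A ranks below LOW)."""
    return max(levels, key=lambda lv: _RANK[lv])


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """FIPS 199 security category of a system: for each objective, the highest
    impact among all information types the system processes, stores or transmits.
    A system can never be N/A, so an objective that is N/A for every information
    type floors to LOW (the FIPS 199 "low water mark" for systems)."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    category: Dict[str, str] = {}
    for obj in OBJECTIVES:
        level = high_water_mark(getattr(t, obj) for t in types)
        category[obj] = level if level is not None else "LOW"
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the highest of the three objectives.
    This single value selects the LOW/MODERATE/HIGH SP 800-53B control baseline."""
    return high_water_mark(category.values())


def security_category_string(category: Dict[str, str]) -> str:
    """Render the result in the SC notation FIPS 199 uses for documentation."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a public-facing web system that also holds contract records.
SAMPLE_INFO_TYPES = [
    InfoType("Public web content", None, "MODERATE", "LOW"),
    InfoType("Contract administration", "MODERATE", "HIGH", "LOW"),
    InfoType("Service incident tracking", "LOW", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(security_category_string(sc))
    print("overall impact level:", overall_impact(sc))
```

Note that the single contract-administration type with HIGH integrity drags the whole system to a HIGH baseline; that is exactly why TASK P-11 (authorization boundary) and TASK P-12 (information types) come before categorization, since moving a high-impact information type outside the boundary changes the outcome.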
Roles and Responsibilities
| # | Role | Note |
| --- | --- | --- |
| 1 | Authorizing Official | |
| 2 | Authorizing Official Designated Representative | |
| 3 | Chief Acquisition Officer | |
| 4 | Chief Information Officer (CIO) | |
| 5 | Common Control Provider | |
| 6 | Control Assessor | |
| 7 | Enterprise Architect | |
| 8 | Head of Agency | |
| 9 | Information Owner or Information Steward | |
| 10 | Mission or Business Owner | |
| 11 | Risk Executive (Function) | |
| 12 | Security Architect or Privacy Architect | |
| 13 | Senior Accountable Official for Risk Management | The head of the agency |
| 14 | Senior Agency Information Security Officer | Primary Liaison |
| 15 | Senior Agency Official for Privacy | |
| 16 | System Administrator | Operations and Maintenance |
| 17 | System Owner (Program Manager or Business/Asset Owner) | Security and Privacy Plans |
| 18 | System Security Officer (Security Manager) or System Privacy Officer | Principal advisor on all matters |
| 19 | System User | |
| 20 | System Security Engineer or System Privacy Engineer | Development and Implementation |
Important Concepts
Key Elements for Assessment Reporting
- System name
- Security categorization
- Site(s) assessed and assessment date(s)
- Assessor’s name/identification
- Previous assessment results (if reused)
- Security/privacy control or control enhancement designator
- Selected assessment methods and objects
- Depth and coverage attributes values
- Assessment finding summary (indicating “satisfied” or “other than satisfied”)
- Assessor comments (weaknesses or deficiencies noted)
- Assessor recommendations (priorities, remediation, corrective actions, or improvements)
CBK Suggested References
- Information Security Risk Management for ISO 27001/ISO 27002, 3rd Edition by Alan Calder, Steve Watkins. Publisher: IT Governance Publishing. (Aug, 2019).
- ISO 27001/ISO 27002 A Pocket Guide, 2nd Edition by Chris Davis, Mike Kegerreis, Mike Schiller. Publisher: McGraw-Hill. (Oct, 2013).
- IT Auditing Using Controls to Protect Information Assets, 3rd Edition by Mike Kegerreis, Mike Schiller, Chris Davis. Publisher: McGraw-Hill Education. (Oct, 2019).
- NIST FIPS-199, Standards for Security Categorization of Federal Information and Information Systems by U.S. Dept. of Commerce. (Feb, 2004).
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment by Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh. (Sep, 2008).
- NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations by Kelley Dempsey, Nirali Shah Chawla, Arnold Johnson, Ronald Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, Kevin Stine. (Sep, 2011).
- NIST SP 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems by Ron Ross, Michael McEvilley, Janet Carrier Oren. (Mar, 2018).
- NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments by Joint Task Force Transformation Initiative. (Sep, 2012).
- NIST SP 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy by Joint Task Force Transformation Initiative. (Dec, 2018).
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View by Joint Task Force Transformation Initiative. (Mar, 2011).
- NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations by Joint Task Force Transformation Initiative. (Sep, 2020).
- NIST SP 800-53B, Control Baselines for Information Systems and Organizations by Joint Task Force Transformation Initiative. (Oct, 2020).
- NIST SP 800-60, Vol. 1, Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories by Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick. (Aug, 2008).
- NIST SP 800-70, Rev. 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers by Stephen D. Quinn, Murugiah Souppaya, Melanie Cook, Karen Scarfone. (Sep, 2020).
- NIST SP 800-88, Guidelines for Media Sanitization by Richard Kissel, Andrew Regenscheid, Matthew Scholl, Kevin Stine. (Dec, 2014).
CGRC Examination Weights