CAP Cheat Sheet 2026

The 30 highest-yield CAP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β€” free, no sign-up.

125 questions
180 min time limit
70.00% to pass
  1. What are the three core documents that make up a standard RMF authorization package? β†’ SSP, SAR, and POA&M
  2. A Plan of Action and Milestones (POA&M) is used to track what? β†’ Weaknesses and remediation plans for security controls
  3. Which OMB memorandum introduced the 'Assume Breach' mentality and required agencies to adopt zero trust architecture? β†’ OMB M-22-09
  4. Which document formally describes the security controls applied to a system and how they are implemented? β†’ System Security Plan
  5. In the context of authorization, what does 'security control inheritance' mean? β†’ A system leverages controls already implemented by a common control provider
  6. Which tool is commonly used in US federal agencies to automate continuous monitoring data collection? β†’ Continuous Diagnostics and Mitigation (CDM) Dashboard
  7. The Federal Risk and Authorization Management Program (FedRAMP) standardizes security authorizations for which type of systems? β†’ Cloud computing products and services used by federal agencies
  8. What is the purpose of an Interconnection Security Agreement (ISA)? β†’ To document the security requirements for a connection between two systems
  9. Which NIST publication provides guidance on preparing the authorization package and submitting it to the AO? β†’ NIST SP 800-37
  10. What is the purpose of a Plan of Action and Milestones (POA&M) update in the continuous monitoring process? β†’ To document newly identified weaknesses and track remediation progress over time
  11. Which artifact in the authorization package summarizes the findings from security control testing? β†’ Security Assessment Report (SAR)
  12. In RMF terminology, what is a 'common control'? β†’ A control inherited by multiple systems from a shared provider
  13. A healthcare system processes patient records and payment data. Which security objective is most likely to have the highest impact level? β†’ Confidentiality
  14. Which NIST RMF task requires organizations to update the System Security Plan to reflect the actual implementation of security controls? β†’ Implement security controls (Step 4)
  15. After an accreditation audit, the CAP receives a report indicating minor non-compliance issues in two departments. What should the CAP do first? β†’ Prepare a corrective action plan and meet with the departments to address the issues
  16. Which RMF step was added in NIST SP 800-37 Revision 2 to emphasize security early in the system lifecycle? β†’ Prepare
  17. When a significant system change resets an ongoing authorization, what document must be updated first? β†’ The SSP to reflect the new system configuration and updated controls
  18. What security activity must be performed before a system is decommissioned during the SDLC Disposal phase? β†’ Media sanitization and data destruction per NIST SP 800-88
  19. Which document in the authorization package describes known vulnerabilities and the schedule to fix them? β†’ Plan of Action and Milestones
  20. Which regulation governs the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems? β†’ NIST SP 800-171
  21. The RMF Monitor step is primarily intended to provide what type of assurance? β†’ Ongoing situational awareness
  22. What does an Authorization Denial (DATO) indicate? β†’ The AO has determined the risk is unacceptable and the system must not operate
  23. A CAP is designing a quality improvement project using the PDCA (Plan-Do-Check-Act) model. What is the main purpose of the β€œCheck” phase in this model? β†’ To monitor the results of the intervention against expectations
  24. Vulnerability scanning in a continuous monitoring program is primarily used to identify what? β†’ Known software weaknesses, missing patches, and configuration errors
  25. What federal acquisition regulation clause requires contractors to report cyber incidents affecting federal information? β†’ DFARS 252.204-7012 (for DoD contracts)
  26. Which FIPS standard defines the three security objectives: confidentiality, integrity, and availability? β†’ FIPS 199
  27. In the authorization boundary context, what does it mean when a system is described as 'multi-tenant'? β†’ Multiple organizations share the same infrastructure with logically separated environments
  28. A data flow diagram (DFD) in an SSP is used to illustrate what? β†’ How data moves through the system, including inputs, outputs, and storage
  29. In the NIST Risk Management Framework, which step directly follows the selection of security controls? β†’ Implement security controls
  30. Under RMF, who has final authority to accept the risk associated with operating an information system? β†’ Authorizing Official