CAP Cheat Sheet 2026
The 30 highest-yield CAP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β free, no sign-up.
125 questions
180 min time limit
70.00% to pass
- What are the three core documents that make up a standard RMF authorization package? β SSP, SAR, and POA&M
- A Plan of Action and Milestones (POA&M) is used to track what? β Weaknesses and remediation plans for security controls
- Which OMB memorandum introduced the 'Assume Breach' mentality and required agencies to adopt zero trust architecture? β OMB M-22-09
- Which document formally describes the security controls applied to a system and how they are implemented? β System Security Plan
- In the context of authorization, what does 'security control inheritance' mean? β A system leverages controls already implemented by a common control provider
- Which tool is commonly used in US federal agencies to automate continuous monitoring data collection? β Continuous Diagnostics and Mitigation (CDM) Dashboard
- The Federal Risk and Authorization Management Program (FedRAMP) standardizes security authorizations for which type of systems? β Cloud computing products and services used by federal agencies
- What is the purpose of an Interconnection Security Agreement (ISA)? β To document the security requirements for a connection between two systems
- Which NIST publication provides guidance on preparing the authorization package and submitting it to the AO? β NIST SP 800-37
- What is the purpose of a Plan of Action and Milestones (POA&M) update in the continuous monitoring process? β To document newly identified weaknesses and track remediation progress over time
- Which artifact in the authorization package summarizes the findings from security control testing? β Security Assessment Report (SAR)
- In RMF terminology, what is a 'common control'? β A control inherited by multiple systems from a shared provider
- A healthcare system processes patient records and payment data. Which security objective is most likely to have the highest impact level? β Confidentiality
- Which NIST RMF task requires organizations to update the System Security Plan to reflect the actual implementation of security controls? β Implement security controls (Step 4)
- After an accreditation audit, the CAP receives a report indicating minor non-compliance issues in two departments. What should the CAP do first? β Prepare a corrective action plan and meet with the departments to address the issues
- Which RMF step was added in NIST SP 800-37 Revision 2 to emphasize security early in the system lifecycle? β Prepare
- When a significant system change resets an ongoing authorization, what document must be updated first? β The SSP to reflect the new system configuration and updated controls
- What security activity must be performed before a system is decommissioned during the SDLC Disposal phase? β Media sanitization and data destruction per NIST SP 800-88
- Which document in the authorization package describes known vulnerabilities and the schedule to fix them? β Plan of Action and Milestones
- Which regulation governs the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems? β NIST SP 800-171
- The RMF Monitor step is primarily intended to provide what type of assurance? β Ongoing situational awareness
- What does an Authorization Denial (DATO) indicate? β The AO has determined the risk is unacceptable and the system must not operate
- A CAP is designing a quality improvement project using the PDCA (Plan-Do-Check-Act) model. What is the main purpose of the βCheckβ phase in this model? β To monitor the results of the intervention against expectations
- Vulnerability scanning in a continuous monitoring program is primarily used to identify what? β Known software weaknesses, missing patches, and configuration errors
- What federal acquisition regulation clause requires contractors to report cyber incidents affecting federal information? β DFARS 252.204-7012 (for DoD contracts)
- Which FIPS standard defines the three security objectives: confidentiality, integrity, and availability? β FIPS 199
- In the authorization boundary context, what does it mean when a system is described as 'multi-tenant'? β Multiple organizations share the same infrastructure with logically separated environments
- A data flow diagram (DFD) in an SSP is used to illustrate what? β How data moves through the system, including inputs, outputs, and storage
- In the NIST Risk Management Framework, which step directly follows the selection of security controls? β Implement security controls
- Under RMF, who has final authority to accept the risk associated with operating an information system? β Authorizing Official
Turn these facts into recall: