This free CGRC study guide walks through every content domain the Certified in Governance, Risk and Compliance exam tests, organized to the current ISC2 exam outline (effective June 15, 2024).[1]
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.
CGRC is the cert formerly known as CAP (Certified Authorization Professional), and the whole exam is built on the NIST Risk Management Framework. The seven official domains map almost one-to-one to the seven RMF steps, so we teach one module per domain, following the RMF lifecycle from program setup through monitoring.
Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview that maps the official content — not a full RMF reference manual.
CGRC is one of the 9 ISC2 certifications — explore our ISC2 study guides to compare and prep across the whole family.
CGRC Exam Snapshot
| Detail | CGRC Exam |
|---|---|
| Questions | 125 items (100 scored + 25 unscored pretest) |
| Format | Linear, fixed-form (not adaptive); multiple choice + advanced items |
| Time | 3 hours |
| Passing score | 700 out of 1000 (scaled) |
| Administered by | ISC2, delivered at Pearson VUE |
| Certifying body | ISC2 (formerly (ISC)²) |
| Formerly known as | CAP — Certified Authorization Professional |
| Eligibility | 2 years' experience in 1+ CGRC domain; or Associate of ISC2 |
| Cost | $249 USD (Americas) |
| Recertification | Every 3 years — 60 CPE credits + $135 annual maintenance fee |
| Outline version | Effective June 15, 2024 |
The CGRC is narrow but deep: instead of broad security breadth, it tests one thing thoroughly — the lifecycle for authorizing and maintaining a system. Implementation of Controls is the heaviest domain at 17%, and Domains 1, 4, and 5 together are about half the exam.[1] Study by the lifecycle:
- GRC, Risk Management & Compliance Program (16% of the exam)
- Scope of the System (10% of the exam)
- Selection & Approval of Controls (14% of the exam)
- Implementation of Controls (17% of the exam)
- Assessment/Audit of Controls (16% of the exam)
- System Compliance (14% of the exam)
- Compliance Maintenance (13% of the exam)
Because the domains follow the RMF, the cleanest way to learn CGRC is to learn the framework itself. Here are the seven RMF steps and the domain each one maps to — this single diagram is the spine of the whole exam:
1. Prepare · Domain 1 · GRC Program: Establish context, roles, risk tolerance, an organization-wide risk strategy, and common controls (added in SP 800-37 Rev 2).
2. Categorize · Domain 2 · Scope of the System: Define the system and information types, then categorize impact (Low/Moderate/High) on confidentiality, integrity, and availability — FIPS 199.
3. Select · Domain 3 · Selection & Approval of Controls: Choose the SP 800-53B baseline (Low/Moderate/High) from the FIPS 200 minimums, then tailor it to the system.
4. Implement · Domain 4 · Implementation of Controls: Deploy the selected controls and document HOW each is implemented in the System Security Plan (SSP).
5. Assess · Domain 5 · Assessment/Audit of Controls: Independently test whether controls work as intended (Examine, Interview, Test) and record findings in the Security Assessment Report (SAR).
6. Authorize · Domain 6 · System Compliance: The Authorizing Official (AO) reviews residual risk and makes a risk-based decision — grant an ATO, deny (DATO), or require remediation.
7. Monitor · Domain 7 · Compliance Maintenance: Continuously monitor control effectiveness and changes (SP 800-137), feeding ongoing authorization. Security is a lifecycle, not a one-time event.
Module 1 · GRC, Risk Management & Compliance Program
One official domain, 16% of the exam. This domain is the foundation: what governance, risk, and compliance mean, the frameworks and laws a CGRC professional works within, and how the RMF organizes risk management across a system’s life. It corresponds to the RMF Prepare step.
1.1 Governance, Risk & Compliance Principles
GRC ties three disciplines together. Governance sets direction and accountability through policy, oversight, and roles.
Risk management identifies, assesses, and treats risk to the organization’s mission. Compliance ensures the organization meets its legal, regulatory, and contractual obligations. The CGRC tests how you use frameworks to align all three so a system can be authorized and kept compliant.[1]
Security rests on the classic objectives — confidentiality, integrity, and availability — plus non-repudiation and, increasingly, privacy, which the 2024 outline weaves throughout. Governance flows top-down: senior management owns risk and sets the tone, and the policy hierarchy runs policy → standard → procedure → guideline.
| Pillar | What it does | Example artifact |
|---|---|---|
| Governance | Sets direction, accountability, and oversight | Security policy, risk strategy, roles |
| Risk management | Identifies, assesses, and treats risk to the mission | Risk assessment, risk register, POA&M |
| Compliance | Meets legal, regulatory, and contractual duties | FISMA/HIPAA/GDPR mapping, audit evidence |
1.2 Frameworks, Standards & Laws
CGRC is built on the NIST RMF, but the 2024 outline explicitly broadened to other frameworks — and a favorite question type asks you to pick the right framework for a purpose. Know what each is for:
| Framework / law | Purpose |
|---|---|
| NIST RMF (SP 800-37) | Lifecycle for authorizing and managing system risk (the spine of CGRC) |
| NIST CSF | Voluntary framework to manage and reduce cybersecurity risk |
| ISO/IEC 27001 | Information security management system (ISMS) |
| ISO 31000 | Enterprise / organizational risk management |
| COBIT | IT governance aligned to business objectives |
| FedRAMP | Standardized authorization for cloud services used by U.S. federal agencies |
| PCI-DSS | Protecting payment-card data |
| CMMC | Cybersecurity maturity for the U.S. defense industrial base |
| FISMA / HIPAA / GDPR | Laws driving federal, healthcare, and EU privacy compliance |
1.3 Risk Management & the RMF Lifecycle
Risk is the chance that a threat exploits a vulnerability to harm an asset. You assess it in two ways. Qualitative analysis is subjective — ranking risks high/medium/low. Quantitative analysis is dollar-based: Single Loss Expectancy (SLE) = Asset Value × Exposure Factor, and Annualized Loss Expectancy (ALE) = SLE × ARO is the expected yearly cost — the basis for deciding whether a control is worth its cost.[10]
You then pick a risk response: mitigate (add controls), transfer/share (insurance or a third party), avoid (stop the activity), or accept (formally tolerate it). Whatever you choose, residual risk remains — risk is never fully eliminated, and transferring the financial impact never transfers your accountability.
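The SLE/ALE arithmetic above is easiest to see as a small risk register that also answers the question the formula exists for: is a control worth its annual cost? The following Python is an added example written for this guide, not code from ISC2 or NIST; the asset values, exposure factors, rates of occurrence and control costs are constructed sample numbers, and the `Risk`/`Control` names are this example's own.

```python
"""Quantitative risk register: SLE, ALE, residual risk and control cost-justification.

Added example for this study guide (not ISC2/NIST code). All dollar figures,
exposure factors and annual rates below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float               # ARO: expected number of events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                            # yearly cost to run the control
    new_exposure_factor: Optional[float] = None   # EF after the control (None = unchanged)
    new_aro: Optional[float] = None               # ARO after the control (None = unchanged)


def sle(risk: Risk) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy = SLE x ARO (expected yearly cost of the risk)."""
    return sle(risk) * risk.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied (the residual risk, in dollars).

    A control lowers EF (less lost per event), ARO (fewer events), or both;
    it never drives the residual to zero unless EF or ARO itself becomes zero.
    """
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return ale(Risk(risk.name, risk.asset_value, ef, aro))


def annual_benefit(risk: Risk, control: Control) -> float:
    """Net yearly value of a control: (ALE before - ALE after) - annual cost.

    A positive number means the control is cost-justified; a negative number
    means you would spend more on the safeguard than the risk it removes.
    """
    return ale(risk) - residual_ale(risk, control) - control.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order a register so the largest expected yearly loss comes first."""
    return sorted(risks, key=ale, reverse=True)


# Constructed sample register (values are illustrative, not benchmarks).
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2)
LAPTOP = Risk("stolen unencrypted laptop", asset_value=5_000, exposure_factor=1.0, aro=2.0)

BACKUPS = Control("offline backups", annual_cost=6_000, new_exposure_factor=0.1)
FDE = Control("full-disk encryption", annual_cost=1_500, new_exposure_factor=0.2)
GOLD_PLATED = Control("dedicated hot DR site", annual_cost=20_000, new_exposure_factor=0.1)


if __name__ == "__main__":
    for risk in rank_by_ale([LAPTOP, RANSOMWARE]):
        print(f"{risk.name}: SLE=${sle(risk):,.0f} ALE=${ale(risk):,.0f}")
    for risk, control in [(RANSOMWARE, BACKUPS), (RANSOMWARE, GOLD_PLATED), (LAPTOP, FDE)]:
        verdict = "justified" if annual_benefit(risk, control) > 0 else "NOT justified"
        print(f"  {control.name} vs {risk.name}: residual ALE=${residual_ale(risk, control):,.0f}, "
              f"net benefit=${annual_benefit(risk, control):,.0f} ({verdict})")
```

The two ransomware controls make the exam point concrete: the same reduction in exposure is cost-justified at $6,000 a year and not at $20,000 a year, and in both cases a residual ALE of about $4,000 remains for the Authorizing Official to accept.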
Checkpoint · GRC & Risk Management Program
Which document establishes the organization-wide risk management strategy, including risk tolerance and risk appetite, that guides all RMF activities?
Module 2 · Scope of the System
One official domain, 10% of the exam — the lightest, but it feeds everything downstream. This domain is the RMF Categorize step: define exactly what the system is, what information it handles, and how much impact a compromise would have. Get categorization wrong and every later decision is wrong.
2.1 System Boundary & Information Types
First you define the authorization boundary — everything included in the system for authorization: its people, processes, hardware, software, information, and the connections it depends on. Then you identify the information types the system handles (financial, medical, investigative, and so on), because each type carries its own impact. Drawing the boundary correctly matters: too broad inflates cost and complexity, too narrow leaves real risk unaddressed.
2.2 FIPS 199 Categorization & the High-Water Mark
FIPS 199 categorizes the potential impact of a system — Low, Moderate, or High — separately for confidentiality, integrity, and availability. The overall system categorization uses the high-water mark: it takes the highest of the three ratings, never the average or the sum.[4] NIST SP 800-60 helps map information types to provisional impact levels.
| Impact level | Meaning if compromised |
|---|---|
| Low | Limited adverse effect on operations, assets, or individuals |
| Moderate | Serious adverse effect |
| High | Severe or catastrophic adverse effect |
Checkpoint · Scope of the System
Which step of the RMF is responsible for determining the categorization of an information system based on impact?
Module 3 · Selection & Approval of Controls
One official domain, 14% of the exam. This is the RMF Select step: starting from the system’s categorization, choose and tailor the right set of security and privacy controls.
3.1 Baselines, Tailoring & Control Types
The flow is mechanical and heavily tested: FIPS 199 categorization → FIPS 200 minimum requirements → pick the matching baseline (Low, Moderate, or High) from SP 800-53B → tailor it to the system. The baseline is a starting point, not a fixed minimum.[7]
1. FIPS 199 — categorize: Determine the system impact level (Low / Moderate / High) using the high-water mark across C, I, and A.
2. FIPS 200 — minimum requirements: Apply the federal minimum security requirements that correspond to the impact level.
3. SP 800-53B — pick the baseline: Select the matching control baseline (Low ~150, Moderate ~304, High ~392 controls) from SP 800-53B.
4. Tailor the baseline: Scope, parameterize, supplement, apply overlays, and add compensating controls — the baseline is a starting point, not a fixed minimum.
NIST SP 800-53 organizes controls into 20 families (such as AC Access Control, AU Audit, and SC System & Communications Protection). By implementer, controls are management, operational, technical, or common (inherited).
| Baseline | System category | Approx. controls |
|---|---|---|
| Low | Low-impact system | ~150 |
| Moderate | Moderate-impact system | ~300 |
| High | High-impact system | ~390 |
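The categorize-then-select chain (Module 2's high-water mark feeding Module 3's baseline choice) is mechanical enough to code, and doing so makes the "highest, never the average" rule unmissable. This Python is an added example for this guide, not code from NIST or ISC2: the information types and their provisional C/I/A levels are constructed for illustration (not taken from SP 800-60), and the approximate baseline sizes are the ones in the table above. The `SC = {...}` string follows the FIPS 199 notation for a security category.

```python
"""FIPS 199 categorization with the high-water mark, then SP 800-53B baseline selection.

Added example for this study guide (not NIST/ISC2 code). The information types
below and their impact levels are constructed sample data.
"""
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    """Ordered so that max() picks the highest impact level."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: provisional (C, I, A) impact per information type.
# These values are assumed for illustration; a real system takes them from SP 800-60 and mission analysis.
SAMPLE_INFO_TYPES: Dict[str, Tuple[Impact, Impact, Impact]] = {
    "public web content":         (Impact.LOW,      Impact.MODERATE, Impact.LOW),
    "customer financial records": (Impact.MODERATE, Impact.HIGH,     Impact.MODERATE),
    "system audit logs":          (Impact.LOW,      Impact.MODERATE, Impact.LOW),
}

# Approximate baseline sizes as listed in this guide's table for SP 800-53B.
BASELINES: Dict[Impact, Tuple[str, int]] = {
    Impact.LOW: ("Low", 150),
    Impact.MODERATE: ("Moderate", 300),
    Impact.HIGH: ("High", 390),
}


def categorize_system(info_types: Dict[str, Tuple[Impact, Impact, Impact]]) -> Dict[str, Impact]:
    """Per-objective system impact: the highest level any information type carries for that objective.

    This is the high-water mark applied across information types, one objective at a time.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        objective: max(levels[i] for levels in info_types.values())
        for i, objective in enumerate(OBJECTIVES)
    }


def high_water_mark(categorization: Dict[str, Impact]) -> Impact:
    """Overall system categorization: the highest of C, I and A. Never the average, never the sum."""
    return max(categorization.values())


def fips199_notation(categorization: Dict[str, Impact]) -> str:
    """Render the security category the way FIPS 199 writes it, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({objective}, {level.name})" for objective, level in categorization.items())
    return "SC = {" + parts + "}"


def select_baseline(level: Impact) -> Dict[str, object]:
    """Map the system impact level to the matching SP 800-53B baseline (the starting point for tailoring)."""
    name, approx_controls = BASELINES[level]
    return {"baseline": name, "approx_controls": approx_controls}


def categorize_and_select(info_types: Dict[str, Tuple[Impact, Impact, Impact]]) -> Dict[str, object]:
    """Run the whole chain: information types -> per-objective impact -> high-water mark -> baseline."""
    categorization = categorize_system(info_types)
    system_impact = high_water_mark(categorization)
    return {
        "categorization": categorization,
        "notation": fips199_notation(categorization),
        "system_impact": system_impact,
        **select_baseline(system_impact),
    }


if __name__ == "__main__":
    result = categorize_and_select(SAMPLE_INFO_TYPES)
    print(result["notation"])
    print(f"System impact: {result['system_impact'].name} -> {result['baseline']} baseline "
          f"(~{result['approx_controls']} controls before tailoring)")
```

Note the trap the test below exercises: a system that is Low for confidentiality and availability but High for integrity is a High system, even though "averaging" would suggest Moderate. The baseline returned is the starting point; tailoring (scoping, parameterizing, overlays, compensating controls) still follows.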
3.2 Inherited, Compensating & Overlay Controls
A common control is provided once at the organization level and inherited by many systems — the data center’s physical security, an enterprise identity service. A compensating control is an alternative used when a baseline control isn’t feasible, providing equivalent protection (and documented as such). An overlay is a tailored, fully specified set of adjustments for a community, technology, or mission — for example a privacy or cloud overlay.
| Option | When you use it |
|---|---|
| Inherit a common control | A control is provided org-wide and applies to your system |
| Apply a compensating control | The baseline control is not feasible; an equivalent safeguard is used |
| Apply an overlay | A community/tech/mission needs a standard set of adjustments |
| Scope out a control | The control genuinely does not apply to the system |
Checkpoint · Selection & Approval of Controls
Which of the following best defines the 'security control baseline'?
Module 4 · Implementation of Controls
One official domain, 17% of the exam — the heaviest. This is the RMF Implement step: actually deploy the selected controls and document exactly how each one is implemented.
4.1 Implementation Strategy & the SSP
Implementation starts with a strategy — resourcing, funding, timeline, and how effectiveness will be measured — and ends with controls deployed and documented in the System Security Plan (SSP). The SSP is the master document: it describes the system, its boundary and environment, and how every selected control is implemented. The System Owner develops and maintains it, and it becomes the core of the authorization package.[3]
4.2 Control Types & Documentation
Knowing the type of a control helps assign responsibility and pick the right safeguard. By implementer: management (policy, planning, risk assessment), operational (people and procedures — training, incident response), technical (technology-enforced — encryption, access control), and common (inherited). By function, controls are also called preventive, detective, corrective, deterrent, recovery, and compensating.
| Type | Implemented by | Example |
|---|---|---|
| Management | Policy, planning, governance | Risk assessment, security planning |
| Operational | People and procedures | Security awareness training, incident response |
| Technical | Technology / the system | Encryption, access control, audit logging |
| Common | The organization (inherited) | Data-center physical security, enterprise IAM |
Checkpoint · Implementation of Controls
What is the primary objective of the Implement step in the RMF?
Module 5 · Assessment/Audit of Controls
One official domain, 16% of the exam. This is the RMF Assess step: determine whether the controls are implemented correctly, operating as intended, and producing the desired result — then report findings and respond to risk.
5.1 Assessment Planning & Methods
Assessment begins with a Security Assessment Plan (SAP) that defines scope, roles, evidence, and procedures, and it is performed by an independent Security Control Assessor (SCA). SP 800-53A defines three assessment methods: Examine (review documents and configurations), Interview (talk to the people who run the control), and Test (exercise the control, e.g., a vulnerability scan or penetration test).[8]
| Method | What the assessor does | Example |
|---|---|---|
| Examine | Reviews documents, policies, and configurations | Read the SSP and access-control settings |
| Interview | Questions the people who operate the control | Ask staff how they handle incidents |
| Test | Exercises the control to see how it behaves | Run a vulnerability scan or penetration test |
5.2 The SAR, Risk Response & POA&M
Findings go into the Security Assessment Report (SAR), which marks each control satisfied, other-than-satisfied, or not applicable. For each unresolved weakness the organization chooses a risk response — avoid, accept, mitigate, or transfer/share — and records the remaining gaps in the Plan of Action & Milestones (POA&M), with a remediation plan, owner, resources, and target dates.
- SSP — System Security Plan (Implement · owner: System Owner): How every control is implemented + the system environment.
- SAP — Security Assessment Plan (Assess (start) · owner: SCA): The plan for HOW controls will be assessed.
- SAR — Security Assessment Report (Assess (end) · owner: SCA): Findings: each control satisfied / other-than-satisfied / N/A.
- POA&M — Plan of Action & Milestones (Assess → Monitor · owner: System Owner): Unresolved weaknesses, remediation owner, and target dates.
- ATO — Authorization to Operate (Authorize · owner: Authorizing Official): The AO's formal decision to operate and accept residual risk.
| SAR status | Meaning | Next step |
|---|---|---|
| Satisfied | The control works as intended | No action needed |
| Other-than-satisfied | The control has a weakness or gap | Add to the POA&M with a remediation plan |
| Not applicable | The control does not apply to the system | Document the justification |
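The SAR-to-POA&M hand-off in the table above is a small data-handling job that is easy to get wrong in practice: a "not applicable" without a justification, or an "other-than-satisfied" without a described weakness, is an incomplete finding. The Python below is an added example for this guide, not ISC2's or NIST's code or any official POA&M schema; the control identifiers, findings, owner name and dates are constructed sample data, and the field names are this example's own choices.

```python
"""Turn SAR findings into POA&M items, enforcing what each status must carry.

Added example for this study guide (not ISC2/NIST code). Findings, names and
dates below are constructed sample data; field names are this example's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

SATISFIED = "satisfied"
OTHER_THAN_SATISFIED = "other-than-satisfied"
NOT_APPLICABLE = "not-applicable"
VALID_STATUSES = {SATISFIED, OTHER_THAN_SATISFIED, NOT_APPLICABLE}
RISK_RESPONSES = {"avoid", "accept", "mitigate", "transfer/share"}


@dataclass(frozen=True)
class Finding:
    """One SAR line: a control and how the assessor marked it."""
    control_id: str
    status: str
    weakness: str = ""             # required when other-than-satisfied
    justification: str = ""        # required when not-applicable
    risk_response: str = "mitigate"  # the organization's chosen response for a weakness


@dataclass
class PoamItem:
    """One POA&M row: what is wrong, who fixes it, with what, and by when."""
    control_id: str
    weakness: str
    risk_response: str
    owner: str
    resources: str
    scheduled_completion: date
    status: str = "open"


def validate_finding(finding: Finding) -> None:
    """Reject findings that cannot be acted on or defended in the authorization package."""
    if finding.status not in VALID_STATUSES:
        raise ValueError(f"{finding.control_id}: unknown SAR status {finding.status!r}")
    if finding.status == OTHER_THAN_SATISFIED and not finding.weakness.strip():
        raise ValueError(f"{finding.control_id}: other-than-satisfied needs a described weakness")
    if finding.status == NOT_APPLICABLE and not finding.justification.strip():
        raise ValueError(f"{finding.control_id}: not-applicable needs a documented justification")
    if finding.risk_response not in RISK_RESPONSES:
        raise ValueError(f"{finding.control_id}: unknown risk response {finding.risk_response!r}")


def build_poam(findings: List[Finding], system_owner: str, sar_date: date,
               days_to_remediate: int = 90,
               resources: str = "existing system staff (assumed)") -> List[PoamItem]:
    """Every other-than-satisfied finding becomes a POA&M item owned by the System Owner.

    Satisfied controls need no action; not-applicable controls are documented in the
    SAR with their justification and do not enter the POA&M.
    """
    items: List[PoamItem] = []
    for finding in findings:
        validate_finding(finding)
        if finding.status == OTHER_THAN_SATISFIED:
            items.append(PoamItem(
                control_id=finding.control_id,
                weakness=finding.weakness,
                risk_response=finding.risk_response,
                owner=system_owner,
                resources=resources,
                scheduled_completion=sar_date + timedelta(days=days_to_remediate),
            ))
    return items


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per SAR status, which is what the AO sees first in the package."""
    counts = {status: 0 for status in VALID_STATUSES}
    for finding in findings:
        validate_finding(finding)
        counts[finding.status] += 1
    return counts


# Constructed sample SAR (control identifiers use the SP 800-53 family-number form).
SAMPLE_FINDINGS = [
    Finding("AC-2", SATISFIED),
    Finding("AU-6", OTHER_THAN_SATISFIED, weakness="Audit records are not reviewed on the documented weekly schedule"),
    Finding("AC-18", NOT_APPLICABLE, justification="The system has no wireless components inside its boundary"),
]

if __name__ == "__main__":
    for item in build_poam(SAMPLE_FINDINGS, "Jane Doe (System Owner)", date(2024, 7, 1)):
        print(f"{item.control_id}: {item.weakness} -> {item.risk_response} by {item.scheduled_completion} ({item.owner})")
    print(summarize(SAMPLE_FINDINGS))
```

The default 90-day window is an assumption of this example, not a NIST or ISC2 requirement; real organizations set milestones per weakness. What the example does fix is the ownership rule the exam tests: the SCA produces the findings, but the POA&M items belong to the System Owner.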
Checkpoint · Assessment/Audit of Controls
What is the main goal of the Assess step in the RMF?
Module 6 · System Compliance (Authorization)
One official domain, 14% of the exam. This is the RMF Authorize step: package the evidence, determine residual risk, and get a senior official’s formal, risk-based decision on whether the system may operate.
6.1 The Authorization Package & Roles
The authorization package is the bundle the Authorizing Official (AO) reviews — the SSP, the SAR, and the POA&M. Memorize those three. The roles are heavily tested through scenarios — know who does what:
- Authorizing Official (AO): The senior official who accepts residual risk and signs the ATO. The ONLY role that can authorize a system to operate.
- AO Designated Rep. (AODR): Coordinates the day-to-day authorization work — but CANNOT make or sign the authorization decision or accept risk.
- Security Control Assessor (SCA): Independently assesses and tests the controls and writes the SAR. Must be independent of the System Owner.
- System Owner: Responsible for the system; develops the SSP, owns the POA&M, and assembles and submits the authorization package.
- ISSO / ISSM: ISSO handles day-to-day operational security of the system; ISSM manages ISSOs, aggregates risk, and advises the AO.
- Common Control Provider: Supplies inherited common controls used across many systems (e.g., the data-center physical controls).
| Document | Owner | RMF step |
|---|---|---|
| System Security Plan (SSP) | System Owner | Implement |
| Security Assessment Report (SAR) | Security Control Assessor (SCA) | Assess |
| Plan of Action & Milestones (POA&M) | System Owner | Assess → Monitor |
| Authorization to Operate (ATO) | Authorizing Official (AO) | Authorize |
6.2 ATO, DATO & Risk Acceptance
The AO weighs residual risk against the mission and makes a risk-based decision: grant an ATO, grant an ATO with conditions, or issue a DATO. An IATT is different — it authorizes testing in an operational environment during development, not production operation.
| Decision | What it means |
|---|---|
| ATO | Full authorization to operate; the AO accepts the residual risk |
| ATO with conditions | Operate, but specific weaknesses must be remediated on a schedule |
| DATO | Denial — the risk is unacceptable; the system may not operate |
| IATT | Interim Authority to Test — testing only, not production operation |
Checkpoint · System Compliance (Authorization)
What is the main deliverable that an Authorizing Official reviews to make the authorization decision?
Module 7 · Compliance Maintenance (Monitoring)
One official domain, 13% of the exam. This is the RMF Monitor step: an ATO is not the finish line. You keep the system compliant over time through continuous monitoring, change management, and — eventually — secure decommissioning.
7.1 Continuous Monitoring (ISCM)
Information Security Continuous Monitoring (ISCM, NIST SP 800-137) is ongoing awareness of security, vulnerabilities, and threats so risk decisions stay current. After authorization the organization keeps assessing control effectiveness, tracking changes, and reporting — feeding ongoing authorization rather than treating the ATO as a one-time event.[9] An effective ISCM strategy defines what to monitor, how often, and the metrics that trigger action.
7.2 Change Management & Decommissioning
Change management is the controlled process for evaluating, approving, implementing, and tracking changes to an authorized system. A proposed change gets a security impact analysis, goes through a change control board (CCB) for approval, and is documented — with a rollback plan if it fails.
A significant change can trigger reassessment and even reauthorization. At end of life, decommissioning securely retires the system, including sanitizing media and updating documentation.
| Step | What happens |
|---|---|
| Request | A change is proposed and recorded |
| Security impact analysis | Evaluate how the change affects the system's security state |
| CCB approval | The change control board approves, defers, or rejects |
| Implement & document | Apply the change (with a rollback plan) and update the SSP |
| Reassess if significant | A significant change can trigger reassessment / reauthorization |
Checkpoint · Compliance Maintenance (Monitoring)
Ongoing authorization (as opposed to periodic reauthorization) relies most heavily on what?
How to Use This CGRC Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Learn the RMF first. The seven steps — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — are the spine. Master the order and what each step produces and the exam falls into place.
- Prioritize by weight. Implementation (17%), the GRC program (16%), and Assessment (16%) together are about half the exam — but Scope (10%) is the foundation, so don’t skip it.
- Think governance, not gadgets. CGRC asks for the best action — usually assess, document, or get the right approval — not the flashiest technical fix.
- Memorize the roles and documents. Know who owns the SSP, SAR, POA&M, and ATO, and the rule that the SCA assesses while the AO accepts.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint, then drill. Send weak domains into the flashcards and a practice test until your score climbs comfortably above 700.
CGRC Concept Questions
Common CGRC concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
CGRC Glossary
The high-yield CGRC terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- Annualized Loss Expectancy (ALE): The expected yearly cost of a risk: ALE = SLE × ARO; used to cost-justify controls.
- AO Designated Representative (AODR): Coordinates the authorization process day to day but cannot make or sign the authorization decision.
- Assessment method: How a control is evaluated under SP 800-53A: Examine, Interview, or Test.
- Authorization boundary: Everything included in a system for authorization — the people, processes, hardware, software, information, and connections it depends on.
- Authorization package: The SSP, SAR, and POA&M submitted to the Authorizing Official for the authorization decision.
- Authorization to Operate (ATO): The Authorizing Official's formal decision to operate a system and accept its residual risk.
- Authorizing Official (AO): The senior official who accepts residual risk and signs the ATO; the only role that can authorize a system.
- Categorize: The RMF step that determines the system's impact level (Low/Moderate/High) on confidentiality, integrity, and availability using FIPS 199.
- Change management: The controlled process of evaluating, approving, implementing, and tracking changes to an authorized system.
- Common control: A control provided once at the organization or enclave level and inherited by many systems (e.g., data-center physical security).
- Common Control Provider: The entity that supplies inherited common controls used across many systems.
- Compensating control: An alternative safeguard used when a baseline control is not feasible, providing equivalent protection.
- Continuous monitoring (ISCM): Ongoing awareness of security, vulnerabilities, and threats so risk decisions stay current (NIST SP 800-137).
- Control baseline: A predefined starting set of controls (Low, Moderate, or High) defined in NIST SP 800-53B and selected from the system's categorization.
- Decommissioning: Securely retiring a system at end of life, including sanitizing media and updating documentation.
- Denial of Authorization (DATO): A decision that a system's risk is unacceptable and it may not operate.
- FIPS 199: The federal standard for categorizing the potential impact (Low/Moderate/High) of a system on each security objective.
- FIPS 200: The federal standard that sets the minimum security requirements corresponding to a system's impact level.
- Governance, Risk, and Compliance (GRC): The integrated discipline of directing an organization (governance), managing its risk, and meeting its legal and regulatory obligations (compliance).
- High-water mark: The rule that a system's overall categorization equals the highest impact level across confidentiality, integrity, and availability — never the average.
- IATT: Interim Authority to Test — permission to operate a system in a test environment, not in production.
- Information System Security Officer (ISSO): The role responsible for the day-to-day operational security posture of a system.
- Information type: A category of information (e.g., financial, medical, investigative) with its own confidentiality, integrity, and availability impact.
- Management control: A control implemented through policy, planning, and risk management (e.g., a risk assessment).
- NIST SP 800-137: The publication that defines Information Security Continuous Monitoring (ISCM).
- NIST SP 800-37: The publication that defines the Risk Management Framework (Rev. 2 has seven steps).
- NIST SP 800-53: The catalog of security and privacy controls, organized into 20 control families.
- Ongoing authorization: Keeping authorization current through continuous monitoring rather than periodic point-in-time reauthorization.
- Operational control: A control executed primarily by people and procedures (e.g., security awareness training, incident response).
- Overlay: A fully specified set of control adjustments tailored to a specific community, technology, or mission (e.g., privacy or cloud).
- Plan of Action and Milestones (POA&M): The document tracking unresolved weaknesses, the remediation plan, the responsible party, and target dates.
- Prepare: The RMF step (added in Rev. 2) that establishes context, roles, risk tolerance, an organization-wide risk strategy, and common controls before authorization work begins.
- Residual risk: The risk that remains after controls are applied; the Authorizing Official formally accepts it.
- Risk Management Framework (RMF): NIST's seven-step process (SP 800-37 Rev. 2) for managing information security and privacy risk across a system's life cycle.
- Risk response: The chosen way to treat a risk: avoid, accept, mitigate (reduce), or transfer/share.
- RMF steps: The seven steps of the RMF: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
- Security Assessment Plan (SAP): The plan that defines the scope, roles, and procedures for assessing a system's controls.
- Security Assessment Report (SAR): The report of assessment findings, marking each control satisfied, other-than-satisfied, or not applicable.
- Security control: A safeguard or countermeasure that protects the confidentiality, integrity, and availability of a system and its information.
- Security Control Assessor (SCA): The role that independently assesses and tests controls and writes the SAR; independent of the System Owner.
- Security impact analysis: An evaluation of how a proposed change affects the security state of a system before it is approved.
- Single Loss Expectancy (SLE): The expected monetary loss from a single risk event: SLE = Asset Value × Exposure Factor.
- System Owner: The official responsible for a system who develops the SSP, owns the POA&M, and submits the authorization package.
- System Security Plan (SSP): The master document describing the system, its boundary, and how every selected control is implemented; owned by the System Owner.
- Tailoring: Adjusting a control baseline to a specific system — scoping, parameterizing, supplementing, and applying overlays or compensating controls.
- Technical control: A control enforced by technology (e.g., encryption, access control, audit logging).
CGRC Study Guide FAQ
The CGRC exam has 125 questions — 100 scored plus 25 unscored pretest items — and you get 3 hours. It is a linear, fixed-form exam (not adaptive), delivered in English at Pearson VUE test centers, with multiple-choice and advanced item types.
From the June 2024 ISC2 outline: Security & Privacy Governance, Risk Management, and Compliance Program (16%), Scope of the System (10%), Selection and Approval of Framework, Security, and Privacy Controls (14%), Implementation of Security and Privacy Controls (17%), Assessment/Audit of Security and Privacy Controls (16%), System Compliance (14%), and Compliance Maintenance (13%).
You need a scaled score of 700 out of 1000 to pass. The score is scaled, so it does not map directly to a raw percentage of questions correct, but 700/1000 is the consistent passing standard ISC2 reports.
Yes. CGRC (Certified in Governance, Risk and Compliance) is the renamed CAP (Certified Authorization Professional); ISC2 rebranded it to reflect a broader governance, risk, and compliance focus. The exam is still built on the NIST Risk Management Framework, with the current outline effective June 15, 2024.
You need at least two years of cumulative paid work experience in one or more of the seven CGRC domains. If you pass the exam without the required experience, you can become an Associate of ISC2 and earn the experience afterward.
Study by the RMF lifecycle. Start with the GRC program (16%), then follow the seven steps — Categorize, Select, Implement, Assess, Authorize, Monitor. Implementation (17%) and Assessment (16%) are the heaviest. Read each module, take the checkpoint, then drill gaps with our free practice test and flashcards.
The exam fee is $249 USD in the Americas. After certifying, you recertify every three years by earning 60 Continuing Professional Education (CPE) credits — at least 20 per year — and paying an annual maintenance fee of $135.
The CGRC is issued by ISC2 and delivered at Pearson VUE test centers. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are 100% free with no account required.
References
1. ISC2. “CGRC Certification Exam Outline (effective June 15, 2024).” isc2.org.
2. ISC2. “CGRC — Certified in Governance, Risk and Compliance.” isc2.org.
3. National Institute of Standards and Technology. “SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations.” csrc.nist.gov.
4. National Institute of Standards and Technology. “FIPS 199: Standards for Security Categorization of Federal Information and Information Systems.” csrc.nist.gov.
5. National Institute of Standards and Technology. “FIPS 200: Minimum Security Requirements for Federal Information and Information Systems.” csrc.nist.gov.
6. National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
7. National Institute of Standards and Technology. “SP 800-53B: Control Baselines for Information Systems and Organizations.” csrc.nist.gov.
8. National Institute of Standards and Technology. “SP 800-53A Rev. 5: Assessing Security and Privacy Controls.” csrc.nist.gov.
9. National Institute of Standards and Technology. “SP 800-137: Information Security Continuous Monitoring (ISCM).” csrc.nist.gov.
10. National Institute of Standards and Technology. “SP 800-30 Rev. 1: Guide for Conducting Risk Assessments.” csrc.nist.gov.

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.
