CGRC
ISC2 CGRC (formerly CAP)
The ISC2 Certified in Governance, Risk and Compliance (CGRC, formerly CAP) certifies professionals who apply the NIST Risk Management Framework (RMF) to authorize and maintain information systems. It covers the complete ATO (Authorization to Operate) lifecycle — from scoping and security control selection through implementation, assessment, system authorization, and continuous monitoring — essential for US government, DoD, and federal contractor security roles.
CGRC Exam Overview
| Detail | Information |
|---|---|
| Full Name | ISC2 CGRC (formerly CAP) |
| Governing Body | ISC2 |
| Number of Questions | 125 |
| Time Limit | 3 hours |
| Passing Score | 700/1000 |
| Exam Fee | $599 USD |
| Category | IT Certifications |
| C3RT App Available On | iPhone, iPad, and Mac |
| Official Source | ISC2 official website |
CGRC Content Areas and Domains
Domain weights are approximate and based on the ISC2 content outline. Always verify at the official source before your exam.
Topics Covered
- ✓ Information Security Risk Management Program — risk management program integration with organizational governance
- ✓ Scope of the Information System — system identification, boundary definition, privacy impact
- ✓ Selection & Approval of Security & Privacy Controls — NIST 800-53 control selection, overlays, tailoring
- ✓ Implementation of Security & Privacy Controls — control implementation documentation, plan of action and milestones (POA&M)
- ✓ Assessment/Audit of Security & Privacy Controls — security assessment plan, control testing methods, assessment report
- ✓ Authorization/Approval of the Information System — ATO decision, security authorization package, risk acceptance
- ✓ Continuous Monitoring — ongoing control monitoring, status reporting, reauthorization triggers
How C3RT Helps You Pass the CGRC
Adaptive Practice
Questions adapt to your weak areas automatically so every study session on the CGRC is time well spent.
Diagnostic Mocks
Full-length mock exams timed to the real CGRC format with detailed score breakdowns by topic.
Mistake Bank
Every wrong answer is saved for targeted re-drill. The system resurfaces your mistakes until they stick.
Native on iOS & Mac
Built with SwiftUI, not a web wrapper. Instant load, offline support, hardware-speed rendering.
CGRC Frequently Asked Questions
What does CGRC stand for?
CGRC stands for Certified in Governance, Risk and Compliance; the credential was formerly known as CAP (Certified Authorization Professional). It is administered by ISC2.
Who administers the CGRC?
The CGRC (formerly CAP) is administered by ISC2. For official information, visit the ISC2 website.
How many questions is the CGRC?
The CGRC consists of 125 questions. Candidates are given 3 hours to complete the exam.
What is the passing score for the CGRC?
The passing score for the CGRC is 700/1000, as set by ISC2. Scoring methodology and passing standards may be updated periodically. Always verify current requirements with the governing body.
How much does the CGRC exam cost?
The CGRC exam fee is $599 USD. This fee is set by ISC2 and may vary by testing centre, region, or membership status. Additional fees for registration or rescheduling may apply.
Who should get CGRC (formerly CAP)?
CGRC targets information system security officers (ISSOs), information system security managers (ISSMs), security engineers, and compliance professionals working in US federal government, DoD, or federal contractor environments. The credential is directly aligned to NIST SP 800-37 (RMF) and NIST SP 800-53, making it essential for ATO and FedRAMP compliance work.
Why was CAP renamed to CGRC?
ISC2 renamed the Certified Authorization Professional (CAP) to Certified in Governance, Risk and Compliance (CGRC) in 2022 to better reflect the broader governance, risk, and compliance aspects of the credential. The exam content was also updated to include privacy controls and more GRC concepts beyond just the authorization process, while retaining the RMF focus.
What is the NIST Risk Management Framework?
The NIST RMF (NIST SP 800-37) is the US federal government's standard process for managing security and privacy risk for information systems. It consists of 7 steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. The CGRC exam tests deep knowledge of each step, the associated NIST publications (800-53, 800-53A, 800-60), and the documentation artifacts produced at each step.
Is CGRC a DoD 8140 approved certification?
Yes — CGRC (formerly CAP) is approved under DoD 8140.01 for multiple workforce categories related to risk management and system authorization. It meets requirements for Information System Security Manager (ISSM) and related roles. This makes it valuable for defense contractor and US federal agency security positions that require DoD 8140 compliance.
How difficult is the ISC2 CGRC exam?
The ISC2 CGRC (Certified in Governance, Risk, and Compliance, formerly CAP) is considered intermediate to advanced in difficulty. It covers NIST RMF, federal information system authorization, and risk management processes. Candidates with GRC or federal security backgrounds typically find it well-aligned with their experience, while those from purely technical backgrounds may need additional preparation in policy and compliance areas.
What are the eligibility requirements for the ISC2 CGRC?
You must have two years of paid, full-time work experience in one or more of the seven CGRC domains, including information security risk management or authorization and assessment. A relevant degree may waive one year of the experience requirement. The Associate of ISC2 pathway applies here as well.
How long should I study for the ISC2 CGRC?
Most candidates need 2–4 months of preparation, with heavy emphasis on NIST Special Publications (SP 800-37, 800-53, 800-171) and the CGRC official study materials. Practical GRC experience greatly accelerates preparation.
What career value does the ISC2 CGRC provide?
CGRC is particularly valuable for GRC analysts, risk managers, and information system security officers (ISSOs) in federal agencies and federal contractors. It is recognized under DoD 8570 and demonstrates mastery of the NIST Risk Management Framework. Salaries for CGRC holders typically range from $80,000 to $120,000+.
What is the ISC2 CGRC retake policy?
Standard ISC2 retake policies apply: 30-day wait after first failure, 60 days after second, 90 days after third, with a maximum of three attempts per year.
How long is the ISC2 CGRC credential valid?
The CGRC is valid for three years. Renewal requires 60 CPE credits over three years and payment of the ISC2 Annual Maintenance Fee.
What continuing education is required for ISC2 CGRC renewal?
Renewal requires 60 CPE credits over three years. Content related to NIST frameworks, federal risk management, and compliance standards is especially appropriate for CGRC CPE activities.
How does ISC2 CGRC compare to ISACA CRISC for GRC roles?
Both target governance, risk, and compliance but from different angles. ISC2 CGRC is heavily focused on the NIST Risk Management Framework and federal authorization processes — making it essential for federal IT GRC roles. ISACA CRISC takes a broader, enterprise IT risk management focus applicable across industries. Federal and DoD contractors often prioritize CGRC; corporate enterprise risk professionals often prefer CRISC.
C3RT is a native iOS and macOS exam preparation platform covering the ISC2 CGRC (formerly CAP), an IT Certifications credential administered by ISC2. C3RT is not affiliated with or endorsed by ISC2. Certification names and trademarks are the property of their respective organisations. For official exam registration, eligibility requirements, and content outlines, visit the ISC2 official website.