
CGRC – Governance, Risk and Compliance Certification vs. Certified Authorization Professional (CAP) Update

January 31, 2024

By: Philip D. Schall, Ph.D., CISSP

As many of you will recall from an article by Kathryn Daily in our January 2023 edition of RMF Today and Tomorrow, titled "CAP Becomes CGRC: What Does this Mean?", beginning February 15, 2023, ISC2 renamed the Certified Authorization Professional (CAP) certification to CGRC – Governance, Risk and Compliance Certification. With this name change, ISC2 broadened the certification's topic range beyond RMF to a more robust policy and compliance subject matter.

Beyond being Director of Training for BAI Information Security, I am also a college professor and teach primarily cybersecurity coursework at the undergraduate and graduate level. At the beginning of the Fall Semester, I launched a cybersecurity program which included a class in policy and compliance. In designing the curriculum, I had a hard time finding a way to provide students a viable path to learn cybersecurity policy while also offering them real-world skills. My final solution to this curriculum conundrum was to build a CGRC preparatory course. In delivering this curriculum, I hoped to expose students to the intricacies of cyber policy and provide a baseline preparation for the CGRC exam.

In designing the curriculum, I made the incorrect assumption that I could assign the ISC2 CGRC Common Body of Knowledge (CBK) as the course text and then require a fixed number of practice questions weekly. After some initial research, I quickly learned that ISC2 has still not published a CBK for CGRC. I found this a bit surprising, but it supported my theory that ISC2 changed the exam name as a rebranding and marketing move to increase interest and enrollment before the exam had fully matured to its new format. After a few calls to friends who had taken CGRC and an informal call with a former colleague who worked on CAP exam development, I learned that at this point the CAP exam has not really changed that much and is still primarily RMF-centric.

Getting to the heart of this article: in preparing for the class, I based the curriculum on the references provided by ISC2 (they can be found here) and an excellent PDF I discovered through Reddit searches called The Mango Guide v2, a 41-page study guide for the CGRC. It can be found here.

The bottom line is that ISC2 has rebranded the CAP exam to CGRC in a long-term attempt to increase market share without providing any formal CBK. Instead, they have provided an informal study guide with a list of references, and upon clicking "more information" on their website, paid training opportunities are presented instead of a formal study guide.

I believe that the CGRC exam is still very similar to the CAP exam and that new questions will be rolled out slowly rather than through an entire "rip and replace" of the question base. I anticipate a formal CBK from ISC2 at some point; at the very least, I would hope ISC2 publishes one. Until then, I am confident in advising RMF students that BAI's four-day RMF for DoD IT training, paired with a review of the references listed above and achieving a 70% pass rate on CGRC practice questions, should put them in a strong position to pass the CGRC exam. I will continue to monitor CGRC and provide another update in the coming months/year if/when ISC2 publishes a formal study guide or CBK.
