How to Pass the (ISC)² CGRC Exam in 2026 — Governance, Risk & Compliance

By Tyrone E. Wilson | Cover6 Academy

Formerly the CAP (Certified Authorization Professional), CGRC validates expertise in the Risk Management Framework — the RMF — used across every federal agency and defense contractor. It’s the certification for GRC professionals working in the DoD and federal space. If your work touches system authorization, ATO packages, FISMA compliance, or continuous monitoring for government systems, CGRC is the credential that proves you know the RMF inside and out.

Ready to Test Your Knowledge?

Cover6 Academy’s (ISC)² CGRC Practice Exam covers all 7 domains with questions modeled after real exam objectives.

Get the CGRC Practice Exam →

CGRC Domain Breakdown

  • Information Security Risk Management Program (15%) — Establishing and maintaining an information security risk management program aligned to organizational and regulatory requirements
  • Scope of the Information System (11%) — Defining system boundaries, categorizing information systems per FIPS 199, and aligning with organizational risk tolerance
  • Selection & Approval of Security & Privacy Controls (17%) — Selecting appropriate controls from NIST SP 800-53, tailoring baselines, and documenting in the SSP
  • Implementation of Security & Privacy Controls (11%) — Implementing selected controls and documenting implementation status and evidence
  • Assessment/Audit of Security & Privacy Controls (15%) — Conducting security control assessments, reviewing SAR findings, and evaluating residual risk
  • Authorization/Approval of the Information System (14%) — Preparing the authorization package (SSP, SAR, POA&M) and supporting the AO decision
  • Continuous Monitoring (17%) — Tied for the highest weighting: ongoing assessment, system changes, reporting, and maintaining ATO status

Exam Day Logistics

  • Questions: 125
  • Time: 3 hours
  • Passing Score: 700/1000
  • Cost: $599
  • Experience Required: 2 years of cumulative paid work experience in one or more of the 7 CGRC domains

How to Study

CGRC is a federal-focused exam — you need to think in terms of NIST publications, FISMA, and the RMF lifecycle. Continuous Monitoring (17%) and Selection & Approval of Security & Privacy Controls (17%) are the two highest-weighted domains and should be your starting point.

Use the Cover6 Train Up method: start with 25-question domain-focused sets to identify exactly where your RMF knowledge breaks down, build up to 50- and 75-question mixed sessions, then run timed full 125-question exams until you’re consistently scoring 80% or above. Fluency with NIST SP 800-37 (RMF), NIST SP 800-53 (controls), and NIST SP 800-53A (assessment procedures) is essential — the study guide included with the Cover6 CGRC practice exam maps every question to the relevant NIST publication so you always know where to go deeper. Budget 8–10 weeks if you’re new to federal GRC; 4–6 weeks if you work in this space daily.

Stop Guessing. Start Practicing.

CGRC requires deep RMF knowledge and systematic preparation. Our Practice Exam + Study Guide gives you everything you need to walk in confident and earn your authorization.

Start Practicing Now →
