- What Is the CGRC Exam?
- Question Format: What You Actually See on Screen
- Time Limits and Pacing Strategy
- Domain Breakdown and Weight Distribution
- What Each Domain Actually Tests
- The Hardest Domains and Why
- Scheduling Your Prep Around the Domain Weights
- Who Hires CGRC-Certified Professionals
- Frequently Asked Questions
- The CGRC exam uses multiple-choice questions delivered via computer-based testing at Pearson VUE centers worldwide.
- Seven domains are tested; Domain 4 (Implementation of Security and Privacy Controls) carries the highest weight at 17%.
- Domains 1, 4, and 5 together account for nearly half the exam; prioritize these three above all others.
- Understanding the RMF lifecycle end-to-end is the single most cross-cutting skill the exam measures.
What Is the CGRC Exam?
The Certified in Governance, Risk, and Compliance (CGRC) credential, formerly known as the CAP (Certified Authorization Professional), is issued by (ISC)². It validates that a practitioner can apply a risk management framework to authorize and maintain information systems, balancing security requirements against operational mission needs. The certification is recognized across federal civilian agencies, defense contractors, and increasingly in large commercial enterprises that must comply with federal-adjacent frameworks like FedRAMP, FISMA, and NIST SP 800-series guidance.
If you are just starting your research, reviewing the CGRC Prerequisites and Experience Requirements 2026 first will help you confirm eligibility before investing time in exam prep. This article focuses exclusively on the exam itself: its format, question mechanics, time constraints, and exactly which domains will demand the most from you.
Question Format: What You Actually See on Screen
The CGRC exam is delivered as a computer-based test (CBT) through Pearson VUE testing centers globally, with remote proctoring also available through Pearson VUE OnVUE. Every question on the current exam is a traditional single-best-answer multiple-choice item with four answer choices (A through D). There are no drag-and-drop simulations, no hotspot questions, and no scenario-based "select all that apply" items as of the current exam version.
How the Questions Are Written
CGRC questions are scenario-anchored. Nearly every item presents a short professional scenario (a system owner receives an ATO decision, a control assessor discovers a deficiency, a privacy officer is evaluating a new data flow) and then asks what the best next action is, or which response is most appropriate. This is deliberate: the exam is testing practitioner judgment, not memorization of definitions.
This means two things for your preparation. First, you need to understand why a process step exists in the RMF lifecycle, not just that it exists. Second, strong distractors (wrong answers that look plausible) will often reflect technically accurate information applied in the wrong context or wrong sequence. Recognizing sequencing errors is a skill that only develops through practice, and consistent use of domain-mapped practice questions accelerates that recognition significantly.
Number of Questions
The CGRC exam consists of 125 questions. Of those, a subset are unscored pretest items that (ISC)² uses to evaluate future questions. You will not be told which questions are pretest items, so treat every question as scored.
Time Limits and Pacing Strategy
Candidates are given 3 hours (180 minutes) to complete the exam. That works out to roughly 86 seconds per question if you pace yourself evenly across all 125 items, a comfortable margin compared to some other professional certifications, provided you do not get stuck dwelling on difficult scenarios.
Practical Pacing Benchmarks
Experienced test-takers tend to target a first-pass completion at around the 90-minute mark, leaving a full hour to revisit flagged items. The CBT interface allows you to flag questions and return to them, which makes a two-pass strategy effective. On your first pass: answer confidently where you can, flag anything that requires more deliberation, and never spend more than two minutes on any single item before moving forward.
Domain familiarity directly affects pacing. Candidates who are strong in Domains 2 (Scope of the System) and 6 (System Compliance) tend to move through those questions quickly, banking time for the more scenario-heavy questions in Domains 1, 4, and 5. Build your pacing awareness through timed practice sessions before exam day.
| Exam Parameter | Detail |
|---|---|
| Total Questions | 125 (includes unscored pretest items) |
| Question Format | Single-best-answer multiple choice (4 options) |
| Time Allowed | 3 hours (180 minutes) |
| Average Time Per Question | ~86 seconds |
| Delivery Method | Pearson VUE CBT (in-center or online proctored) |
| Language | English |
| Scoring Scale | (ISC)² scaled scoring; passing score is 700 out of 1000 |
Domain Breakdown and Weight Distribution
The CGRC exam covers seven domains, each carrying a specific percentage of the total scored content. These weights are not suggestions; they are the (ISC)² blueprint, and your study plan should mirror them proportionally.
| Domain | Name | Weight |
|---|---|---|
| 1 | Security and Privacy Governance, Risk Management, and Compliance Program | 16% |
| 2 | Scope of the System | 10% |
| 3 | Selection and Approval of Framework, Security, and Privacy Controls | 14% |
| 4 | Implementation of Security and Privacy Controls | 17% |
| 5 | Assessment/Audit of Security and Privacy Controls | 16% |
| 6 | System Compliance | 14% |
| 7 | Compliance Maintenance | 13% |
Domains 1, 4, and 5 together represent 49% of the exam, nearly half the total scored questions. If you are time-constrained in your preparation, these three domains must receive disproportionate attention. Domains 3 and 6 are equally weighted at 14% each, and Domain 7 at 13% is close behind. Domain 2 at 10% is the lightest, but do not ignore it; scoping decisions have downstream consequences across the entire RMF that the exam will probe in other domain questions.
What Each Domain Actually Tests
Domain 1: Security and Privacy Governance, Risk Management, and Compliance Program (16%)
This domain establishes the foundation. Candidates must understand how organizational risk tolerance is defined, how governance structures (including Authorizing Officials, System Owners, and ISSOs) interrelate, and how privacy and security programs are integrated rather than run in parallel silos.
- NIST RMF step roles and responsibilities
- Risk framing at the organizational, mission/business, and information system tiers
- Privacy program integration with security governance (linking to NIST SP 800-37 and SP 800-53)
- Regulatory drivers: FISMA, FedRAMP, OMB circulars
Domain 2: Scope of the System (10%)
Scoping defines what is in and out of an authorization boundary. Exam questions here focus on system categorization using FIPS 199 and NIST SP 800-60, identifying system components, and establishing the authorization boundary correctly.
- FIPS 199 impact categorization (Confidentiality, Integrity, Availability)
- Defining system boundaries in cloud and hybrid environments
- Identifying data types and their impact levels under NIST SP 800-60
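As an added worked example (not from the article), the FIPS 199 high-water-mark categorization the bullets above refer to, in Python: each information type carries provisional C/I/A impact levels in the SP 800-60 style, the system categorization takes the highest level per objective, and the FIPS 200 overall impact level picks the SP 800-53 baseline. The information types and impact levels are constructed, and SP 800-60's adjustment of provisional levels is omitted.

```python
# Added example (not from the article): FIPS 199 / SP 800-60 style
# security categorization. The information types and impact levels are constructed.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # ordered: low < moderate < high


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels):
    """Return the highest impact level among the given levels."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """FIPS 199 system categorization: for each security objective, take the
    highest impact level across every information type the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }


def baseline_for(categorization):
    """FIPS 200: the overall impact level, and so the SP 800-53 baseline,
    is the high water mark across the three objectives."""
    return high_water_mark(categorization.values())


def format_sc(name, categorization):
    """Render the FIPS 199 notation: SC <system> = {(C, x), (I, y), (A, z)}."""
    c, i, a = (categorization[k] for k in ("confidentiality", "integrity", "availability"))
    return f"SC {name} = {{(confidentiality, {c}), (integrity, {i}), (availability, {a})}}"


# Constructed information types for a hypothetical benefits-processing system.
SAMPLE_TYPES = [
    InfoType("Public web content", "low", "moderate", "low"),
    InfoType("Beneficiary PII", "moderate", "moderate", "low"),
    InfoType("Payment disbursement records", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc("benefits system", sc))
    print("SP 800-53 baseline:", baseline_for(sc))
```

Note that a single high-integrity information type drives the whole system to the high baseline, which is exactly the downstream effect of scoping decisions the article warns about.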
Domain 3: Selection and Approval of Framework, Security, and Privacy Controls (14%)
Once scope and categorization are established, practitioners select a control baseline from NIST SP 800-53 and tailor it for the system's environment, risk posture, and operational context. This domain tests the logic of control selection and the overlay/tailoring process.
- NIST SP 800-53 control families and baseline selection
- Tailoring: scoping, compensating controls, and organization-defined parameters
- Privacy control selection and the Fair Information Practice Principles (FIPPs)
- System Security Plan (SSP) and Privacy Plan documentation
Domain 4: Implementation of Security and Privacy Controls (17%)
The highest-weighted domain focuses on how controls are actually put in place. This is where technical and operational security intersect with documentation discipline. Candidates must know what "implemented" means in an RMF context: it is not just deploying a firewall; it is documenting how each control is satisfied.
- Control implementation descriptions within the SSP
- Configuration management and baseline configuration
- Supply chain risk management considerations
- Privacy controls implementation and data minimization practices
- Continuous monitoring planning initiated during implementation
Domain 5: Assessment/Audit of Security and Privacy Controls (16%)
Assessment is the independent evaluation of whether implemented controls are working as intended. Questions here probe assessment methodology, evidence collection, Security Assessment Report (SAR) construction, and the role of the Control Assessor versus the System Owner.
- NIST SP 800-53A assessment procedures (examine, interview, test)
- Security Assessment Plan (SAP) development
- Findings classification: satisfied vs. other than satisfied
- Plan of Action and Milestones (POA&M) initiation from assessment findings
Domain 6: System Compliance (14%)
Compliance here means the formal authorization decision. Candidates must understand the Authorization to Operate (ATO), Denial of Authorization to Operate (DATO), and Interim Authority to Test (IATT), as well as the risk acceptance process the Authorizing Official follows.
- Authorization package components (SSP, SAR, POA&M, executive summary)
- Risk acceptance criteria and AO decision types
- Ongoing authorization vs. traditional periodic reauthorization
- Reciprocity and authorization boundaries for shared services
Domain 7: Compliance Maintenance (13%)
After authorization, systems must remain compliant. This domain covers continuous monitoring strategy, change management impact on the authorization boundary, and incident response's role in compliance posture.
- Continuous monitoring strategy and ISCM program design (NIST SP 800-137)
- Change management: when changes trigger reauthorization
- Security status reporting and ongoing authorization decisions
- System decommissioning and data disposition
The Hardest Domains and Why
Based on the nature of what each domain tests, Domains 1, 4, and 5 present the most conceptual challenge for most candidates; not coincidentally, they are also the three heaviest domains by weight.
Domain 1 is abstract. Risk framing at multiple tiers, privacy governance integration, and the interplay between organizational policy and system-level controls require the kind of holistic thinking that is hard to learn from a single reference document. Candidates who come from a purely technical background (system administrators, network engineers) often underperform here because their experience is at Tier 3, not Tiers 1 and 2.
Domain 4 trips up candidates who conflate "knowing what a control does" with "knowing how to document that a control is implemented." The CGRC exam is fundamentally about process and documentation discipline. A candidate who can configure a SIEM but cannot articulate what the SSP implementation narrative for AU-2 should contain will struggle with Domain 4 questions.
Domain 5 requires understanding the independence and objectivity requirements for assessors, the three NIST SP 800-53A methods, and the logical flow from SAP to SAR to POA&M. Scenario questions here often test whether a candidate knows who should do something, not just what should be done.
Key Takeaway
If you score below 70% on any domain in your practice tests, prioritize that domain immediately regardless of its weight. A weakness in Domain 2 (only 10%) can cascade into wrong answers on Domain 3 and Domain 6 questions, because scoping errors affect control selection and authorization decisions downstream.
Scheduling Your Prep Around the Domain Weights
Rather than generic weekly templates, the following schedule is built specifically around CGRC domain weights and the logical dependency order of the RMF lifecycle. Study the domains in the sequence the RMF flows, not in numerical order, so concepts build on each other the way they do in practice.
Domains 2 and 3 - Foundation Before Process
- Master FIPS 199, FIPS 200, and NIST SP 800-60 for categorization (Domain 2)
- Study NIST SP 800-53 control families and baseline selection logic (Domain 3)
- Complete 30-40 practice questions per domain; note every wrong answer
Domain 1 - Governance and Risk Framing
- Study the three-tier risk management model from NIST SP 800-39
- Map RMF roles (AO, SO, ISSO, ISSM, SCA) and their decision authorities
- Integrate privacy governance: review NIST SP 800-53 Appendix J and the Privacy Framework
Domain 4 - Implementation (Heaviest Domain)
- Focus on SSP writing mechanics: what a control implementation narrative must contain
- Study configuration management and supply chain risk management concepts
- Run timed practice sets of 25 questions; target under 35 minutes per set
Domains 5 and 6 - Assessment and Authorization
- Work through NIST SP 800-53A assessment methods: examine, interview, test
- Study SAP and SAR structure; practice identifying "other than satisfied" findings
- Understand ATO package components and AO risk acceptance criteria (Domain 6)
Domain 7 and Full Review
- Cover continuous monitoring strategy using NIST SP 800-137
- Study change management triggers for reauthorization
- Take two full-length timed practice exams; review every incorrect answer by domain
Run full-length timed simulations using the CGRC practice test platform at the end of Weeks 3, 4, and 5. Each simulation should be 125 questions in 180 minutes to build the endurance and pacing habits the actual exam requires.
Who Hires CGRC-Certified Professionals
The CGRC credential targets a specific professional niche: practitioners who operate inside or adjacent to the federal information security authorization ecosystem. Primary employers include:
- Federal civilian agencies (DoD, DHS, HHS, VA, Treasury, and others) that must comply with FISMA and maintain Authorization to Operate (ATO) programs for their information systems
- Defense contractors and government systems integrators that manage RMF programs on behalf of DoD components or civilian agencies
- Cloud service providers pursuing FedRAMP authorization, where a dedicated compliance or authorization specialist is often required throughout the Joint Authorization Board (JAB) process
- Large healthcare, financial, and critical infrastructure organizations that have adopted NIST CSF or NIST SP 800-53 as their internal security framework, particularly those with government contracts
- Consulting firms and advisory practices that deliver RMF advisory, audit readiness, and ATO support services to federal and federal-adjacent clients
Titles associated with the CGRC include Information System Security Officer (ISSO), Information System Security Manager (ISSM), Authorization Program Manager, Compliance Analyst, and Senior GRC Analyst. The credential signals to employers that a candidate understands not just the technical security controls, but the governance process, documentation discipline, and regulatory logic that make an authorization package defensible and auditable.
Before sitting for the exam, confirm that your professional background meets the experience requirements outlined in the CGRC Prerequisites and Experience Requirements 2026 guide, particularly the paid work experience requirements that (ISC)² enforces before awarding the full certification.
Frequently Asked Questions
The CGRC exam contains 125 questions and candidates are given 3 hours (180 minutes) to complete it. Some questions are unscored pretest items, but you will not know which ones; answer every question as if it counts toward your score.
No. The current CGRC exam uses exclusively single-best-answer multiple-choice questions with four answer choices. There are no simulation, hotspot, or drag-and-drop item types. However, the questions are scenario-based and test professional judgment rather than simple recall.
Domain 4, Implementation of Security and Privacy Controls, is the heaviest at 17% of the exam. Domains 1 and 5 are each 16%, making these three domains collectively the largest portion of the exam. Prioritize them accordingly in your study schedule.
Both options are available. The exam is delivered through Pearson VUE, which offers in-person testing at authorized test centers globally as well as remote online proctoring through the OnVUE platform. Check the current Pearson VUE site for specific system requirements if you plan to test from home.
The most effective method is consistent practice with questions that mirror the actual exam's scenario style: short professional situations followed by "best next action" or "most appropriate response" choices. Use domain-specific CGRC practice tests so you can identify which domains need more attention rather than treating all questions as one undifferentiated pool.
Ready to Start Practicing?
Put your CGRC domain knowledge to the test with scenario-based practice questions that mirror the actual exam format. Identify your weak domains now, before exam day, and build the judgment and pacing habits you need to pass with confidence.