CGRC Salary: What Governance, Risk and Compliance Pros Actually Earn
An honest look at CGRC salary data - what ISSOs, security control assessors, GRC analysts, and compliance managers really earn, why the pay skews federal, and where the numbers are thin.

Table of Contents
The CGRC salary question comes up constantly in governance, risk, and compliance circles, and it is harder to answer honestly than most certification pay guides admit. CGRC is a smaller, more specialised credential than CISSP or CISA, and the people who hold it cluster in a narrow slice of the market: US federal agencies, defense contractors, FedRAMP-focused cloud providers, and firms doing NIST Risk Management Framework (RMF) work.
This guide covers what CGRC holders realistically earn by role, why the pay data skews so heavily toward government and cleared work, what the exam actually costs and requires, and where the numbers are thin enough that you should treat them as directional only. You can review the full exam breakdown on our CGRC exam page.
CGRC vs CAP: Same Certification, New Name
If you searched for CGRC and kept landing on pages about CAP, you are not confused - the certification was renamed. CGRC (Certified in Governance, Risk and Compliance) is the ISC2 credential formerly known as CAP (Certified Authorization Professional). ISC2 rebranded it in 2023 to reflect a broader governance and compliance scope rather than the narrower "authorization" framing of the CAP era.
Practical implications of the rename:
- It is the same certification. Existing CAP holders were transitioned to CGRC automatically. No re-examination, no additional fee.
- Job postings lag the rename. Federal and contractor job descriptions still list "CAP" years later, often alongside CISSP and CISM in the same requirements block. Search both terms when job hunting.
- Salary data is fragmented across two names. Any aggregate figure you find is split between CAP-era and CGRC-era reporting, which is one reason precise CGRC-specific pay data barely exists.
- DoD 8140/8570 relevance carried over. The credential retained its standing in US Department of Defense workforce requirements, which is a large part of why it holds value at all.
If a recruiter asks whether you hold CAP, the correct answer for a CGRC holder is yes.
How Much Does a CGRC Holder Earn?
Here is the honest framing: there is no reliable CGRC-specific national salary figure. The certification population is small relative to CISSP or CISA, and most published "CGRC salary" numbers are actually GRC role salary data with the certification bolted on as a label. Treat everything below as role-based benchmarking, not a guaranteed CGRC premium.
Across US job postings, contractor pay bands, and community reporting, professionals in RMF and authorization-focused roles who hold CGRC commonly report total compensation in the following bands:
| Early career (2-4 yrs) | $85,000 - $110,000 |
| Mid-level (5-8 yrs) | $110,000 - $140,000 |
| Senior / lead (9+ yrs) | $140,000 - $175,000 |
| Manager / program owner | $150,000 - $195,000+ |
Two caveats matter more than the numbers themselves. First, these ranges reflect the roles CGRC holders occupy, and someone in the same seat without the cert often earns similarly. Second, the ranges compress sharply outside the Washington DC metro and a handful of defense hubs, because that is where the demand concentrates.
CGRC Salary by Role
Role title explains more of the variance than the certification does. The four titles CGRC holders most commonly hold, with typical US ranges:
- Information System Security Officer (ISSO) - roughly $95,000 to $145,000. The single most common destination for CGRC holders. ISSOs own the security posture and documentation of specific systems, shepherd them through the Authority to Operate (ATO) process, and maintain the System Security Plan. Cleared ISSO roles at the top of this band are common in the DC area.
- Security Control Assessor (SCA) / Validator - roughly $105,000 to $155,000. Independent assessment of implemented controls against NIST SP 800-53. Highly aligned with the CGRC exam blueprint, and one of the few roles where the credential is genuinely named as a preferred qualification.
- GRC Analyst - roughly $85,000 to $130,000. The broadest and most commercial of the four. Commercial-sector GRC analysts often work SOC 2, ISO 27001, and internal policy rather than RMF, and in that context CGRC carries less weight than it does federally.
- Compliance / Risk Manager - roughly $130,000 to $185,000. Program ownership, audit relationships, and multi-system authorization portfolios. At this level the credential is table stakes rather than a differentiator; leadership track record drives the offer.
FedRAMP-specialised roles - advisors, 3PAO assessors, and cloud authorisation leads - tend to sit at or above the top of the SCA band, because the supply of people who genuinely understand FedRAMP package work is small.
Why CGRC Pay Concentrates in Federal and Cleared Work
The concentration of CGRC value in US government-adjacent work is the most important thing to understand before you sit the exam. The exam blueprint is built around the NIST Risk Management Framework - categorise, select, implement, assess, authorise, monitor. That framework is mandatory for US federal information systems and flows down to contractors, but it is not the operating model of a typical commercial enterprise.
What that means practically:
- Security clearance is often the bigger lever. An active Secret or TS/SCI clearance can add $10,000 to $30,000 to an offer for the same role - frequently more than any certification premium.
- Geography is narrow. The DC/Maryland/Virginia corridor, plus Colorado Springs, Huntsville, San Antonio, and Tampa, account for a disproportionate share of postings.
- Outside the US, recognition drops sharply. In Europe, Australia, and most of Asia, ISO 27001 lead auditor or implementer credentials carry more weight for GRC hiring than CGRC does.
- Commercial GRC hiring rarely names CGRC. Postings tend to list CISSP, CISA, or CRISC. If your career target is commercial GRC, the CISSP is usually the higher-leverage credential.
None of this makes CGRC a bad certification. It makes it a targeted one, and the return on it depends almost entirely on whether you are heading into RMF and authorisation work.
CGRC Exam Cost, Format, and Requirements
The logistics are straightforward and cheaper than most ISC2 credentials:
- Exam fee: $599 USD
- Format: 125 multiple-choice questions
- Duration: 3 hours
- Passing score: 700 out of 1000
- Experience requirement: 2 years of cumulative paid work experience in one or more of the exam domains
- Annual maintenance fee: $135 USD
- CPE requirement: 60 CPE credits over the 3-year certification cycle
The two-year experience bar is notably lower than CISSP's five years, which makes CGRC a realistic mid-career credential rather than a late-career one. Candidates who cannot yet meet the requirement can pass the exam and hold Associate of ISC2 status while accruing the experience.
The exam covers seven domains with the following weightings:
| 1. Information Security Risk Management Program | 16% |
| 2. Scope of the Information System | 10% |
| 3. Selection and Approval of Framework, Security and Privacy Controls | 16% |
| 4. Implementation of Security and Privacy Controls | 15% |
| 5. Assessment/Audit of Security and Privacy Controls | 16% |
| 6. Authorization/Approval of Information System | 14% |
| 7. Continuous Monitoring | 13% |
The weightings are deliberately flat - no single domain dominates, so a narrow preparation strategy does not work well here. If you want to gauge your readiness on governance and risk material before committing the $599, work through our free practice tests to find your weak domains first.
Is CGRC Worth It for the Money?
The financial case is unusually easy to model because the costs are low. Total first-year outlay is roughly $599 for the exam plus the $135 annual maintenance fee, well under $1,000 before study materials. Against mid-level role bands of $110,000 to $140,000, even a modest positioning advantage repays that quickly.
CGRC is worth it if:
- You work in or are targeting US federal, defense contractor, or FedRAMP environments.
- Your role touches ATO packages, System Security Plans, POA&Ms, or control assessments.
- You need a DoD 8140-aligned credential and want one with a two-year experience bar rather than five.
- You already hold or are pursuing a clearance - the combination is where the real pay sits.
CGRC is a weaker choice if:
- You are in commercial GRC where SOC 2 and ISO 27001 dominate.
- You work outside the United States.
- You want a broad, portable security credential - in which case CISSP covers more ground and is recognised far more widely.
The most common winning pattern we see: CGRC as a second or third credential, stacked on top of a broader cert, used to signal specific RMF and authorisation depth to federal hiring managers. As a first and only certification, it is narrow. As a specialisation marker, it is efficient and cheap. Full domain and logistics detail is on our CGRC certification page.
Frequently Asked Questions
Is CGRC the same as CAP?
Yes. CGRC (Certified in Governance, Risk and Compliance) is the current name for the ISC2 credential previously called CAP (Certified Authorization Professional). ISC2 renamed it in 2023 and transitioned existing CAP holders automatically - no re-exam and no extra fee. Many job postings still say CAP, so search both terms.
How much does a CGRC holder earn?
There is no reliable CGRC-specific national average, because the certified population is small and most published figures are really GRC role data. Based on the roles CGRC holders typically occupy in the US, mid-level compensation commonly falls between $110,000 and $140,000, with senior and program-management roles reaching $175,000 or more. Ranges compress significantly outside US government and defense hubs.
Is CGRC harder than CISSP?
No. CGRC has 125 questions in 3 hours against CISSP's adaptive format, requires 2 years of experience rather than 5, and covers 7 tightly scoped RMF-aligned domains rather than CISSP's 8 broad domains. Most candidates find CGRC materially easier - but also narrower in career value.
What does the CGRC exam cost?
The exam fee is $599 USD. After certification there is a $135 annual maintenance fee and a requirement of 60 CPE credits across each 3-year cycle. Total ongoing cost is low compared with most enterprise security certifications.
Do I need a security clearance to benefit from CGRC?
Not strictly, but it helps enormously. Because CGRC value concentrates in US federal and defense contractor work, an active Secret or TS/SCI clearance often adds more to an offer - commonly $10,000 to $30,000 - than the certification itself. The clearance plus CGRC combination is where the strongest pay sits.
Is CGRC worth it for commercial sector GRC roles?
Less so. Commercial GRC hiring revolves around SOC 2, ISO 27001, and internal risk frameworks, and postings usually name CISSP, CISA, or CRISC instead. If your target is commercial rather than federal, a broader credential will generally return more.
Practice with ExamCert
1000+ certification practice questions covering AWS, Azure, GCP, AI, security, and more — with detailed explanations.
Browse All ExamsMaster the 2026 IT Stack
Practice exam questions with detailed explanations across AWS, Azure, GCP, security, and AI certifications.
