CompTIA is well-known with technology professionals. Many IT pros started their technology careers by earning CompTIA's A+ certification. Today, CompTIA offers a wide variety of certifications covering everything from cloud technologies to security. CompTIA certifications are differentiated from others in the market because they are vendor-neutral.
The CASP certification itself offers little value to non-government employers, as it covers so much material but tests on so little.
The organization has now set its sights on being the first to offer a certification specifically designed to address Department of Defense (DoD) Directive 8570.1 specifications. Did CompTIA hit the mark? That's what we'll discuss in this tip.
Background: DoD Directive 8507.1
A few years ago, the U.S. government was looking for a method to screen the capabilities of job candidates and verify the information security knowledge of existing technical staff. The DoD issued Directive 8570.1 in 2005, which established the security certification requirements for technical and information security personnel in the U.S. government. This directive established a baseline of stringent requirements for commercial security certifications to be used to verify the information security knowledge possessed by its workforce.
The CompTIA Advanced Security Practitioner (CASP) is the latest security certification from CompTIA and the first designed to meet DoD requirements. The CASP certification is intended to be the most advanced technical security certification CompTIA has ever developed. The prerequisites are steep and require a minimum of 10 years of experience in IT administration and five years of hands-on security experience. It is accredited by ANSI and compliant with ISO 17024, which requires regular reviews and updates of the certification.
The breadth of material the CASP certification exam covers is vast, so it is weighted on specific domains of information security knowledge:
This list of topics is deceptive and can lead a prospective test taker to the incorrect conclusion about the ease of passing this test. The test itself is short, but there is a lot of ground to cover in order to be ready for it.
This first domain, Enterprise Security, includes a number of subcategories. Section 1.1 requires strong knowledge of cryptographic tools and techniques, including advanced public key infrastructure concepts, digital signatures, hashing, non-repudiation, confusion and diffusion, just to name a few. This one subsection of encryption and cryptography could be a test all on its own, but there is so much more.
Section 1.2 of the Enterprise Security Domain is focused on virtualization and distributed computing, including everything from VLANS, virtual desktop infrastructure, terminal services and elastic cloud computing, as well as their associated vulnerabilities. This section also covers enough ground to warrant a separate test, just as section 1.1, yet there are six more sections to cover:
Section 1.3 Virtual storage including NAS, SAN, vSAN, iSCSI, FcoE, etc.
Section 1.4 Network design including remote access, VoIP, IPv6, DNS, etc.
Section 1.5 Security controls for hosts including firewalls, antivirus and IPS/HIDS
Section 1.6 Web application security including XSS, SQL injection, Secure
Development Lifecycle (SDL), etc.
Section 1.7 Security tools including port scanners, fuzzers, password crackers, etc.
The extensive content that is included in the Enterprise Security domain is only 40% of a test that consists of only 80 questions for all four domains. The remaining sections are just as vast and cover just as much material.
It's worth taking a moment to briefly compare the CASP certification to (ISC)2's CISSP certification. The CISSP, widely considered the preeminent information security industry certification, has taken criticism in recent years for not being an accurate representation of a person's security skills. The CISSP exam covers similar material as the CASP, but contains 250 questions, three times as many as the CASP exam. Some would argue 250 questions aren't enough to verify an individual is an expert in information security. However, 250 questions has to be a better indicator of an individual's capabilities than 80 questions. It is surprising that CompTIA did not seize this opportunity and design a more stringent assessment for its most advanced certification.
There is no doubt that the CASP certification is intended to be a comprehensive review of the information security knowledge base. However, the test itself may not be an accurate assessment of an individual's knowledge. Information security practitioners do need to understand all of these topics at a high level, but they usually end up specializing in order to master a particular topic. Cryptographers are not always the best at forensics or governance, for example. The CASP test could lead to more boot camps dedicated to preparing people to pass a test for which they forget the information they learned in a week. The test may be more valid if it were expanded to cover all of the intended areas, and then require the test taker to declare a specialization that is covered in greater depth.
As it stands, the CASP certification is simply a hurdle for government employees to pass over in order to keep or obtain jobs. The CASP certification itself offers little value to non-government employers, as it covers so much material but tests on so little. Employers will only know that the certification holders have been exposed to information security, but not fully vetted. People just getting started in information security may benefit from studying the material covered by CASP as long as they don't put too much stock in the test itself.
Certifications are the beginning of knowledge and a solid foundation on which to build. The best security practitioners are those who learn and study because of an insatiable curiosity and a self-motivated passion for the industry. The CASP certification does cover the right material, but is a "mile long and an inch deep." The CASP certification may prove to be a good starting point for businesses as well as government agencies as a replacement for Security+. However, the test must expand in order to become the benchmark by which security professionals are measured.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in health care information technology. He is an active independent author and presenter in the health care information technology and information security fields. He is frequently consulted by the media and interviewed on various health care information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.