Why CASP Exists: A Slightly Cynical View (and no, this doesn’t mean I’m advocating the CISSP)
In the world where DoD 8570.01-M (DoDD 8140) is relevant, the CISSP has long been a staple for those seeking IAT Level III, IAM Level II/Level III and IASAE I and IASAE II roles. CompTIA’s CASP exam endeavors to muscle in on that action.
With the exception of IAM Level III roles, the two certifications have a lot of parity as it relates to satisfying certification criteria. But that doesn’t really answer which one you should attain. The CISSP and CASP claim to measure different skills. And while they do seem to have some overlap in the organizational roles they are targeting, there is a good bit of difference between them. What you do for a living (or want to do) may very well direct you toward the exam that is best suited to your career goals.
Ever since the DoD 8570/8140 requirements were put in place the progression in the mind of my students has been, “Get the Security+ and then get the CISSP.” As it related to exam registrations, this meant that CompTIA received the first round of money (Security+) and (ISC)² received the second (CISSP). CompTIA, despite being a non-profit, almost certainly didn’t like this. Their response was to create a certification that matched the CISSP from a DoD acceptability perspective. Having now positioned the CASP to be an acceptable alternative for most of the IAT/IAM/IASAE levels previously held firmly by (ISC)²’s CISSP cert, the Security+ and CASP certs are poised to be a double-dipping-one-two-punch in CompTIA’s revenue stream. Combine that with the murmurs I hear from people that the CASP is “easier to get and maintain” and CompTIA money folks must be grinning ear to ear, hands wringing in anticipation of overflowing coffers.
To say that there are substantial sums of money in play with all of the certification hullabaloo is a bit of an understatement. CompTIA wants as much of it as they can get.
Neither CompTIA nor (ISC)² has any product to sell other than certification. An enormously large portion of their revenue stream is people paying the rather large examination fees ($599 and $426 for (ISC)² and CompTIA, respectively). In addition to an exam fee that has steadily increased in cost over the last decade, (ISC)² has been crushing it since the beginning by requiring annual fees from their certified constituents. CompTIA finally got wise to this alternate revenue stream back in 2011 and started charging people for the privilege of certification. It’s an unavoidable gotcha, for sure. A lot of us have to hold these certs in order to have our job (or the job we want), so paying the fee isn’t really avoidable. If you don’t want to pay your annual dues, your cert will expire and the only way to get it back is to take the test again. You’re spending money either way, but it’s cheaper to just settle and pay the annual fees. I can assure you that this pricing structure is not an accident.
| CISSP Exam | CASP Exam |
| --- | --- |
| 250 questions | Up to 90 questions |
| 6-hour time limit | 165-minute time limit |
| Breaks down to an average of 1:26 per question | Breaks down to an average of 2:03 per question |
| 700/1000 to pass. Score only given upon failure. | Pass/Fail. No score provided. |
| Pearson VUE Testing Centers only | Pearson VUE Testing Centers only |
| $599 USD | $426 USD |
Will You Be Better at What You Do?
Does either of these exams make us better at our jobs? Yes and no. On their very best day their value is ancillary. Because they are not vendor specific, much less organization specific, they will not always provide any sort of direct mapping that demonstrates that you (or your people) are better at what they do. They teach you nothing about implementing your company’s web app and they teach you nothing about the specific commands needed to implement a VPN between two Cisco routers. And you certainly won’t learn the command syntax to pipe the output of crunch into aircrack-ng in order to attack a WPA-PSK handshake. Those types of things are truly technical and quite vendor-specific. You get none of that from either cert. What both of these certifications do is increase awareness of the holistic nature of cybersecurity. Having written that, please note that CASP is much closer to the front-lines (i.e. hands-on technical) than the CISSP. But neither is truly technical. In order to be truly technical (as it relates to your job), you have to be vendor specific.
When I think of what the process of preparing for the CISSP exam did for me I cannot help but remember the scene in Interview with the Vampire when Brad Pitt’s character, Louis, is first transformed into a vampire. The world he knew as a human melted away and everything he looked at was new again. Because a lot of us are pretty compartmentalized in our jobs we often fail to see the bigger picture as it relates to overall security. If you mentally assimilate the information necessary to be worthy of the CISSP cert you will likely have a similar moment, minus the fangs, pale skin and insatiable blood lust. The organization, its goals, and why it needs to do certain things becomes much more evident. The need for formalized, structured processes rather than ad-hoc meanderings becomes incredibly evident. You don’t leave the CISSP exam room knowing how to do those things; you only know that they need to be done. You still have a lot of work to do when it comes to theory meeting practice back at the office.
What are the questions like?
CompTIA claims that the CASP exam addresses the ‘how’ while implying the CISSP only delves into the ‘why’. This is a bit of a stretch on CompTIA’s part. I’d say the questions are more in the vein of “what’s the problem in this situation?”, “what should you do to fix this?”, “what is the attacker doing?”, and “which product type would best solve this problem?”. To be fair that’s closer to ‘how’ than the CISSP is but there is still a gap between actually doing technical things and the CASP exam questions.
The CASP is much more technical than the CISSP, for sure. The multiple-choice questions are also more direct and to the point. One of the long-standing criticisms of the CISSP is that the questions are sometimes unnecessarily vague (which is a euphemism for ‘annoying as hell’). More than once when taking the CISSP exam you will wonder if you are being tested on your cybersecurity knowledge or on your test-taking/reading comprehension skills.
Consider this sample CASP question I made up for the occasion:
The CISSP exam may have questions more like this:
The answer to the CISSP question is arguably less clear. Every item listed is one you would do but the question is which one would you do first. This means the answer is process-based and potentially contextual. It’s not as easy to answer. The CASP question, by contrast, is much more direct. One of the answers is correct, the others are not. The question will set the context making one answer more correct when more than one is potentially correct (switching to a compound bow would be a legitimate possibility if the company had not standardized on pistols).
What the Exams Claim to Measure and Who the Exams Are For
| CISSP Exam | CASP Exam |
| --- | --- |
| Per (ISC)², the CISSP cert claims to measure: “knowledge and understanding of new threats, technologies, regulations, standards, and practices” | Per CompTIA, the CASP cert claims to measure: “technical knowledge and skills required to conceptualize, design, and engineer secure solutions across complex enterprise environments”; “competency in enterprise security; risk management; incident response; research and analysis; integration of computing, communications and business disciplines; and technical integration of enterprise components” |
| Per (ISC)², who the CISSP cert is for (by role): | Per CompTIA, who the CASP cert is for (by role): |
| Per (ISC)², who the cert is for: “ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program” | |
Major Certification Similarities (and a few differences in bold)
| CISSP Exam | CASP Exam |
| --- | --- |
| (ISC)² is a non-profit organization | CompTIA is a non-profit organization |
| Updated exam released in early/mid-2015 | Updated exam released in early 2015 |
| You must ‘apply’ to take the exam. Submission of experience is required to take exam. | No submission of experience is required prior to taking exam. |
| Accredited by ANSI and ISO/IEC 17024:2003 | Accredited by ISO and ANSI |
| Exam is vendor neutral | Exam is vendor neutral |
| DoD compliant for 8570.01-M and 8140 | DoD compliant for 8570.01-M and 8140 |
| Good for DoD IAT Level III, IAM Level II and IAM Level III | Good for DoD IAT Level III and IAM Level II |
| Good for DoD IASAE I and IASAE II | Good for DoD IASAE I and IASAE II |
| Not sufficient for any DoD CND role | Not sufficient for any DoD CND role |
| 3-year renewal cycle | 3-year renewal cycle |
| Requires annual fee (Annual Maintenance Fee, AMF). | Requires annual fee (Continuing Education Program Fees). |
| Requires submission of Continuing Professional Education (CPE) credits. 120 CPEs per 3-year cycle. How to earn CPEs for CISSPs (PDF) | Requires submission of Continuing Education (CE) credits. 75 CEUs per 3-year cycle. How to earn CEUs for CASP (PDF) |
| DoD personnel must keep cert updated in DMDC (Defense Manpower Data Center) | DoD personnel must keep cert updated in DMDC (Defense Manpower Data Center) |
My Overall Assessment
I have been a CISSP since 2002 (Colin Weaver, CISSP #37632). As I have recently written, it’s a door opener. Or, at the very least, it’s not a door closer. The latter of those two statements is probably more accurate. There are some roles in the cybersecurity world that want to see it on your resume but it’s not as many as (ISC)² would like you to believe. While the CASP has made tremendous inroads on the list of approved DoD certs, it still doesn’t have the recognition of the CISSP. There are so many different certifications out there these days, it’s tough to keep up. On a regular basis I see certification acronyms and have to go look them up. It’s quite ridiculous, really. As of today, the CASP is more likely to get a blank stare because it is not as well known. But that is changing. CASP popularity is growing. Only time is going to tell if it makes its way onto the list of retired CompTIA exams. For comparison, (ISC)² does not have a list of retired exams; there aren’t any.
Our Recommendations for Study Materials
- CompTIA Advanced Security Practitioner (CASP) CAS-002 Cert Guide
- CISSP All-in-One Exam Guide, Seventh Edition
- CISSP Study Guide, Third Edition