CASP vs CISSP – Let’s Explore

Which Certification is Right for You?

Why CASP Exists:  A Slightly Cynical View (and no, this doesn’t mean I’m advocating the CISSP)

In the world where DoD 8570.01-M (DoDD 8140) is relevant the CISSP has long been a staple for those seeking IAT Level III, IAM Level II/Level III and IASAE I and IASAE II roles.  CompTIA’s CASP exam endeavors to muscle in on that action.

With the exception of IAM Level III roles the two certifications have a lot of parity as it relates to satisfying certification criteria. But that doesn’t really answer which one you should attain.  The CISSP and CASP claim to measure different skills.  And while they do seem to have some overlap in the organizational roles they are targeting there is a good bit of difference between them.  What you do for a living (or want to do) may very well direct you toward the exam that is best suited to your career goals.

Ever since the DoD 8570/8140 requirements were put in place the progression in the mind of my students has been, “Get the Security+ and then get the CISSP.” As it related to exam registrations, this meant that CompTIA received the first round of money (Security+) and (ISC)² received the second (CISSP). CompTIA, despite being a non-profit, almost certainly didn’t like this. Their response was to create a certification that matched the CISSP from a DoD acceptability perspective.  Having now positioned the CASP to be an acceptable alternative for most of the IAT/IAM/IASAE levels previously held firmly by (ISC)²’s CISSP cert, the Security+ and CASP certs are poised to be a double-dipping-one-two-punch in CompTIA’s revenue stream. Combine that with the murmurs I hear from people that the CASP is “easier to get and maintain” and CompTIA money folks must be grinning ear to ear, hands wringing in anticipation of overflowing coffers.

To say that there are substantial sums of money in play with all of the certification hullabaloo is a bit of an understatement.  CompTIA wants as much of it as they can get.

Neither CompTIA nor (ISC)² has any product to sell other than certification. An enormously large portion of their revenue stream is people paying the rather large examination fees ($599 and $426 for (ISC)² and CompTIA, respectively). In addition to an exam fee that has steadily increased in cost over the last decade, (ISC)² has been crushing it since the beginning by requiring annual fees from their certified constituents. CompTIA finally got wise to this alternate revenue stream back in 2011 and started charging people for the privilege of certification. It’s an unavoidable gotcha, for sure. A lot of us have to hold these certs in order to have our job (or the job we want) so paying the fee isn’t really avoidable. If you don’t want to pay your annual dues your cert will expire and the only way to get it back is to take the test again. You’re spending money either way but it’s cheaper to just settle and pay the annual fees. I can assure you that this pricing structure is not an accident.

Exam Details

| CISSP Exam | CASP Exam |
| --- | --- |
| 250 questions | Up to 90 questions |
| 6-hour time limit | 165-minute time limit |
| Breaks down to an average of 1:26 per question | Breaks down to an average of 2:03 per question |
| 700/1000 to pass. Score only given upon failure. | Pass/Fail. No score provided. |
| Pearson VUE Testing Centers only | Pearson VUE Testing Centers only |
| $599 USD | $426 USD |

Will You Be Better at What You Do?

Do either of these exams make us better at our jobs? Yes and no. On their very best day their value is ancillary. Because they are not vendor specific, much less organization specific, they will not always provide any sort of direct mapping that demonstrates that you (or your people) are better at what they do. They teach you nothing about implementing your company’s web app and they teach you nothing about the specific commands needed to implement a VPN between two Cisco routers. And you certainly won’t learn the command syntax to pipe the output of crunch into aircrack-ng in order to attack a WPA-PSK handshake. Those types of things are truly technical and quite vendor-specific. You get none of that from either cert. What both of these certifications do is increase awareness of the holistic nature of cybersecurity. Having written that, please note that CASP is much closer to the front lines (i.e. hands-on technical) than the CISSP. But neither is truly technical. In order to be truly technical (as it relates to your job), you have to be vendor specific.

When I think of what the process of preparing for the CISSP exam did for me I cannot help but remember the scene in Interview with the Vampire when Brad Pitt’s character, Louis, is first transformed into a vampire.  The world he knew as a human melted away and everything he looked at was new again.  Because a lot of us are pretty compartmentalized in our jobs we often fail to see the bigger picture as it relates to overall security. If you mentally assimilate the information necessary to be worthy of the CISSP cert you will likely have a similar moment, minus the fangs, pale skin and insatiable blood lust.  The organization, its goals, and why it needs to do certain things becomes much more evident.  The need for formalized, structured processes rather than ad-hoc meanderings becomes incredibly evident.  You don’t leave the CISSP exam room knowing how to do those things; you only know that they need to be done.  You still have a lot of work to do when it comes to theory meeting practice back at the office.

What are the questions like?

CompTIA claims that the CASP exam addresses the ‘how’ while implying the CISSP only delves into the ‘why’. This is a bit of a stretch on CompTIA’s part. I’d say the questions are more in the vein of “what’s the problem in this situation?”, “what should you do to fix this?”, “what is the attacker doing?”, and “which product type would best solve this problem?”.  To be fair that’s closer to ‘how’ than the CISSP is but there is still a gap between actually doing technical things and the CASP exam questions.

The CASP is much more technical than the CISSP, for sure. The multiple-choice questions are also more direct and to the point. One of the long-standing criticisms of the CISSP is that the questions are sometimes unnecessarily vague (which is a euphemism for ‘annoying as hell’). More than once when taking the CISSP exam you will wonder if you are being tested on your cybersecurity knowledge or on your test-taking/reading comprehension skills.

Consider this sample CASP question I made up for the occasion:


Your organization has standardized on the use of pistols.  You raise your pin-fired pistol and aim at the target. The slide is all the way back, locked in position. You look in the ejection port and notice that no round is visible. Which of the following is the most appropriate action to take?

  1. Squeeze the trigger to send a round toward the target.
  2. Move to a position closer to the target.  Aim and squeeze the trigger.
  3. Set the safety.  Replace the pistol with a compound bow.
  4. Drop the empty magazine, insert a loaded magazine.  Release the slide.

The CISSP exam may have questions more like this:

You wake up after a restful night of sleep. You realize that a power outage prevented your alarm clock from sounding and you are now running late for work and you have a meeting scheduled first thing in the morning. Which of the following would you do first upon this realization? Select the BEST answer.

  1. Use the restroom.
  2. Pick out clothes to wear.
  3. Brush your teeth.
  4. Eat breakfast.
  5. Take a shower.

The answer to the CISSP question is arguably less clear.  Every item listed is one you would do but the question is which one would you do first. This means the answer is process-based and potentially contextual.  It’s not as easy to answer.  The CASP question, by contrast, is much more direct.  One of the answers is correct, the others are not.  The question will set the context making one answer more correct when more than one is potentially correct (switching to a compound bow would be a legitimate possibility if the company had not standardized on pistols).

What the Exams Claim to Measure and Who the Exams Are For

CISSP Exam

Per (ISC)², the CISSP cert claims to measure:

“knowledge and understanding of new threats, technologies, regulations, standards, and practices”

Per (ISC)², who the CISSP cert is for (by role):

  • Security Consultant
  • Security Manager
  • IT Director/Manager
  • Security Auditor
  • Security Architect
  • Security Analyst
  • Security Systems Engineer
  • Chief Information Security Officer
  • Director of Security
  • Network Architect

Per (ISC)², who the cert is for:

“ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program”

CASP Exam

Per CompTIA, the CASP cert claims to measure:

“technical knowledge and skills required to conceptualize, design, and engineer secure solutions across complex enterprise environments”

and

“competency in enterprise security; risk management; incident response; research and analysis; integration of computing, communications and business disciplines; and technical integration of enterprise components”

Per CompTIA, who the CASP cert is for (by role):

  • Cybersecurity / IS Professional
  • Information Security Analyst
  • Security Architect
  • IT Specialist INFOSEC
  • IT Specialist, Cybersecurity

Major Certification Similarities (and a few differences in bold)

| CISSP Exam | CASP Exam |
| --- | --- |
| (ISC)² is a non-profit organization | CompTIA is a non-profit organization |
| Updated exam released in early/mid-2015 | Updated exam released in early 2015 |
| You must ‘apply’ to take the exam. Submission of experience is required to take exam. | No submission of experience is required prior to taking exam. |
| Accredited by ANSI and ISO/IEC 17024:2003 | Accredited by ISO and ANSI |
| Exam is vendor neutral | Exam is vendor neutral |
| DoD compliant for 8570.01-M and 8140 | DoD compliant for 8570.01-M and 8140 |
| Good for DoD IAT Level III, IAM Level II and IAM Level III | Good for DoD IAT Level III and IAM Level II |
| Good for DoD IASAE I and IASAE II | Good for DoD IASAE I and IASAE II |
| Not sufficient for any DoD CND role | Not sufficient for any DoD CND role |
| 3-year renewal cycle | 3-year renewal cycle |
| Requires annual fee (Annual Maintenance Fee, AMF). $85/year | Requires annual fee (Continuing Education Program Fees). $49/year |
| Requires submission of Continuing Professional Education (CPE) credits. 120 CPEs per 3-year cycle. How to earn CPEs for CISSPs (PDF) | Requires submission of Continuing Education (CE) credits. 75 CEUs per 3-year cycle. How to earn CEUs for CASP (PDF) |
| DoD personnel must keep cert updated in DMDC (Defense Manpower Data Center) | DoD personnel must keep cert updated in DMDC (Defense Manpower Data Center) |

My Overall Assessment

I have been a CISSP since 2002 (Colin Weaver, CISSP #37632). As I have recently written, it’s a door opener. Or, at the very least, it’s not a door closer. The latter of those two statements is probably more accurate. There are some roles in the cybersecurity world that want to see it on your resume but it’s not as many as (ISC)² would like you to believe. While the CASP has made tremendous inroads on the list of approved DoD certs it still doesn’t have the recognition of the CISSP. There are so many different certifications out there these days, it’s tough to keep up. On a regular basis I see certification acronyms and have to go look them up. It’s quite ridiculous, really. As of today, the CASP is more likely to get a blank stare because it is not as well known. But that is changing. CASP popularity is growing. Only time is going to tell if it makes its way onto the list of retired CompTIA exams. For comparison, (ISC)² does not have a list of retired exams; there aren’t any.

Why go CASP?

  • The CASP is a less expensive exam.
  • The CASP annual fees are lower.
  • The CASP Continuing Education (CE) requirements are fewer.
  • The CASP criteria for qualifying CE units are less stringent.
  • There are fewer questions on the CASP exam.
  • The CASP exam is more focused, less broad in scope.

Why go CISSP?

  • It is slightly more versatile in the DoD world (IAM Level III).
  • It is more broadly recognized than CASP.
  • Because of its longevity it carries more credibility than CASP.


Cheers,

Colin Weaver


About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.