Which IT Certification Should I Start With

Someone asked me “which IT Certification Should I Start With”. This is just my opinion backed by my own experience in the Information Technology career field. This is based on what I have seen.


I have a goal of taking the Offensive Security Certified Professional (OSCP). I will attempt it in the next 3 years. I figure it gives me time to study and gain experience programming to do advanced infiltrations on information systems.

I have been doing Information Security analyst work for a while and I enjoy doing it.  But I want to see all sides of security not just what an attack looks like from the inside looking out but from the outside looking in.

The main reason I want to attempt the OSCP is for fun.  I enjoy puzzles.  I want the challenge of it even if I fail miserably.

As certifications go, I think it's the future of high-level certifications. Not unlike the Cisco and Red Hat certifications, the OSCP takes practical skills to pass. Pure written exams lend themselves to braindumps and crowdsourced cheating. An overwhelming number of “IT professionals” now have lots of certifications with very little experience. The reason I don’t like this is because I don’t like carrying other people's weight.

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to the risk management framework come a few new terms. “C&A” will be replaced with assessment and authorization. Even though “information assurance (IA) controls” will be called “security controls”, the definition and work are still the same, but the hope is that it's done continuously and more cost-effectively.


Certification (NIST Assessment) – Comprehensive evaluation of an information system's IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome. An assessment is about gathering information to provide the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision.

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – formal approval of the system). Authorization is given by a senior agency official (upper management/higher headquarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system and explicitly accept the risk to operations, assets and individuals. They accept responsibility for the security of the system and are fully accountable for it.

“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

– NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.


How to get a certification: CAP Exam part 1

I had studied all night after freaking out about the test. I was sick and had to drive to another city to take that damn test. I was exhausted and tired.. lame excuse for being ugly lol. It's all good.. I still get laid.. but enough about ME.. let's talk about the test 😀

How to get a certification

– ISC2 Certified Authorization Professional (ISC2 CAP)
– Risk Management Certification
– Passing Score 700 out of 1000 points (125 questions on the test *25 test questions not counted toward the results)
– Application Fee: $419
– Verify 2 years experience in this field
– Endorsement Form
– Answer questions to criminal history and background
– Other Info: it's a CBT, 3 hours to test, based on the NIST 800 series

How Hard is the CAP Exam

I just took the ISC2 Certified Authorization Professional test (CAP Exam). I just want to give others who are about to take this test some idea of what they are up against. I noticed there are not a lot of security professionals talking about it. I keep hearing that there are only *1000 CAP certified people on Earth (circa 2011). I don’t think it's because of the difficulty level (lol.. I mean I would not call it an EASY test, but it's no CISSP or CCIE.. btw CCIE has about 25,000 certified individuals on Earth as of about 2010 despite being around since 1993… according to Cisco, “fewer than 3% of Cisco certified individuals attain CCIE certification”). I think there are so few CAP certified people because it's not a well known certification and it's in a specialized field. Perhaps the number of CAP certified individuals will always be low.

My overall impression is that it is much harder than Security+ but much easier than CISSP. If you have recent experience with the DoD Information Assurance Certification & Accreditation Process (DIACAP) you should have an easy time grasping the National Institute of Standards & Technology (NIST) Special Publication 800 series concepts, allowing you to pass the CAP exam. I would say the same about all the C&A frameworks: NIACAP, NISPOM, DCID 6/3, DITSCAP etc. If you know the certification & accreditation process well then you will pick up the risk management framework fast. If you have been doing the NIST C&A and/or Risk Management Framework, the test should be a mere refresher course for you, and a couple of weeks of reviewing the NIST 800 regulations and OMBs you already know might be enough for you to pass the CAP Exam and get this certification. You should know, however, that quite a bit has changed since 2009 in the certification & accreditation process of getting authorization.

The test is in the style of the CISSP in that you must choose what is MOST right in many cases. All questions are 4-multiple choice type questions.

Study Material for the Certified Authorization Professional

One of my biggest issues with the CAP material is that it has almost NO decent study material. There is “The CISSP and CAP Prep Guide” by Russell Dean & Ronald L. Krutz; this is the ONLY book I have found aside from one or two lame ebooks (as of 2011).

What I used to get a CAP Certification

The very first thing you should do is become a member of Isc2.org and download the ISC2 CAP Candidate Information Bulletin. The CAP Exam CIB breaks down all the objectives that you need to be knowledgeable in.

Read and/or be very familiar with the following NIST & OMB documents:
– NIST 800-37
– NIST 800-53
– NIST 800-53A
– NIST 800-64
– NIST 800-30
– NIST 800-100
– NIST 800-83
– OMB Circular A-130
– Privacy Act of 1974
– FISMA Act of 2002
**The full list of documents & regs to be familiar with is located in the CAP CIB

Another great resource is practice tests. Ucertify.com has GREAT content for the CAP, some of the best you will find for the Certified Authorization Professional.

Areas to Spend a LOT of time on:

I would definitely know and fully understand the Risk Management Framework (800-37). You need to know the tasks in each of the six steps of the Risk Management Framework (800-37). The System Development Lifecycle is also HUGE on this test (800-64). I would know how the Risk Management Framework lines up with the SDLC and the Risk Assessment process (800-37, 64, 30). The Risk Assessment process, Risk Management Framework and SDLC are all interconnected. You should know how they work together. The tasks that are done at each stage and step in all those processes, and which role performs each task, are need-to-know. Roles and Responsibilities should be fully understood and memorized. Although every one of the steps in the Risk Management Framework is covered pretty well, I feel like the following two steps were beaten to death: Continuous Monitoring & Assessments (security control assessor).

The test is computer based and randomized so you might get a completely different set of subject areas. Your best bet is to study what is in the CAP-CIB and use a bunch of practice tests.

What I DID NOT see on the Exam:

I was surprised not to see anything on NIACAP, DIACAP, FITSAP, DCID 6/3 and DITSCAP. I was fully expecting it and prepared for it. Many of the practice tests go on and on about Project/Program Management subject areas. But the only question I recall on that had to do with knowing the role of a Program Manager… that's about it.

Pro & CON on the ISC2 CAP Cert

CONS: I feel like the CAP is currently (2011) not in great demand. If you do a search on any job database (monster, indeed, simplyhired) you see that there are not many employers listing it as a requirement. For example, a 2011 search on isc2 CAP anywhere in the US gives 49 results — http://jobsearch.monster.com/search/?q=isc2-cap
I also think that the certification is WAY overpriced. It's $419, which I think is even more than the ISC2 CISSP concentrations.
There is almost no study material for it.

PROS: Covers very important risk management framework material. It's computer-based, so the results are instant. It's a good lead-up and practice for the ISSEP. The ISSEP covers a lot of what is in the CAP. NIST will get increasingly more important as DoD, NSA and other national security system agencies take on NIST.

*CAP Exam: CAP certified people in the world (circa 2011):
Canada 6
Germany 1
Korea, Republic of 2
Puerto Rico 2
United States 997
reference: https://www.isc2.org/member-counts.aspx#cap

**The Certified Authorization Professional Candidate Information Bulletin is on ISC2.org. You may have to be a member to get the document.

Training & Certification: CAP – Security Authorization of Federal Information Systems

Understanding the Security Authorization of federal information systems

The ISC2 CAP candidate needs to understand the multitier approach to evaluating strategic & tactical risk across an organization/enterprise. This is discussed thoroughly in NIST SP 800-39, Managing Information Security Risk. 800-39 explains risk management from the organization, mission, and system perspective.

800-39 explains how an organization does risk framing by making risk assumptions and knowing its risk constraints, risk tolerance, priorities & tradeoffs. Implementation of an organization's risk management strategy is also based on its governance structure.

Security Authorization is a risk management process that is based on identification of threats, vulnerabilities and countermeasures. 800-39 and 800-37 explain what must be included in a risk assessment that will evaluate residual risks and determine if they are acceptable or unacceptable to the organization as a whole. Unacceptable risks can be reduced by implementing security controls.

Understanding the Security Authorization of federal information systems covers the following key areas:

Understand the Risk Management Approach to Security Authorization
Understanding and distinguishing among the Risk Management Framework (RMF) steps
Define and Understand Roles & Responsibilities
Understand the Relationship between the RMF and SDLC
Understand Legal, Regulatory, and Other Requirements for Security Authorization
Understand Common Controls and Security Control Inheritance
Understand Ongoing Monitoring Strategies
Understand How the Security Authorization Process Relates to:

1. Organization-wide risk management
2. System Development Life Cycle (SDLC)
3. Information system boundaries
4. Authorization decisions

Training and Certification: certified authorization professional (1)

The Certified Authorization Professional (CAP) is a certification that indicates a professional level of knowledge/skill on the subject of federal information system authorization (formerly certification & accreditation). In the US federal government, authorization to operate a federally owned information system is a formal acceptance of risk from an Authorization Officer (AO). An AO is a high ranking official granted the authority to make major risk-related decisions for an entire branch or unit within a federal organization. The AO accepts or rejects the risks that information systems pose to his or her organization based on the recommendations of a security control assessor's audit and the accompanying Security Authorization Package.

The CAP is based almost entirely on federal information security/protection laws, National Institute of Standards & Technology (NIST), and Office of Management & Budget regulations.

There are seven domains the CAP exam focuses on:
1. Understanding the Security Authorization of Information Systems
2. Categorize Information Systems
3. Establish the Security Control Baseline
4. Apply Security Controls
5. Assess Security Controls
6. Authorize Information System
7. Monitor Security Controls

Cisco Cert Beginner Part-2: Setting up a Network Lab (Rack)

One of the reasons I failed the CCENT was that I didn’t prepare for router/switch simulators that are on the test. I knew the theory and concepts behind Interconnecting Cisco network devices, but I hadn’t spent much time on the command line of an actual router. Since the test is timed you don’t have a lot of time to try to figure commands out on the fly. You certainly can, because Cisco command line is pretty user friendly.

To prepare for the test you must be comfortable in the Internetwork Operating System (IOS). That is why my CCNA, CCNP buddies encouraged me to set up my own Cisco network. They told me how to buy them cheap, what components to buy and how I should actually network them to prep for the Cisco certs.

Cheap Cisco Equipment:
Talking about what actual Cisco models to buy in this post will not be effective since anything I name will be completely obsolete by the time you read this. But I will tell you that my CCNA/CCNP friends recommended buying old Cisco equipment from eBay and Craigslist, and even schooled me on what was a good deal. In some cases I would just give them money and they would buy it for me. I ended up buying a lot of stuff I don’t need, but you are more than likely much smarter with your money.

What to Buy:
They told me that it was important to buy two switches and two routers to practice with routing protocols and spanning tree. They explained that it is important to understand the behavior of the technologies in order to know how to troubleshoot. Theory is important too, but to prepare for the CCENT you must get comfortable with the command line interface so you don’t waste time figuring out basic stuff on the fly.

Build a diagram first! This is difficult for me because I like to just jump in and try things. But creating a network diagram and understanding what it is you want to set up is very important.

Virtual Cisco LAB:
Another very useful tool for those who really cannot afford to drop $100 on old Cisco equipment is GNS3. It's like VMware for Cisco IOS. It allows you to create a virtual network and mess around with actual Cisco IOS. It's really pretty cool… and (best of all) it's free!! Aside from air, I am not sure there is anything more useful. It's a great tool if you are serious about studying for the CCENT/CCNA/CCNP.

Cisco Cert Beginner Part-1: where to start

Since I failed the Cisco Certified Entry Networking Technician (CCENT) (lol), I have decided to get smart on Cisco again. I have been out of it a long time doing mostly DoD Certification & Accreditation work. I used to be a network engineer with a CCNA, until I found a career that pays better with less competition. So now, I am just doing Cisco stuff for fun.

After failing the CCENT, I talked to my resident networking GURUs (a CCNA Security, a CCNP and a CCIE). I wanted to know the best approach to attacking the CCNA again. They told me what they did.. setting up a Cisco lab in the house was the most common answer.

The book they recommended to start with was CCNA/CCENT ICND1. It's really not the most fun book in the world to read, but if you're starting out or starting over with this stuff it should be like your networking bible. Among technical Cisco books, it's a solid first start.. which is much more than I can say about any of the first-start Cisco 5500 ASA books – there is just no such thing. You will be expected to have a solid understanding of networking, the OSI model and TCP/IP. If you have a CompTIA Network+, the CCENT might be the logical next step. If you do networking pretty regularly, have been doing it for about a year and are familiar with Cisco equipment, you might be better off going straight to the Cisco Certified Network Associate (CCNA). If you’re going for the full-blown CCNA, the book to get is the CCNA ICND2. I have been warned that you need to be very, very good at subnetting!! The CCNA is much harder than it was when I took it in 2001. I would even say that the CCENT is harder than the CCNA used to be.

In addition to getting the right books to read, the Cisco Gurus told me to set up a lab.

When does a DoD Information System require a re-accreditation

How do you determine when a DoD Information System should have a full re-accreditation?

We are not talking about the obvious:
– 3-year expiration
– completely new version and/or overhaul of a system

We are talking about a single client within an Information System getting an upgraded operating system, or a firewall being upgraded, or the addition of 4 Cisco internetworking devices and a VLAN change.

How do we know what is a basic sustainment change, a configuration management change (approved by the Configuration Board members) or a full-blown 100,000 dollar re-accreditation?

You would think there was some kind of matrix that could match up modifications to a DoD IS with what actions must be performed. If there is one, I have not seen it.

All we have is high level regs that tell us IA Workforce peons (who must deal with details, schedules and limited funds) almost nothing we don’t already know.

Assessing the IA Impact & Maintaining Situational Awareness:
DoD 8500.2, Information Assurance, gives us IA Controls such as DCII-1, dealing with IA Impact Assessment. It states, “Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.” The DoD instruction also tells us that we are supposed to conduct comprehensive annual reviews of our system's processes, procedures and IA Control status.

How are we supposed to monitor “Changes to the DoD information system”?

We know that we are supposed to monitor all DoD IS’s to keep track of the baseline. And according to the regs, we are supposed to do this by a configuration management process (DCPR-1, CM Process). That configuration management process is supposed to have a “configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems.”

So Configuration Management gives us oversight on changes to a DoD IS, but who within the CM process determines whether changes to a system should have a re-accreditation?
IA Control DCCB-2, Control Board, tells us that “all information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1.” It also tells us that the Information Assurance Manager (IAM) is a member of the CCB.

From my interpretation of these high-level statements, the IAM is the subject matter expert who has a lot of say on the IA impact of modifications to a given DoD IS.


I did not find anything for that in 8500.2 so I moved on to CJCSI 6510.01, but it only says the same things that 8500.2 says (Configuration Management, CCB, having a baseline). But it did say this:

“Ensure a configuration management (CM) process is implemented and establish appropriate levels of configuration management to maintain the accredited security posture. The security impact of each change or modification to an information system or site configuration will be assessed against the security requirements and the accreditation conditions issued by the DAA.”

Still pretty high level, but we are getting closer since the instruction is telling us: “..security impact of each change or modification to an information system or site configuration will be assessed against the security requirements and the accreditation conditions issued by the DAA“.

I thought that the only way to get more insight is to look at the lower-level regulations within specific branches. The Air Force’s Certification & Accreditation Program, 33-210, for example, talks specifically about reaccreditation. It states that the Information System Owner (ISO) “Alerts AFNetOps of any changes to the topology or software affecting the security posture of the enclave boundaries so that the gateway package can be reaccredited if necessary.” And in table 3.2 it states “PM/SM/ISO will enter information in EITDR, host an initial stakeholder meeting, and initial security review to determine if a new version is to be created.” It mentions different reaccreditation actions for networked and standalone systems. It goes on to say that “if changes will not affect the security posture of the IS, the PM/SM/ISO will annotate the outcome of the meeting and make necessary edits to the C&A package.”

The Army’s AR 25-2, Information Assurance regulation, has an entire section on Accreditation & Reaccreditation (5-5), but still offers no specifics. The Army does have AR 380-19, AIS Information System Security, and it is pretty specific (see excerpt below).. but it is now OBSOLETE and replaced by AR 25-5.

All regulations and instructions are in line as far as the need to reaccredit if there is an IA IMPACT, but give no specifics on what constitutes an “IA Impact”. 8510, DIACAP, mentions that the IA posture of an IS must remain acceptable in order to retain its Authorization to Operate (ATO). If I were the IAM for a day.. I would hang my hat on this important statement.

We have to work with what we have!!
Based on what we have:
Changes in a DoD IS’s IA Controls determine whether or not a system will need a reaccreditation. There are no specifics on what can force a reaccreditation. So we must conclude that there is no “magic bullet” that will instantly create the need for a reaccreditation. In other words, no modification to a certain piece of hardware or software or certain subsystem, or even a change to the network architecture, will be the reason for reaccreditation every single time.

Significant changes to IA Controls are the only thing we can really put our finger on.

So let's say that IA Control DCCS-2, Configuration Specification, was changed on an Information System. This IA Control deals with making sure that all IA-enabled and IA products have the DISA Security Technical Implementation Guides (or equivalent) applied. Maybe an example will help us understand the process of determining reaccreditation: A DoD Information System Owner requests the addition of four new storage devices to the system enclave. Let's say that these storage devices will have an adverse effect on the security posture of the overall system because they are not in compliance with DCAS-2, Acquisition Standards… so the storage devices have not gone through NSA/Common Criteria. Additionally, the storage devices will not be compliant with DCCS, which means they will not have security in accordance with DISA/NSA checklists and guidance.

Prior to being implemented or even tested, the request for this change should go through the configuration management process, where the IAM will tell the Program Manager and System Owner (or his or her representative) the security impact to the overall system. He or she would have to explain to them that the change may affect the current ATO, because they will now be non-compliant on two (possibly more) controls that were previously compliant. The IAM would also be wise to get in contact with other subject matter experts, such as the system administrator and/or IAO who would be in charge of implementing and testing the system. The IAM might also contact the Certifying Authority (or representative) to determine if such a change would create the need for a reaccreditation.

One thing the IAM does NOT want to do is simply sign the Program Manager and System Owner up for some changes to the system that would jeopardize the Authorization to Operate. The IAM should do their homework and present the real risk of the modifications to the system owner. CYA is paramount.

Once the IAM determines the impact and the modifications are made:
According to DoD 8500.2, 5.8.5, “ensure that IA-related events or configuration changes that may impact accreditation are reported to affected parties, such as Information Owners and DAAs of interconnected DoD information systems.”

Some older regulations are more specific. AR 380-19, AIS System Security, for example:
3-6. Reaccreditation

a. All AIS, except those designated as nonsensitive, will be formally reaccredited within 3 months after any of the following occurs:

(1) Addition or replacement of a mainframe or significant part of a major system.

(2) A change in sensitivity designation (para 2-2a).

(3) A change in security mode of operation (para 2-2b).

(4) A significant change to the operating system or executive software.

(5) A breach of security, violation of system integrity, or unusual situation that appears to invalidate the accreditation.

(6) A significant change to the physical structure housing the AIS that affects the physical security described in the accreditation.

(7) Three years has elapsed since the effective date of the existing accreditation.

b. Reaccreditation will include the same steps accomplished for the original accreditation; however, those portions of the documentation that are still valid need not be redone.

AR 380-19 has been replaced with AR 25-5 which is pretty high level.

1 2 3 4