Department of Defense Gives Unsurprising Stamp of Approval to PenTest+

PenTest+ has been added to the Department of Defense's consequential 8570 list.

At the end of November, tech industry association CompTIA announced that its PenTest+ certification has officially joined the growing collection of CompTIA credentials listed under the DoD 8570.01 Manual as an "approved baseline certification."


What this means, in plain English, is that individuals who earn the PenTest+ can qualify, in whole or in part, for jobs in three specific workplace categories, all of which require one or more certifications for incoming workers:


- Cybersecurity Service Provider Analyst (CSSP-A)
- Cybersecurity Service Provider Incident Responder (CSSP-IR)
- Cybersecurity Service Provider Auditor (CSSP-AU)


For those unfamiliar with this still-new CompTIA credential, PenTest is short for "penetration testing," and represents a white hat hacking discipline where trained security professionals use hacking tools and techniques to attempt break-ins and compromises for specific organizations.


The point of this is to practice the "Inverse Golden Rule" of cybersecurity: "Do unto yourself before others can do unto you." Thus a penetration tester's job is to attack in order to find and document weaknesses so they can be remediated or mitigated. A pen tester does not wreak havoc and does not steal information, money, intellectual property, personally identifiable information, and so forth.


PenTest+ Certification


You can get more information about PenTest+ on the CompTIA website, but I'll walk through it for you right here. PenTest+ seeks to confirm and validate skills and knowledge in security professionals tasked with penetration testing and vulnerability management responsibilities.



The exam also covers management skills needed to assess the resiliency of a network and IT infrastructure against attack. Ditto for planning, scoping, and managing or mitigating cybersecurity vulnerabilities and exposures. In general, penetration testing takes a proactive stance toward finding, documenting and fixing vulnerabilities and exposures as a way of fending off or avoiding malicious attacks.


The PenTest+ exam costs $359 (discounts are available to employees of CompTIA member organizations; bundles with training and exam prep materials are also available). The exam ID is PT0-001 and the exam, which runs 2 hours and 45 minutes, includes a maximum of 85 questions with multiple choice and performance-based (hands-on, lab/simulation-based) content. It's available through Pearson VUE at testing centers or online (through a properly configured PC).


DoD 8570.01 Directive and Certifications


The DoD 8570.01 Directive (PDF format) identifies, tags, tracks, and manages the information assurance (i.e., cybersecurity or information security) workforce for the U.S. Department of Defense, including all branches of the military, and all contractors and contracting firms that provide workers to the Department or its agencies and arms.


An estimated 10 percent of the total U.S. workforce falls under this umbrella. And actually 8570.01 was supplanted by DoD Directive 8140 (PDF format) in 2015 — but because the 8570 directive is so firmly linked with related IT certifications, the old nomenclature is still used to this day to refer to the approved baseline certifications applicable to cybersecurity jobs within the massive DoD workforce infrastructure.


For a complete list of the certifications involved, please visit the DoD Approved 8570 Baseline Certifications page at the DoD Cyber Workforce site.


CompTIA's 8570 Compliant Cert Roster



CompTIA has one of the biggest, if not the biggest, slates of certifications that qualify under 8570: a total of 7 in all (SANS GIAC may be the only organization with more). Here's that list, in all its glory:


- CompTIA A+
- Network+
- Security+
- Cloud+
- PenTest+
- Cybersecurity Analyst (CySA+)
- CompTIA Advanced Security Practitioner (CASP+)


As you can see, most of these entries are entry-level credentials (everything up to and including Cloud+), so they provide an excellent stepping stone into this realm of IT work. For more information, please explore the CompTIA Certifications page.


About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website at, where he also blogs daily on Windows 10 and 11 topics.