- Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Advanced Security Practitioner (CASP) - Measuring CASP difficulty - Why Hybrid Testing Approaches Work Best - Mapping the NICE Cybersecurity Workforce Framework

1. • Enterprise Security
• Risk Management and Incident Response
• Research and Analysis
• Integration of Computing, Communications and Business Disciplines
• Technical Integration of Enterprise Components
CASP is an advanced-level certification covering enterprise security;
risk management; incident response; research and analysis;
integration of computing, communications and business disciplines;
and technical integration of enterprise components.
CASP certifies critical thinking and judgment across a broad spectrum of security disciplines and requires
candidates to implement clear solutions in complex environments. It assesses IT pros who work in advanced
technical positions.
CASP addresses the increased diversity of knowledge, skills and abilities (KSAs) required of today’s enterprise
cybersecurity pros and validates what is currently necessary to perform effectively on the job.
The current version of CASP reflects the skills needed to manage modern IT environments, including:
Closing the Gap for Advanced
Enterprise Cybersecurity Skills
with CompTIA Advanced Security Practitioner (CASP)
In this
document:
• Closing the Gap for
Advanced Enterprise
Cybersecurity Skills
with CASP
• Measuring CASP
Difficulty
• Why Hybrid Testing
Approaches Work
Best
• Mapping the NICE
Cybersecurity Work-
force Framework
of the exam
objectives require
application or
analysis of
domain
knowledge
82%
Measuring CASP Difficulty
Using Bloom’s Taxonomy as an organizing principle to discuss the difficulty level of
the exam illustrates the emphasis on the application of KSAs, rather than the simple
recall of information. Looking at the exam objectives, 82 percent require candidates to
demonstrate their knowledge at Bloom’s level 3 (apply) and level 4 (analyze).
The CASP exam is at a high taxonomy level because we carefully track job roles and skills in the IT
industry. We strive to make sure that the exams directly reflect industry standards and best practices.
The following table summarizes the percentage of certification
exam objectives that fall into each of Bloom’s level.
1

2. Bloom’s Level and Description
Level of
Complexity
Percentage of Objectives
(Objective Numbers)
Level 1: Remembering/Recalling Information
The candidate is able to recall, restate and remember learned information.
Basic 0%
Level 2: Understanding/Explaining Ideas or Concepts
The learner grasps the meaning of information by
interpreting and translating what has been learned.
Low 17%
Level 3: Applying Knowledge and Skills
The learner makes use of information in a new situation
from the one in which it was learned.
Moderate 30%
Level 4: Analyzing
The learner breaks learned information into parts to best understand
that information in an attempt to identify evidence for a conclusion.
High 53%
Level 5: Evaluating
The learner makes decisions based on in depth
reflection, criticism and assessment.
High 0%
Level 6: Creating
The learner creates new ideas and information
using what has been previously learned.
High 0%
CASP Executive Summary
Why Hybrid Testing Approaches Work Best
Over the past several years, cybersecurity practitioners and educators have debated as to which of the following is more
important to validate:
1. An individual’s conceptual knowledge, as validated by “linear” multiple choice items, or
2. Performance associated with a particular job or responsibility, as validated by performance-based items.
Advocates for each of these two aspects of validation often hold one of the approaches as superior over the other, with most
individuals favoring only performance-based items.
CompTIA regards this rift in opinion as a false dilemma. Both domain knowledge expertise and practical skills are absolutely vital
and should be a part of any serious competency training and validation process. Both knowledge- and performance-based
aspects are necessary for training, and nothing can substitute for hands-on learning. The same principle applies to assessment.
This is why CompTIA adopted performance-based items into its certification exams starting in 2011.
The following CompTIA exams contain roughly 10 percent performance-based items:
On average, it takes a test taker roughly one-third of the time to complete these performance-based items. Performance-based items include
simulations of technology solutions and story-based items that require advanced cognitive thinking on the part of the successful test taker.
A+ | Network+ | Security+ | Cybersecurity Analyst (CSA+) | CompTIA Advanced Security Practitioner (CASP)
2

3. Work Role Description Matching CompTIA CASP Objectives (Samples)
Enterprise Architect
SP-ARC-001
Develops and maintains business, systems
and information processes to support
enterprise mission needs; develops information
technology (IT) rules and requirements that
describe baseline and target architectures.
2.3 — Compare and contrast security, privacy policies
and procedures based on organizational requirements
3.2 — Analyze scenarios to secure the enterprise
5.1 — Given a scenario, integrate hosts,
storage, networks and applications into
a secure enterprise architecture
Security Architect
SP-ARC-002
Designs enterprise and systems security throughout
the development life cycle; translates technology
and environmental conditions (e.g., law and
regulation) into security designs and processes.
1.3 — Given a scenario, analyze network and security
components, concepts and architectures
4.3 — Implement security activities
across the technology life cycle
5.1 — Given a scenario, integrate hosts,
storage, networks and applications into
a secure enterprise architecture
Systems
Requirements
Planner
SP-RP-001
Consults with customers to evaluate functional
requirements and translate functional
requirements into technical solutions.
2.1 — Interpret business and industry influences
and explain associated security risks
4.1 — Given a scenario, facilitate collaboration across
diverse business units to achieve security goals
4.2 — Given a scenario, select the appropriate control to
secure communications and collaboration solutions
Research and
Development
Specialist
SP-RD-001
Conducts software and systems engineering
and software systems research in order to
develop new capabilities, ensuring cybersecurity
is fully integrated. Conducts comprehensive
technology research to evaluate potential
vulnerabilities in cyberspace systems.
3.1 — Apply research methods to determine
industry trends and impact to the enterprise
3.2 — Analyze scenarios to secure the enterprise
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
Information Systems
Security Developer
SP-SYS-001
Designs, develops, tests and evaluates
information system security throughout
the systems development life cycle.
1.1 — Given a scenario, select appropriate
cryptographic concepts and techniques
2.2 — Given a scenario, execute risk mitigation
planning, strategies and controls
4.3 — Implement security activities
across the technology life cycle
Mapping the NICE Cybersecurity Workforce Framework
CASP aligns with the following 11 work roles of the National Initiative for Cybersecurity Education
(NICE) Cybersecurity Workforce Framework (NCWF), draft NIST special publication 800-181:
This mapping is a sample of how CompTIA’s certification standards map to key elements of the NICE framework.
CASP Executive Summary
• Enterprise Architect, SP-ARC-001
• Security Architect, SP-ARC-002
• Systems Requirements Planner, SP-RP-001
• Research and Development Specialist, SP-RD-001
• Information Systems Security Developer, SP-SYS-001
• Security Control Assessor, SP-RM-002
• Cyber Defense Analyst, PR-DA-001
• Cyber Defense Incident Responder, PR-IR-001
• Vulnerability Assessment Analyst, PR-VA-001
• Warning Analyst, AN-TA-001
• Cyber Crime Investigator, IN-CI-001
3

4. Work Role Description Matching CompTIA CASP Objectives (Samples)
Security Control
Assessor
SP-RM-002
Conducts independent comprehensive assessments
of the management, operational and technical
security controls and control enhancements employed
within or inherited by an information technology
(IT) system to determine the overall effectiveness
of the controls (as defined in NIST SP 800-37).
1.4 — Given a scenario, select and troubleshoot
security controls for hosts
1.5 — Differentiate application vulnerabilities
and select appropriate security controls
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
Cyber Defense
Analyst PR-DA-001
Uses data collected from a variety of cyber-
defense tools (e.g., intrusion detection system (IDS)
alerts, firewalls, network traffic logs) to analyze
events that occur within their environments
for the purposes of mitigating threats.
1.3 — Given a scenario, analyze network and security
components, concepts and architectures
2.2 — Given a scenario, execute risk mitigation
planning, strategies and controls
3.2 — Analyze scenarios to secure the enterprise
Cyber Defense
Incident Responder
PR-IR-001
Investigates, analyzes and responds to cyber-incidents
within the network environment or enclave.
2.4 — Given a scenario, conduct incident
response and recovery procedures
3.1 — Apply research methods to determine
industry trends and impact to the enterprise
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
Vulnerability
Assessment
Analyst PR-VA-001
Performs assessments of systems and networks
within the network environment or enclave and
identifies where those systems/networks deviate
from acceptable configurations, enclave policy or
local policy. Measures effectiveness of defense-in-
depth architecture against known vulnerabilities.
1.3 — Given a scenario, analyze network and security
components, concepts and architectures
1.5 — Differentiate application vulnerabilities
and select appropriate security controls
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
Warning Analyst
AN-TA-001
Develops unique cyber indicators to maintain constant
awareness of the status of the highly dynamic
operating environment. Collects, processes, analyzes
and disseminates cyber-warning assessments.
1.3 — Given a scenario, analyze network and security
components, concepts and architectures
3.1 — Apply research methods to determine
industry trends and impact to the enterprise
3.2 — Analyze scenarios to secure the enterprise
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
Cyber Crime
Investigator
IN-CI-001
Identifies, collects, examines and preserves
evidence using controlled and documented
analytical and investigative techniques.
2.3 — Compare and contrast security, privacy policies
and procedures based on organizational requirements
2.4 — Given a scenario, conduct incident
response and recovery procedures
3.3 — Given a scenario, select methods
or tools appropriate to conduct an
assessment and analyze results
LEARN MORE
For government inquiries contact: GovernmentSales@CompTIA.org.
For corporate inquiries contact: Jennifer Herroon at jherroon@CompTIA.org
© 2017 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and
education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of
CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or
service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written
consent of CompTIA Properties, LLC. Printed in the U.S. 03724-Apr2017
CASP Executive Summary
4