Curriculum and Courseware Certification

These articles are for instructors or curriculum developers who want to have their courseware certified by the National Security Agency's Information Assurance Courseware Evaluation (IACE) program. These articles focus on certifying compliance with NSTISSI 4011, the national training standard for information security (INFOSEC) professionals.

NOTE: This information is based on the previous CNSS standards. The government has replaced those standards. They have also changed the process, rendering this discussion irrelevant.

I recommend that instructors adopt Elementary Information Security for one or more courses in their curriculum and take advantage of the textbook's NSTISSI 4011 mapping information. Existing courses may already cover many of the training standard's required topics, and the mapping information makes it easy to develop course notes and to identify assigned readings that fill the remaining gaps.

NSTISSI 4011 was issued in 1994. This predates the widespread use of technologies like firewalls and SSL. To ensure up-to-date coverage of essential topics, the book also incorporates information from curriculum recommendations published jointly by the ACM and the IEEE Computer Society. Specifically, the book covers the topics and core learning outcomes listed in the Information Security and Assurance knowledge area of the Information Technology 2008 curriculum recommendations.

To best ensure up-to-date coverage, the book also reflects a review of recent malware implementations and techniques, and of web server vulnerabilities. Additional coverage of cryptographic techniques serves as a sort of update to a different, aging book I wrote, Internet Cryptography.

Here are some resources to support the mapping effort:

The following articles further outline the certification process.

Earning IACE Certification Using a Certified Textbook

The U.S. government certifies courses of study in information security under the Information Assurance Courseware Evaluation (IACE) program. If a course is certified under one of the approved standards, then students are eligible to receive a certificate that carries the seal of the U.S. Committee on National Security Systems (CNSS, left) to indicate they have completed an approved course of study.

My new textbook, Elementary Information Security, has just earned certification that it conforms fully to the CNSS national training standard for information security professionals (NSTISSI 4011).

It can be challenging for an institution to get its course of study certified. Many of the topics are obvious ones for information security training, but others are relatively obscure. Several topics, like TEMPEST, COMSEC, and transmission security, have lurked in the domain of classified documents for decades.

This new text provides a comprehensive and widely available source for all topics required for NSTISSI 4011 certification. An institution can use the textbook along with the details of its NSTISSI 4011 topic mapping to establish its own certified course of study.

IACE Certification Explained

The U.S. National Security Agency (NSA) operates a program to evaluate programs of study for compliance against published U.S. government training standards. Institutions may apply to have their courseware certified. Numerous two- and four-year colleges, universities, and private training academies have earned this certification under the NSA's Information Assurance Courseware Evaluation (IACE) program. Certified courses of study may issue certificates to their students that carry the seal of the U.S. Committee on National Security Systems (CNSS) and indicate they have completed an approved course of study.

In 2012, the IACE program certified a textbook for the first time: Elementary Information Security was certified to conform fully to the CNSS training standard NSTISSI 4011. Institutions may use this textbook to efficiently develop a course of study eligible for government certification under this same standard. Consult the posted topic mapping to NSTISSI 4011 for further details.

The Curriculum or Courseware Mapping Process

IACE uses a mapping process to show that a particular curriculum or set of courseware complies with a standard. While IACE will certify compliance with several different standards, this discussion focuses on NSTISSI 4011. The mapping process typically goes through the following steps:

  1. Contact IACE to apply for certification. The IACE will establish login credentials on the mapping web site.
  2. Download a copy of the training standard and the spreadsheets provided to assist in mapping.
  3. Identify the courses, current or planned, that will cover the required topics. Consult Elementary Information Security for any topics not covered in existing courses.
  4. Each course should be broken down into separate topics or lectures covered in the course. Each topic required by the training standard must map to at least one of these course topics/lectures.
  5. Fill out a mapping spreadsheet to indicate which courses, and which topics/lectures within each course, cover each required topic. Consult the Elementary Information Security topic mapping for an example.
  6. If any required topics are not currently covered by a course, either establish a course to cover those topics, or modify lectures in existing courses to cover those topics. Course lecture notes or presentation slides must be available on-line in order to be part of the course mapping.
  7. When all required topics are covered by on-line course notes, the actual mapping may begin. Log in to the IACE mapping web site and start by defining all courses used in the mapping. Each course must be broken into individual topics or lectures, and there should be an obvious relationship between those topics or lectures and the on-line course material (i.e. files or pages containing course notes or lecture slides).
  8. Once all courses are entered, including course topics or lectures, go to “Map Standard” and select NSTISSI 4011. Follow the instructions provided by the site. For each topic, be sure to provide at least one reference to a course topic or lecture. 
  9. Once the standard is 100% mapped, it may be submitted. Double-check the mapping for accuracy and then submit it.

Both the public IACE web site and the mapping web site have help and instructions to guide and simplify the process. However, it will still require several hours of work to enter all of the details.

The mapping instructions sometimes refer to “Entry,” “Intermediate,” and “Advanced” coverage of topics. These do not apply to NSTISSI 4011. To comply with this standard, the curriculum must make the students aware of all topics covered by the standard.

Mapping Schedule

Note that the mapping process is not available at certain times of the year. At present, it is not available between January 15 and March 1. That is the time period during which IACE evaluations take place. Here is the current calendar for IACE certification:

  • January 15: Deadline for the IACE certification cycle. All mappings must be entered and submitted by this time.
  • March 1: Submitted certifications may be complete, and recipients are notified. This is not an official deadline and may vary with circumstances.
  • mid-June: Official certificates are presented to successful institutions at the annual Colloquium for Information Systems Security Education (CISSE).
  • Five years later: Certification expires


While Elementary Information Security should make courseware mapping clearer and more accessible for institutions, the process described here is not guaranteed to work. Moreover, the process as described could be changed by IACE without notice. CNSS only certifies that the textbook's contents fully conform to NSTISSI 4011.


Elementary Information Security Topic Mapping for NSTISSI 4011

Elementary Information Security has been certified to conform fully to the Committee on National Security Systems' national training standard for information security professionals (NSTISSI 4011). To do this, I had to map each topic required by the standard to the information as it appears in the textbook. Instructors who map their courses to the standard must map the topics to lectures, readings, or other materials used in those courses.

I have exported the textbook's mapping to an Excel spreadsheet file. Curriculum developers may use this information to develop a course of study that complies with NSTISSI 4011 and is eligible for certification. I'm describing the courseware mapping process in another post. Read that post first.

The topic mapping for Elementary Information Security relates a single “course,” the textbook itself, to the required topics in the NSTISSI 4011 standard. The mapping is made available in a spreadsheet. The first column contains row numbers. The next three columns, Subsection, Element, and Topic, contain topic identifiers from the standard. The Chapters column lists the chapters by number that cover a particular topic. The column may also contain the letter “B” to point to Appendix B.

The Notes column points directly to each topic by section number and page number. These were placed in the “Additional Comments” field of the mapping. This is because the textbook focuses primarily on readability and an appropriate progression of topics. Detailed comments were provided to ensure that appropriate information about every topic appeared in the mapping.

Most mappings should not require additional comments, or at least should not require this level of detail. If the course and topic mappings link to files in which the material is easily found, then additional comments shouldn't be required.

The phrase “summary justification” is used when an earlier or higher-level topic covers several subtopics as well. The mapping web site allows summary justification for selected topics. When used, the mapping only needs to specify the earlier or higher-level topic. The subsequent, related topics are then filled in automatically and locked from editing.

The Elementary Information Security mapping may be downloaded in spreadsheet form, and used as a starting point for mapping the institution's curriculum. However, this particular spreadsheet maps all topics to a single “course,” the Elementary Information Security textbook. Mapping is by chapter numbers in the Chapters column.

In a curriculum containing several courses, the spreadsheet should be modified to allow mapping of multiple courses and the topics they contain. One approach is to include a column with two-part entries: one part indicates a course and the other part selects a particular course topic. Another approach is to provide a separate column for each course. If a particular course covers a particular required topic, then the course's column identifies the corresponding course topic.


The First Textbook Certified by the NSA

I received an email this morning announcing that Elementary Information Security has been certified by the NSA's Information Assurance Courseware Evaluation program as covering all topics required for training information security professionals. Here is the certification letter.

This is the first time they have certified textbooks. In the past they've only certified training programs and degree programs.

The evaluation is based on the national training standard NSTISSI 4011. The book also covers the core learning outcomes for Information Assurance and Security listed in the Information Technology 2008 Curriculum Recommendations from the ACM and IEEE Computer Society.

The textbook is currently available from the publisher, Jones and Bartlett, and I notice that they offer a PDF-ish version as well as the 890-page hardcopy edition.

It was a bit of a challenge trying to fit all of that information into a single textbook, and to target it at college sophomores and two-year college programs. The book contains a lot of tutorial material to try to bridge the gap between the knowledge of introductory students and the required topics.

