You are here

Earning IACE Certification Using a Certified Textbook

CNSS certified to conform to NSTISSI 4011The U.S. government certifies courses of study in information security under the Information Assurance Courseware Evaluation (IACE) program. If a course is certified under one of the approved standards, then students are eligible to receive a certificate that carries the seal of the U.S. Committee on National Security Systems (CNSS, left) to indicate they have completed an approved course of study.

My new textbook, Elementary Information Security, has just earned certification that it conforms fully to the CNSS national training standard for information security professionals (NSTISSI 4011).

It can be challenging for an institution to get its course of study certified. Many of the topics are obvious ones for information security training, but others are relatively obscure. Several topics, like TEMPEST, COMSEC, and transmission security, have lurked in the domain of classified documents for decades.

This new text provides a comprehensive and widely available source for all topics required for NSTISSI 4011 certification. An institution can use the textbook along with the details of its NSTISSI 4011 topic mapping to establish its own certified course of study.

IACE Certification Explained

The U.S. National Security Agency (NSA) operates a program to evaluate programs of study for compliance against published U.S. government training standards. Institutions may apply to have their courseware certified. Numerous two- and four-year colleges, universities, and private training academies have earned this certification under the NSA's Information Assurance Courseware Evaluation (IACE) program. Certified courses of study may issue certificates to their students that carry the seal of the U.S. Committee on National Security Systems (CNSS) and indicate they have completed an approved course of study.

In 2012, the IACE program certified a textbook for the first time: Elementary Information Security was certified to conform fully to the CNSS training standard NSTISSI 4011. Institutions may use this textbook to efficiently develop a course of study eligible for government certification under this same standard. Consult the posted topic mapping to NSTISSI 4011 for further details.

The Curriculum or Courseware Mapping Process

IACE uses a mapping process to show that a particular curriculum or set of courseware complies with a standard. While IACE will certify compliance with several different standards, this discussion focuses on NSTISSI 4011. The mapping process typically goes through the following steps:

  1. Contact IACE to apply for certification. The IACE will establish login credentials on the mapping web site.
  2. Download a copy of the training standard and the spreadsheets provided to assist in mapping.
  3. Identify the courses, current or planned, that will cover the required topics. Consult Elementary Information Security for any topics not covered in existing courses.
  4. Each course should be broken down into separate topics or lectures covered in the course. Each topic required by the training standard must map to at least one of these course topics/lectures.
  5. Fill out a mapping spreadsheet to indicate which courses and which topics/lectures within each course covers each required topic. Consult the Elementary Information Security topic mapping for an example.
  6. If any required topics are not currently covered by a course, either establish a course to cover those topics, or modify lectures in existing courses to cover those topics. Course lecture notes or presentation slides must be available on-line in order to be part of the course mapping.
  7. When all required topics are covered by on-line course notes, the actual mapping may begin. Log in to the IACE mapping web site and start by defining all courses used in the mapping. Each course must be broken into individual topics or lectures, and there should be an obvious relationship between those topics or lectures and the on-line course material (i.e. files or pages containing course notes or lecture slides).
  8. Once all courses are entered, including course topics or lectures, go to “Map Standard” and select NSTISSI 4011. Follow the instructions provided by the site. For each topic, be sure to provide at least one reference to a course topic or lecture. 
  9. Once the standard is 100% mapped, it may be submitted. Double-check the mapping for accuracy and then submit it.

Both the public IACE web site and the mapping web site have help and instructions to guide and simplify the process. However, it will still require several hours of work to enter all of the details.

The mapping instructions sometimes refer to “Entry,” “Intermediate,” and “Advanced” coverage of topics. These do not apply to NSTISSI 4011. To comply with this standard, the curriculum must make the students aware of all topics covered by the standard.

Mapping Schedule

Note that the mapping process is not available at certain times of the year. At present, it is not available between January 15 and March 1. That is the time period during which IACE evaluations take place. Here is the current calendar for IACE certification:

  • January 15: Deadline for the IACE certification cycle. All mappings must be entered and submitted by this time.
  • March 1: Submitted certifications may be complete, and recipients are notified. This is not an official deadline and may vary with circumstances
  • mid-June: Official certificates are presented to successful institutions at the annual Colliquium for Information Systems Security Education (CISSE).
  • Five years later: Certification expires


While Elementary Information Security should make courseware mapping clearer and more accessible for institutions, the process described here is not guaranteed to work. Moreover, the process as described could be changed by IACE without notice. CNSS only certifies that the textbook's contents fully conform to NSTISSI 4011.

Post category: 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer