What is the DoD CSSP (cyber security service provider)?

May 4, 2018 by Howard Poston

The DoD Cyber Security Service Provider (CSSP) is a certification issued by the United States Department of Defense (DoD) that indicates a candidate’s fitness for the DoD Information Assurance (IA) workforce. CSSP certifications depend on job role and require completing a third-party certification as well as DoD-specific training and requirements. This guide describes the various job-specific CSSP certifications, the requirements for achieving each version, and the third-party certifications that are accepted for each job role.

What are the CSSP levels?

The DoD Cyber Security Service Professional levels are broken out by job role. The five possible roles for a holder of a DoD CSSP certification include:

  • Analyst
  • Infrastructure support
  • Incident responder
  • Auditor
  • Service provider manager

What are the DoD CSSP requirements?

The majority of requirements for a certified DoD CSSP are the same across all job roles. However, the amount of recommended experience varies by job role, and the service provider manager is exempt from some of the requirements.

  • Initial training: All CSSP job roles require initial training – in-class, distributed, blended, government and commercial provider options are all acceptable
  • CSSP certification: All CSSP roles require earning a CSSP certification within six months
  • OJT evaluation: The analyst, infrastructure support, incident responder and auditor job roles are required to complete on-the-job training evaluations
  • CE certifications: The analyst, infrastructure support, incident responder and auditor job roles are required to complete a Computing Environment (CE) certification
  • Maintaining certification status: All CSSP job roles are required to maintain their certification based on the requirements of their particular certification
  • Continuing education: All CSSP job roles must fulfill their certification’s continuing education requirements
  • Background investigation: Applicants may need to undergo a background investigation based upon their IA level (computer environment, network environment or enclave) and the requirements outlined in DoDI 8500.2
  • Signed privileged access statement: CSSP auditors, infrastructure support, incident responders and auditors must sign a privileged access statement
  • Experience: Experience varies based on job role:
    • Auditor: Two years in CSSP technology or related field
    • Infrastructure support: At least four years supporting CSSP and/or network systems and technology
    • Incident responder: Five years in CSSP technology or related field
    • Auditor: Two years in CSSP technology or related field
    • Manager: At least four years in CSSP management or related field

What are the DoD CSSP certifications?

Certified DoD CSSPs have a choice between different third-party certifications to fulfill their requirements. The certifications accepted depend on the job role sought (analyst, infrastructure support, incident responder, auditor or manager). The certification requirement for the CSSP Analyst job role provides the largest choice of options for a prospective candidate:

The certification options for CSSP Infrastructure Support applicants include:

The certification options for CSSP Incident Responders include:

The certification options for CSSP Auditors include:

CSSP Managers have fewer options:

The number of options may seem overwhelming, but narrowing down to a targeted position may help. From there, experience level and certification focus are good deciding factors.

For example, EC-Council’s Certified Ethical Hacker (CEH) and CompTIA’s Cybersecurity Analyst (CySA+) are worth a look, as they are accepted for any role except CSSP Manager.

Final thoughts on the DoD CSSP

The DoD CSSP certification demonstrates a worker is qualified for work as part of the IA workforce. The CSSP certification is broken up by job role (analyst, infrastructure support, incident responder, auditor and manager) and the primary requirement is that an applicant completes and maintains the requirements for an external certification relating to the selected field. For each job role, the DoD provides at least two options for certification.


Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.