PenTest+: DoDD 8570 overview
In November 2020, the US Department of Defense (DoD) has selected CompTIA PenTest+ as an approved certification for military personnel and defense contractors working in DoD information assurance roles. Anyone interested in a career as penetration tester and aspiring to opportunities in government can definitely look at the PenTest+ certification as a viable option for access to new opportunities.
This article explores how PenTest+ is an important addition to the DoD Directive 8570 (see DoD 8570.01 pdf) and why it can represent an important asset for professionals who want to progress in the field of pentesting and ethical hacking or be part of the government’s information assurance workforce.
What is PenTest+?
Excellence in penetration testing requires the right aptitude and passion for increasing the safety and security of network connected systems and preventing others from attacking it. These sought-after IT and security experts have the right mix of formal knowledge and practical skills to take preventive, corrective and protective measures in order to safeguard at-risk systems. Pentesting includes familiarity with carrying out repeated attacks on computer systems and networks with the sole intention of identifying loopholes in the security system, which could potentially provide access to cyber attackers.
So, what does it take to be a certified pentester? First and foremost, a professional ethical hacker needs technical abilities and passion for information security. Such experts come from different backgrounds and not all have advanced degrees or many years of expertise. It is then even more important that these professionals choose the right industry-recognized certification to prove their worth to potential employers or clients. A great option is PenTest+.
This certification is a good option for prospective and current penetration testers. This is due to its unique mix of hands-on activities, performance-based questions and multiple-choice questions that heavily test the practical skills of the professionals, as well as their all-important management skills. It demonstrates that the tester is not only capable of finding weaknesses in systems but is also capable of suggesting appropriate countermeasures and preparing plans for defense. PenTest+ also focuses more and more on new environments such as the cloud and mobile, in addition to traditional desktops and servers.
As stated on the official CompTIA website, the successful candidate has the knowledge and skills required to gain “a thorough understanding of pentesting methodologies and vulnerability assessments, as well as the ability to exploit systems and effectively communicate findings.”
The test is taken at a Pearson VUE testing center. To pass, pentesters need to be familiar with current exam objectives and prepared to show practical expertise, so it’s a good idea to enroll in specific courses that privilege hands-on activities in intelligence gathering, exploitation and stealth techniques.
What is DoDD 8570?
As CompTIA explains, the “DoD 8570 [issued in 2005] was created to identify, tag, track and manage the information assurance, or cybersecurity, workforce. It also established a manual [see the DoD 8570.01-m] that includes an enterprise-wide baseline IT certification requirement to validate the knowledge, skills and abilities of people working in cybersecurity roles.”
In 2015, however, it was clear that adjustments needed to be made to account for advancements in technology and changes in the cybersecurity realm. The result of this effort was DoD 8140, the Information Assurance Workforce Improvement Program. This leveraged the Defense Cybersecurity Workforce Framework (DCWF), which draws from the original National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) and the DoD Joint Cyberspace Training and Certification Standards (JCT&CS).
DoD 8140 does cancel DoD 8570/01, as it updates it and expands it. In reality, its manual (8570.01-M) is still in place today, pending the publication of the new one related to the updated directive. The new document is expected to place a clearer focus on hands-on training and practical knowledge; therefore, certifications and training highlighting that aspect will definitely be considered within the essentials for new cybersecurity professionals.
How PenTest+ applies to DoDD 8570
With its addition to DoD Directive 8570.01-Manual, titled “Information Assurance Workforce Improvement Program,” PenTest+ joins the DoD-approved baseline certifications required to satisfy certain job requirements of professionals tasked with penetration testing and vulnerability management in three workforce categories: Cybersecurity Service Provider Analyst (CSSP-A), Cybersecurity Service Provider Incident Response (CSSP-IR) and Cybersecurity Service Provider Auditor (CSSP-AU).
Benefits of PenTest+ with regard to DoDD 8570
The recent approval of PenTest+ as a baseline certification offers some significant benefits to the DoDD 8570 program. These benefits are presented below.
Knowledge, Skill & Ability (KSA) competencies
One of the first benefits that can be identified lies in the hands-on nature of this certification. Through it, professionals can prove up-to-date practical skills and abilities in testing systems, identifying vulnerabilities and making plans for mitigation. With its recommended prerequisite of 3-4 years of hands-on information security or related experience, this credential is able to also qualify professionals with an intermediate level of experience.
The certification also covers the all-important communication skills pentesters must possess: from writing detailed reports of the findings to presenting them to management and providing recommendations. It essentially ensures that the professional is well-rounded and capable of handling not only technical aspects but also all that is required once problems are found.
Evidence of tool use
Penetration testing tools are widely covered in the test in the fourth domain. This ensures the tester has direct knowledge of them and can use the newest versions of all that is required for effective pentesting: from debuggers to credential testing, scanners and wireless-specific tools.
The ability to use hacking tools is paramount, and all aspects need to be covered: not only packet capturing tools such as Wireshark but also endpoint security assessment tools to prevent intrusion, as well as tools for social engineering and the protection of mobile devices.
Certifies a real world-ready skill set
CompTIA PenTest+ requires candidates to have specific abilities also in new environments such as the cloud and mobile, and not just the traditional on-site network environments. It ensures, then, that the professionals are truly ready to withstand the challenges they will face in real-world scenarios.
By also including management skills, that are essential in dealing with stakeholders but also in communicating effectively with other sections of the cyberteam and plan for the managing of weaknesses, it recognizes that today’s professionals cannot just be technical wizards ready to spot problems, but they also have to be an integral component of the team that is expected to prevent or respond to issues.
Performance-based certification for practitioners
With its performance-based assessment focus, this certification really measures the students’ ability to solve real-world problems and apply knowledge to practical cases. Certified personnel can give assurance, then, that they not only have the know-how required to discover and manage issues but that they truly have the hands-on experience that can help them be more effective in their job.
A career in penetration testing can be exciting, rewarding and challenging! This article explored why the PenTest+ certification is an important addition to the DoD 8570 and why it is a suitable option for professionals that are looking for credentials that can help them advance in their career.
DoD 8570 CSSP categories do not include skill levels because the positions are very specific to their duties. In fact, CompTIA PenTest+ is 8570.01-m approved for CSSP Analyst, CSSP Incident Responder and CSSP Auditor. The CompTIA PenTest+ ensures personnel are appropriately trained and certified, have the appropriate knowledge required specifically by those positions and can truly show the hands-on abilities and skills required today.
As the Department of Defense Directive 8570 for cybersecurity workforce identification eventually gives way to DoDD 8140 for the training, certification, and management of all government employees who conduct information assurance functions, PenTest+ seems to fit perfectly with the new scope and the intended effort that DoD is putting forward. DoD 8140 manual is expected to be released December 2020, or in early 2021.
PenTest+, CompTIA, Inc.
CompTIA PenTest+ Approved by U.S. Department of Defense, CompTIA, Inc.
CompTIA PenTest+ Is Now DoD Approved: Why It Matters, CompTIA, Inc.
U.S. DoD 8570 vs. 8570.01-m vs. 8140: What’s the Difference…, CompTIA, Inc.
DoD Approved 8570 Baseline Certifications, DoD Cyber Exchange