Security+: Earning continuing education units (CEUs) [updated 2021]
What are Continuing Education Units (CEUs) and why do you need them? The title provides the definition, but their raison d'être is an entirely different matter. In this business there’s always something new to learn: we might occasionally pull ahead of the cyber criminals, but a large part of the time we’re playing catch-up.
If we’re lucky and some other company gets the wrong end of the stick, we get to learn from their experiences. The new attack vector gets disseminated to the computer security community and we get to protect our networks before the crooks get around to applying that technique to us.
In this industry, it is absolutely essential to stay up to date. CEUs are required to keep your certifications current; if you want to maintain your professional certified status, obtaining those CEUs is obligatory.
Now, of course, different certifications require differing numbers of CEUs specific to the qualification. For example, the CompTIA A+ certification only requires 20 Continuing Education Units while Network+ requires 30 CEUs. On the other hand, CompTIA Security+ and Cloud+ both require 50 CEUs whereas CSA+ requires 60 CEUs, and the CompTIA Advanced Security Practitioner (CASP) requires 75 CEUs for every renewal period.
It's also important to understand Intent Levels. Your highest certification automatically renews all the ones below it when you complete the highest certification. If you have the CompTIA A+ and the Security+ certifications, you only need to renew the Security+ to renew both of them. Just be aware that if your A+ expires first, then you will need to renew your Security+ certification before the A+ expires, after which they will both be concurrent.
The CompTIA Security+ certification requires 50 CEUs over a three-year cycle to stay current. Let’s look at how you can meet the requirements.
These can generally take the form of:
- Completing the CompTIA Security+ certification training course (including the exam) for an automatic full qualification. The course itself provides the entire 50 CEUs necessary;
- Earning any more advanced non-CompTIA security-related certification (such as CISSP, CEH, CHFI, ECSA, ISSAP, and many more) for 50 CEUs which can all be applied to the Security+ for instant re-qualification;
- Being an active member of an IT Association, which can generate up to 6 CEUs per three-year cycle;
- Being an IT board/chapter participant, which can earn you nine CEUs per three-year cycle;
- Attending a 1-hour webinar, which will provide 1 CEU (to a maximum of 10 webinars over the three-year period, for 10 CEUs);
- Attending a conference (again, to a maximum of 10 CEUs over the three-year cycle), providing 1 CEU per hour;
- Completing up to 50 hours of training courses, providing 1 CEU per hour;
- Completing a college course, with 3–4 credit hours, will earn you 10 CEUs, to a triennial maximum of 40 CEUs;
- Completing an American Council on Education (ACE) accredited course, with 3–4 credit hours, will also earn you 10 CEUs, to a triennial maximum of 40 CEUs;
- Work experience, gaining three CEUs per year, for a total of 9 CEUs over the three-year period, requiring only that you list your activities that relate to IT Security on company letterhead and get it signed by your boss;
- If you're truly brilliant, you could pick up 20 CEUs per triennial cycle by teaching a course, an additional 20 by creating instructional materials and another 16 by publishing a relevant industry article, blog post or white paper, at 1 CEU each, provided it relates to IT Security (blog posts are the easiest, requiring only 50% content and 500 words or more);
- You can make another big contribution to our industry by completing a CompTIA Exam Development Workshop as a Subject Matter Expert (SME) gaining an instant 50 CEUs;
- If you publish a relevant industry book, that is good for another 40 CEUs.
As you can see there are plenty of ways to obtain the necessary CEUs, and some of them cost nothing at all. Once you earn those 50 credits, you are all done!
What form can these credits take?
Many of the required CEUs are derived from training courses, so let's talk about those now. CompTIA provides a list of pre-approved courses. These are not requisite to obtaining the certification or to qualifying for the credit.
If you select from the approved list, you should always check to make sure that programs on the list are still acceptable for the qualification. The approved list contains 28 vendors, trainers and certification authorities. You can peruse the list of offerings for each member below. The number in parentheses is the number of courses each offers [see illustration].
Not on the list
Now, that provides a total of 269 different approved courses that you can avail yourself of, based on the CompTIA Security+ SY0-401 objectives. But let's imagine for a moment that you have found a course that you want to take which is not included in the above list. Can it still qualify?
You are not restricted to that list. Any course is acceptable for credit, provided the activity content covers at least 50% of the exam objectives for which you are seeking certification. Since we're currently talking about the Security+ certification, the course material must be relevant to IT security.
The best way to ascertain that your course or activity qualifies for CEU credit is to go to CompTIA’s CEU assessment site and answer the five easy questions. The fifth question requires that you assess the course or activity relative to the current CompTIA Security+ SY0-401 exam objectives, which, for your reference, are right here (also see Staying up-to-date below).
Training can be expensive, and conferences aren't free, so keep your eyes open for bargains. Look for free online webinars, which are widely available.
Some security organizations have monthly, quarterly or semiannual meet-ups where you attend an hour-long tech session, learn something new and pick up 1 CEU while you're there.
Not enough? If you are spending your lunch hour at your desk, go over to ISACA and see what they have to offer in terms of free webinars. They're all pre-approved for CEUs (provided they are related to security) so have some interesting facts to go with that sandwich. And don't forget to check out (ISC)², the EC-Council site, Cisco and the Armed Forces Communications and Electronics Association (AFCEA) for more free security-related webinars.
A lot of people and organizations offer online training for free as well, as in the following example. You can complete this course called Mastering Security Basics online, and, upon completion, be able to print out a document certifying your success. This course has been fully approved by CompTIA for a total of three CEUs which qualify for A+, Network+, and, most importantly for us, the Security+ certification.
Of course, CompTIA's CEU requirements evolve, and you'll not necessarily be notified. You are partially protected, however: if an approved activity is already submitted to your record prior to that change, it remains applicable for your CEUs for the period of renewal, even though no one else can use it beyond that date of change.
There are some significant changes which you will be expected to take into account. Rather than making it more difficult to acquire CEUs, they will make it easier by encompassing a broader range of materials. More courses and activities will qualify, giving you a terrific opportunity to broaden your knowledge base.
DoD employees and contractors
Since the beginning of 2011, in order to comply with DoD 8570.01-M, the DoD no longer recognizes GFL (Good For Life) certifications from CompTIA. Individuals need to meet the normal requirements for certification and they must pay the annual fee as part of their certification. The DoD can buy bulk tokens from CompTIA (minimum 10) to be used to pay for their employees' annual fees.
Candidate code of ethics
The CCoE reflects not only your personal ethics, but also the integrity of the entire CompTIA program, and all of its members. All earned CEUs can be revoked. There must be consequences for those who violate the ethics policy.
These can include:
- denial of certification, decertification and revocation of all previously granted certifications;
- removal of eligibility to register and/or schedule any CompTIA certification examination, or to receive any CompTIA certification for a 12 month period;
- being subject to suspension of the current continuing education program cycle for 12 months; and
- being subject to any and all appropriate actions (including legal remedies) that CompTIA deems necessary or appropriate to enforce its Ethics Policy.