This note is to encourage all members of (ISC)2 to understand the nature of Associate status and give advice on how to avoid potentially misleading use of the term, especially in resumes, LinkedIn profiles, and communications with human resources staff.
Summary:
1. Associate of (ISC)2 is not a certification; it is a category of (ISC)2 membership for individuals seeking their first certification from the Consortium by passing one of the exams but still working toward the professional experience requirement.
2. There is no such thing as an “Associate CISSP” or “Associate of CISSP” (or any other certification).
3. Imprecise use of the terminology by an Associate may be interpreted as an apparent claim to a certification not yet received, a violation of the Code of Ethics, resulting in the Associate being barred from certification.
Information here is based on
An Associate of (ISC)2 is a member of (ISC)2 who has passed any one of six certification exams (CISSP, SSCP, CCSP, CAP, CSSLP, or HCISPP) and paid dues to join the organization, but has not yet accumulated sufficient work experience to seek endorsement to (ISC)2 for certification.
Certification applicants who already have the required professional experience before taking one of the exams do not pass through Associate status. They move straight into the endorsement process, and become members upon receiving their first certification from (ISC)2.
There is no such thing as “Associate CISSP,” or “Associate CSSLP,” or “Associate of CISSP.” All Associates of (ISC)2 have the same membership status. However, the (ISC)2 staff does keep records to identify which certification each Associate is working towards by having passed a specific exam. Thus, you may see references to an Associate of (ISC)2 leading to CISSP, or similar language.
Using language in a resume, profile, or biography that includes the name of a certification in a manner that could lead a non-member of (ISC)2 to infer you hold that certification may be a violation of the second canon of the Code of Ethics, “Act honorably, honestly, justly, responsibly, and legally.” Should a formal complaint to the Ethics Committee on such usage result in a finding of violation, the Associate may be barred for life from ever being certified by (ISC)2.
Tidbits from History
When founded, the International Information Systems Security Certification Consortium - (ISC)2 - had only about a half a dozen members: professional organizations who banded together to have one broadly accepted certification instead of each operating their own.
The organizations were the following: “the Canadian Information Processing Society, the Computer Security Institute, the Data Processing Management Association (two special interest groups), Idaho State University, the Information Systems Security Association, and the International Federation for Information Processing.” (https://www.isc2.org/About)
There were no individual memberships; the organizations were the members, not those certified by the Consortium.
Some years later the (ISC)2 Board moved to convert the Consortium into its own professional organization, separate from the founding groups, with all certified CISSPs and SSCPs as members. At that time there were no other certifications managed by (ISC)2.
In the early 2000s another professional organization, ISACA, created a new certification to work along with their longstanding Certified Information Systems Auditor (CISA) certification, the CIS Manager (CISM). The CISA is for line-level auditors. The CISM was designed for managers overseeing the work of CISAs. While there was no apparent intent by ISACA to poach on (ISC)2 territory, it was apparent that the qualifications for CISM were very close to those for CISSP. In fact, during the first year many CISSPs could attain CISM by a grandfathering process, without taking an exam. Reacting to the CISM, (ISC)2 created a new membership status of Associate of (ISC)2, which required passing the CISSP (not SSCP) exam, but not requiring any professional experience in the field. At the same time, eligibility to take the CISSP exam was changed, removing the work experience requirement. The idea at the time was to capture young security professionals into the (ISC)2 CISSP pipeline before they had five years' experience, ready to choose between CISSP, CISM, or both.
In the years since, (ISC)2 has introduced several additional certifications, now a total of six. The Board further broadened the concept of an Associate of (ISC)2 as a member pursuing a “Path to Certification” for a first certification from (ISC)2 any one of the six certifications. The name of the member status has remained the same as originally established, but now has a broader meaning to support all the available certifications. Nonetheless, posts in the Community of (ISC)2 forums by (ISC)2 staff make it apparent that the staff now maintains records to link each Associate with the certification being sought.
https://cragins.blogspot.com/2018/08/understanding-associate-of-isc2-status.html
You can tell the contract/ DoD that you have passed the test and are at associate level status, they will understand as it happens all the time with military members as well. Speaking from experience as a DoD Contractor so long as you have passed the certification test the DoD/CTR's will see you as having the "cert" just show proof with the ISC2 Acclaim badge and you should be good to go.
Best way might be to contact the company program manager to obtain information from the agency contracting officer. Reason being is government contracts are written to specific labor category and position requirements. I have not seen any acceptance of Associate status from any government website.
FYI that every contract I have been on always required the nice and shiny embossed certificate or a copy of it (pdf).
As others mentioned include it on the resume, LinkedIn, etc.
Best of luck and keep charging ahead.
@RRoach wrote: Best way might be to contact the company program manager to obtain information from the agency contracting officer. Reason being is government contracts are written to specific labor category and position requirements. I have not seen any acceptance of Associate status from any government website.
It is highly unlikely that any DoD contract specifically requires a CISSP. Rather, I would wager that the contract language requires the participating cybersecurity employees hold the appropriate credentials under the DoD 8570 or DoDR 8140 workforce program to perform at specified IAT or IAM levels.
In that case, it has been clear for many years that "CISSP (or Associate)" meets all IAT and IAM levels.
So, I am quite confident that holding Associate of (ISC)2 status will fully meet the contractual requirement.
Added 5/7/21: You will not find the language mandating cybersecurity certification explicitly in the contracts from DoD. The requirements are specified in section 239.7102-1 of the DFARS (Defense Federal Acquisition Regulation Supplement) which cites DoD Directive 8140.01, and are stated by an inclusion citation in the contract itself. This is a common practice for many common requirements for all DoD contracts. Similar procedures citing sections of the FAR are found in contracts with other federal departments and agencies.
Craig
Confirmed on gov website and wasn't able to post yesterday after my initial comment.
CISSP (associate) is listed for:
IAT (III) note: "not IAT I or II"
IAM (II/III)
IASAE (I/II).
And yes, contracts I have seen usually just have the 8570 disclaimer.
Recommend:
-get a copy of the 8570 website page (pdf) showing all the certs per IAT/IAM level
-get a copy of the status/associate cert from ISC2
a. If on contract: Provide the info to the PM to work it out with the COTAR. COTAR is the one who approves any new/replacement staff on contract.
b. If not on contract: Provide to recruiter/staffing company for position you are applying for.
Let us know how you make out,
Rob
@RRoach wrote: Confirmed on gov website and wasn't able to post yesterday after my initial comment.
CISSP (associate) is listed for:
IAT (III) note: "not IAT I or II"
IAM (II/III)
IASAE (I/II).
Rob,
CISSP (Associate) DOES qualify for IAT I and IAT II, and also for IAM I. Higher certs trickle down to lower levels, but not for CSSP and IASAE levels.
See the notes on DoD Approved 8570 Baseline Certifications
"Higher level IAT and IAM certifications satisfy lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell."
...
"Higher level CSSP and IASAE certifications do not satisfy lower level requirements"
Craig
Verified below the table. Thanks for adding that in as well.
I can recall actually having this convo a few years back and even though I had a CISSP, I was informed the position would need a Security +.
Just in case, because the way the contracts are written and interpretation of PMs and COTARS as well as even recruiters, I would recommend getting a copy of the web page that includes those disclaimers as well (which is the same page listing all the certs) and/or send them the link or maybe just a snippet of the CERTs, disclaimer, and URL to the website for the gov peeps to verify.
Kind of funny but I will probably end up making something similar for myself as well.
If I am an ISC(2) member as a fully-endorsed SSCP, what happens if I pass other certification tests for which I do not have the requisite experience? Like CCSP and CISSP, for example?
Would I still be given the opportunity to apply for endorsement up to six years after my pass as with an Associate of ISC(2)? During that time, would I still be restricted from mentioning my CCSP/CISSP test pass until fully endorsed for each specific certification?
David,
If an ISC(2) member (for example, SSCP or CAP) is pursuing CCSP or CISSP that they do not yet have the requisite experience for but have passed the exam - is there any authorized designation in this case? Some sort of "digital badge" or verbiage that we can use to express that an ISC(2) member is pending endorsement of another cert?