
DoD CSSP: A Unique Component of Defense-in-Depth Strategy


An effective cybersecurity posture is achieved when there is confidence that information and information systems are protected against attacks. This is done through the application of security services in such areas as availability, integrity, authentication, confidentiality, and non-repudiation. Because technical mitigations have no value without trained people to use them and operational procedures to guide their application, an organization implementing an effective and enduring cybersecurity framework must achieve a synergistic balance among all three facets of a Defense in Depth strategy: people, operations, and technology. Within the Department of Defense (DOD), Cybersecurity Service Providers (CSSPs) are a unique component of the defense-in-depth strategy.


A CSSP is an organization that provides one or more cybersecurity services to implement and protect the Department of Defense Information Network (DODIN).  Cybersecurity services include capabilities in four main categories:

  • Protect: includes vulnerability analysis and assessment, red teaming, virus protection, subscriber protection and training, information operations condition implementation, and IA vulnerability management;
  • Monitor, Detect, Analyze and Diagnose: includes network security monitoring and intrusion detection; attack sensing, warning, and indications; and situational awareness;
  • Respond: includes containment, eradication, recovery, and incident reporting;
  • Sustain Capability: includes memoranda of understanding and contracts; policies and procedures; cyber technology development, evaluation, and implementation; personnel levels and training/certification; security administration; and the primary information systems that support the CSSP.

Within the Department of Defense, there are 23 approved (certified and accredited) CSSPs authorized to provide cybersecurity services to DOD organizations in accordance with DOD Instruction (DODI) 8530.01, Cybersecurity Activities Support to DOD Information Network Operations and the Evaluator Scoring Metrics (ESM), DOD Cybersecurity Services.

As defined in DOD O-8530.1-M, DOD Computer Network Defense Service Provider Certification and Accreditation Process, General Service (GENSER) CSSPs (which provision cybersecurity services to unclassified networks) and Special Enclave (SE) CSSPs (which provision cybersecurity services to classified networks) use the ESM to provision and conduct self-assessments of their provisioned services. The ESM contains the criteria against which GENSER and SE evaluations are conducted. ESM metrics are built from the required cybersecurity functions of DODI 8530.01 and include requirements from other DOD and Federal documents that govern cybersecurity operations in DOD.

What is the DoD CSSP?

The DoD CSSP is a certification issued by the United States Department of Defense that indicates a candidate’s fitness for the DoD Information Assurance (IA) workforce. CSSP certifications are dependent on the job role and require completing a third-party certification and DoD-specific training and requirements. This guide will describe the various job-specific CSSP certifications, the requirements for achieving each version, and the third-party certifications that are accepted for each job role. 

What are the CSSP levels?

The DoD Cyber Security Service Professional levels are broken out by job role. The five possible roles for a holder of a DoD CSSP certification include:

  • Analyst
  • Infrastructure support
  • Incident responder
  • Auditor
  • Service provider manager


What are the DoD CSSP requirements?

The majority of requirements for a certified DoD CSSP are the same across all job roles. However, the amount of recommended experience varies by job role, and the service provider manager is exempt from some of the requirements.

  • Initial training: All CSSP job roles require initial training – in-class, distributed, blended, government and commercial provider options are all acceptable.
  • CSSP certification: All CSSP roles require earning a CSSP certification within six months.
  • OJT evaluation: The analyst, infrastructure support, incident responder and auditor job roles are required to complete on-the-job training evaluations.
  • CE certifications: The analyst, infrastructure support, incident responder and auditor job roles are required to complete a Computing Environment (CE) certification.
  • Maintaining certification status: All CSSP job roles are required to maintain their certification based on the requirements of their particular certification.
  • Continuing education: All CSSP job roles must fulfill their certification’s continuing education requirements.
  • Background investigation: Applicants may need to undergo a background investigation based upon their IA level (computer environment, network environment or enclave) and the requirements outlined in DoDI 8500.2.
  • Signed privileged access statement: CSSP auditors, infrastructure support, incident responders and auditors must sign a privileged access statement.

Experience: The experience required varies by job role:

  • Auditor: Two years in CSSP technology or related field.
  • Infrastructure support: At least four years supporting CSSP and/or network systems and technology.
  • Incident responder: Five years in CSSP technology or related field.
  • Auditor: Two years in CSSP technology or related field.
  • Manager: At least four years in CSSP management or related field.

What are the DoD CSSP certifications?

Certified DoD CSSPs have a choice between different third-party certifications to fulfill their requirements. The certifications accepted depend on the job role sought (analyst, infrastructure support, incident responder, auditor, or manager). 

The certification requirement for the CSSP Analyst job role provides the largest choice of options for a prospective candidate:

The certification options for CSSP Infrastructure Support applicants include:

The certification options for CSSP Incident Responders include:

The certification options for CSSP Auditors include:

CSSP Managers have fewer options:

The number of options may seem overwhelming, but narrowing down to a targeted position may help. From there, experience level and certification focus are good deciding factors. 

For example, EC-Council’s Certified Ethical Hacker (CEH) and CompTIA’s Cybersecurity Analyst (CySA+) are worth a look, as they are accepted for any role except CSSP Manager.

Final thoughts on the DoD CSSP

The DoD CSSP certification demonstrates a worker is qualified for work as part of the IA workforce. The CSSP certification is broken up by job role (analyst, infrastructure support, incident responder, auditor, and manager) and the primary requirement is that an applicant completes and maintains the requirements for an external certification relating to the selected field. For each job role, the DoD provides at least two options for certification.


William Jordan
