The Information Assurance Courseware Evaluation (IACE) Program implements a process to systematically assess the degree to which the courseware from commercial, government, and academic sources maps to the national standards set by the Committee on National Security Systems (CNSS).
The IACE Program is currently managed by the National Information Assurance Education and Training Program Office within the Information Assurance Directorate at NSA. The goal of the IACE Program is to expand the use of national standards in information assurance education and training throughout the nation. These standards were developed for the government, but have been kept unclassified to share with the greater IA community.
The IACE process certifies that an institution meets all of the requirements of a specific CNSS standard within its courseware set of instruction. The certification process does not address the quality of the presentation of the material within the courseware; it simply ensures that all of the elements of a specific standard are included.
Certified institutions meet the minimum national training and education standards for the duties and responsibilities of:
Successful IACE mapping is a prerequisite for applying to the National Centers of Academic Excellence in IA Education Program.
***Institutions applying for designation/redesignation as a National Center of Academic Excellence in Information Assurance Education (CAE/IAE) must have current certification for NSTISSI 4011 and one other CNSS standard. To meet this prerequisite, courseware mapping must be submitted by no later than 31 August.***
The IACE Process
Applicants electronically enter courseware information via a secure interactive website. This information includes thorough course descriptions (including syllabi) for the minimum number of courses needed to map to all elements of the CNSS standard for which the applicant is seeking certification, and justifications that clearly indicate where each element is covered within a course.
An institution will receive formal certification of its courseware after validation that all of the specific standard elements are met. IACE certificates are awarded during the Committee on National Security Systems (CNSS) Awards Ceremony at the annual Colloquium for Information Systems Security Education Conference. The certificates are valid for a period of five years (June - June).
The IACE submission cycle begins on 1 March and runs through 15 January of the following year:
Obtaining an Account
An institution may begin IACE mapping as soon as an account is established. An account and password can be obtained by sending an email to AskIACE@nsa.gov containing the following information:
The institution's POC is the only one who can grant access (add the names of the other individuals to the list of data entry people) and submit the institution's application. The application will not be reviewed and validated until after it has been formally submitted.
IACE Recertification
Recertification is required every five years. It is the responsibility of the organization or institution to re-apply. In order to receive an updated IACE certificate in June of the year the current certificate expires, the courseware must be mapped to the most up-to-date version of each standard, and submitted by 15 January of that year.*
*The deadline for submitting courseware as a pre-requisite for designation/ re-designation as a National Centers of Academic Excellence in IA Education (CAE) is 31 August.
History/Resources
Presidential Decision Directive 63 (PDD 63) "Critical Infrastructure Protection," dated May 22, 1998, highlighted the critical shortage of well-trained information assurance professionals, and the need for national standards. In January 2000, the National Security Telecommunications and Information Systems Security Committee (NSTISSC), the predecessor to today's Committee on National Security Systems (CNSS), initiated the IACE Program to establish those standards. The CNSS standards were developed for the government from input provided by government, academia, and private sector subject matter experts.
FAQs
1. I've forgotten my IACE application URL, username and password - what should I do?
Send an email to AskIACE@nsa.gov containing the name of the institution as it appears on the IACE account. The email should state the type of information (URL, username and/or password) that has been forgotten.
2. I would like others to access my account or help with data input, who do I contact?
The institutions point of contact (POC) controls access to the account. The POC grants access by logging into the IACE database and selecting "Organization Information" from the 'Main Menu' and "Request New Data Entry Person" from the 'Secondary Menu'. The POC would then fill in the new user form. All fields on this form are mandatory. The new user will receive an email with his/her login name, password, and IACE application URL.
3. I've submitted my mapping for review, why can't I edit the other data in my account?
When courseware is submitted for review, the application is placed in a "read-only" state to retain the integrity of the data. Once the reviews are finalized, the application will be reopened for editing.
4. I am no longer the point of contact for my institution, how do I transfer the account to my replacement?
Send an email to AskIACE@nsa.gov to include the name of the institution and an email address, first name, middle initial, last name for the replacement.
5. The head of our IA department has left or retired. How do I find out if my institution has an existing IACE account, and if so, change the point of contact information to mine or my associate?
Send an email to AskIACE@nsa.gov to include the name of the institution and the circumstances. If applicable, the email should contain the email address, first name, middle initial, last name for the new POC.
1. There are three mapping levels: E (entry), I (intermediate) and A (advanced); for some of the standards, must I map to all three levels or is the E level is sufficient to receive a certificate?
The E level is sufficient to receive a certificate. The CNSS certificate indicates the level (E, I, A) to which mapping was verified.
2. What does mapping to ALL of the elements mean?
All elements = 100% of the elements.
Exception: Some standards may have elements that state "Government Only." This means that only government institutions need to map courseware to these elements.
3. When there are references to "agency" in the standards, e.g. "explain "agency" policy, describe "agency" control points, is replacing "agency" with "organization" appropriate when mapping?
Yes. The standards state "agency" as they were developed for the government.
4. Would certified courseware need to meet every objective for each major subject area, or could curriculum covering one portion of the objectives to the stated standards be certified?
There is only one certification for each national standard, or level of a standard, and that is to certify that the courseware meets 100% of the objectives. Once courseware is formally submitted, it is reviewed by subject matter experts to validate that 100% of the objectives are met.
5. What is an acceptable number of courses to map to one standard? Is 10 too many?
There is no definitive number, but limiting the number of courses to just those that are needed, saves wasted time and effort and helps to demonstrate that students can reasonably complete the courseware set of instruction.
6. Can I use the course textbooks and supplemental reading in my courseware mapping?
Yes. When referencing textbooks, the chapter & chapter title need to be included. Since textbooks become rapidly outdated in the computer field, it is increasingly common to use supplemental reading. The supplemental reading must be truly "supplemental" in that it is required vs. optional for the course.
7. Can someone from the NIETP Office preview and consult my mapping before I submit it for review?
The NIETP Office does not preview IACE submissions. Some applicants have a third party review it, or ask other institutions that have successfully mapped courseware to perform a quality check.
8. What happens if I've entered mapping into my account, but am not ready to submit it by the 31 August or 15 January deadlines?
There are no extensions to the existing deadline(s), but whether mapping is submitted or not, it is retained in the IACE account until the CNSS standards are updated, superseded, or cancelled. IF one of the standards has been updated, superseded, or cancelled, the mapping to that standard will no longer be in the database when it reopens for mapping on 1 March. Exception: If the IACE database itself is unavailable (IACE server down, etc.) just prior to a deadline, an extension will be granted to all based on the length of the outage. (day for day)
9. I would like to certify both our graduate and undergraduate programs, should I map all of the courses from both programs?
Yes - If all of the courses are all needed to fully map to a standard, or level of a standard.
No - If all of the courses are not needed. The IACE program certifies an institution's courseware, not its courses or programs. Only the minimum number of courses containing the courseware needed to fully map to a standard are required.
10. My 4011 certificate expires this year and I must re-certify our courseware. Since 4011 has not changed, my original mapping is still in our IACE application. This mapping was done when our certified courseware was scattered throughout many courses. We have since consolidated the courseware into fewer courses. Do we need to re-map the courseware to the new courses or can I resubmit what is currently in the IACE database?
The CNSS standards and IACE program were designed with maximum modularity and flexibility in mind, to allow certified courseware to be consolidated/evolved into a more robust set of core IA courses or programs. What is currently in the database can be resubmitted as long as the certified courseware is still being taught.
11. I am in the beginning stages of creating a new program for Information Systems Security, do you have any suggestions for getting started?
A good place to start is the National IA Training & Education Center (NIATEC) website. The website contains IA teaching & curriculum materials at: http://niatec.info/teachmatl.htm. After thoroughly reviewing the NIATEC information, consider obtaining an IACE account. The six current Committee on National Security Systems (CNSS) national training standards (4011-4016 http://www.cnss.gov/instructions.html ) are loaded into the IACE database and may be helpful in guiding the effort. IACE can be used as a tool to consolidate current IA courseware, or for developing new courseware.
12. Is there any publicly available information on OPSEC?
Yes. Information such as the "Glossary of OPSEC Terms" and a copy of National Security Decision Directive 298, which established the National OPSEC Program, can be found on the Interagency OPSEC Support Staff's website at http://www.ioss.gov/.
1. Can an institution be certified in only 4011, or is an additional CNSS standard required?
An institution can be certified for only one standard. An additional standard is only required as a prerequisite to apply for designation as a National Center of Academic Excellence in IA Education. (4yr colleges & graduate level universities only)
2. Can you please provide information on becoming accredited for certification training?
The IACE Program does not accredit training institutions. IACE certifies that an institution's courseware meets all of the requirements of a specific CNSS standard within the courseware set of instruction.
3. Can we still issue CNSS certificates to our students, if they don't take the specific courses we used to map our courseware?
Yes - As long as all of the material is covered in the courses they do take. The CNSS standards and IACE program were designed with maximum modularity and flexibility in mind, to encourage the inclusion of the courseware modules in other courses/programs.
4. There is a reporter for a local magazine doing an article on our CNSS mapping. Would it be possible for him to contact the NIETP Office and ask a few questions about the mapping?
The NIETP Office can not talk directly to the press. The reporter can contact the NSA Public Affairs Office at 301-688-6524. Another option is to refer the reporter to our website: http://www.nsa.gov/ia/academia/acade00001.cfm