Goal National Centers of Academic Excellence in Information Assurance/Cyber Defense for Two-Year Education (CAE2Y) Program Criteria for Measurement Jointly Sponsored by the National Security Agency (NSA) and the Department of Homeland Security (DHS) The goal of the CAE IA/CD for Two-Year Education program is to proactively increase our understanding of robust IA/CD technology, policy and practices that will enable our Nation to effectively prevent and respond to a catastrophic cyber event. This program will contribute significantly to the advancement of state-of-the-art IA/CD knowledge and practice. Vision The vision for the CAE2Y program is to: 1. Provide programs that commit to excellence in the field of Information Assurance and Cyber Defense education at community and technical college and government training institutions. 2. Provide innovative, comprehensive and multidisciplinary education and training in the IA/CD field. 3. Strengthen the cybersecurity workforce by providing IA/CD education and training through degree and certification programs at community and technical colleges and government training centers. 4. Build an effective education pipeline model with K 12 schools to encourage students at an early age to enter IA/CD fields of study. 5. Provide the Nation with a pipeline of qualified students poised to become the future skilled technical workforce. 6. Continuously improve the quality of IA/CD programs, curriculum, faculty, students and other institutions. CAE 2Y Program Eligibility and Summary The CAE2Y Program is open to current regionally accredited two-year community colleges, technical schools, state or federally endorsed IA/Cybersecurity training centers or U.S. Government IA/Cybersecurity training centers. All institutions must hold current regional accreditation as outlined by the Department of Education (http://ope.ed.gov/accreditation). Overall CAE2Y requirements are: Demonstration of program outreach, student development, IA/CD Center establishment and maintenance, IA/CD faculty, and student curriculum path. Successful mapping of the institution s curriculum to the two-year core Knowledge Units (KUs). Completion of these requirements will recognize the institution with designation at the institution level as a NSA/DHS National Center of Academic Excellence for Information Assurance/Cyber Defense for Two-Year Education (CAE2Y). Institutions shall demonstrate that students can successfully complete the CAE2Y course of study and receive recognition on a transcript, diploma, etc. CAE 2Y Criteria Page 1 September 2013
Focus Area (Optional): 2014 NSA/DHS National CAE 2Y Criteria All CAEs have the option to apply for one or more CAE IA/CD Focus Area designations. The criteria include: Successful mapping of the institution s curriculum to all of the KUs identified in the Focus Area. Demonstration that a student can reasonably complete the necessary course of study to include all KUs identified in the Focus Area. The institution must provide student certificates to those that complete the FA course of study. The certificates must clearly identify the specific Focus Area achieved. Knowledge Units: The KU mapping will require the institution to address how it meets each Core and chosen Optional KU. An institution has many ways to demonstrate how a program meets/fulfills a KU. Some examples include: course syllabus, course outline, student assignments, lab assignment, modules in a course/collection of courses, and certifications (CCNA, CISSP, etc.). Required information will include: course syllabi, course outlines and justifications showing where and how the KUs are addressed in the curriculum. One course may fulfill the requirements of multiple KUs, and multiple courses may fulfill the requirements of a single KU. Program Evaluation: Institutions will be evaluated by CAE Program staff with assistance from Subject Matter Experts. The last phase of the criteria may be an on-site evaluation focused on course content, course relevance, laboratory facilities, and faculty involvement. CAE2Y Designation: Successful institutions will be designated as a NSA/DHS National Center of Academic Excellence for Information Assurance/Cyber Defense for Two-Year Education (CAE2Y). Due to the requirement to have all institutions designated by 2014, designation periods granted during this designation cycle will range from three to six years from the institution s application. This will allow a more distributed range of re-applications in the future. Subsequent cycles will revert to a five-year cycle. The initial designation period will be dependent upon timing of the application, with allowances for changes by the program office. Future criteria (including KUs and FAs) will continue to be reviewed annually and strengthened as appropriate to keep pace with the evolving nature of IA/CD. Designation as a CAE2Y does not carry a commitment of funding from NSA or DHS. CAE 2Y Criteria Page 2 September 2013
CAE2Y Program requirements: 2014 NSA/DHS National CAE 2Y Criteria 1. Outreach/Collaboration. The institution must demonstrate how IA/CD is extended beyond the normal boundaries of the Institution. Overall Point value: 16 points minimum/32 points maximum a. Shared Curriculum (e.g., IA/Cybersecurity teaching materials provided to technical schools, universities, community colleges, K-12 schools, etc.) or shared faculty (e.g., Faculty on IA/Cybersecurity curriculum development committee for more than one institution) b. Evidence that the program is providing students with access to IA/Cybersecurity practitioners (e.g., Guest lecturers working in IA/Cybersecurity industry, government, faculty exchange program with industry and/or government, etc.) c. Evidence of Articulation/Transfer agreements with 4 year institutions offering a concentration or IA/Cybersecurity degrees/areas of study/track or certificates d. Evidence of agreements with high schools to facilitate awareness and training for faculty/administration/students Point Value: 2 points per school/6 points maximum e. Sponsorship/participation in Cybersecurity/IA competitions Point Value: 2 points each/6 points maximum f. Community Outreach. Sponsor community events such as cybersecurity education for K-12, adult education centers, senior groups, camps, summer programs, state homeland security, first responders and industry (e.g., Schools in a target region are encouraged to participate in cybersecurity education events, like community computer diagnostic check-ups and IA awareness days) CAE 2Y Criteria Page 3 September 2013
2014 NSA/DHS National CAE 2Y Criteria 2. Center for IA/CD Education. The institution must have a formal organization for use as a resource for faculty and students. The Center should provide program guidance, general IA/CD information and promote collaboration and interaction with other students, faculty, and programs. The Center and website must be operational, dynamic and current. (For the purpose of this document, the word Center is used in a general sense). Overall Point Value: 14 points minimum/20 points maximum a. Show formal documentation of the designation of the IA/CD/Cybersecurity Center and provide a hyperlink to the Center. Point Value: 5 points required b. Demonstrate the Center website is operational, dynamic and current: contains up-to-date links to key IA/CD resources such as other academic institutions, government sites, conferences, workshops, cyber competitions, IA/CD news, center POCs, IA/CD courses, etc. The website must be easy to find and easily accessible. Demonstrate how current and potential students are informed of the website. Point Value: 5 points required c. Provide evidence that subscription-based IA/CD journals are available for student and faculty use on the website. Demonstrate that hyperlinks to key IA/CD websites are provided in course syllabus and/or professors webpage or provided to students during class instruction. /2 points required d. Demonstrate that physical and/or virtual IA/CD labs and equipment are available and used for hands-on learning (provide examples of student lab projects/exercises/case studies syllabus, links to assignments, etc.). /2 points required CAE 2Y Criteria Page 4 September 2013
2014 NSA/DHS National CAE 2Y Criteria 3. IA/CD Student Development. The program provides development opportunities for students that lead to a two year associate s degree or a certificate in an IA/CD discipline. Overall Point Value: 12 points minimum /31 points maximum a. Provide evidence of IA/Cybersecurity degrees/areas of study/track or certificates (e.g., List of IA/Cybersecurity Associates degrees and/or certificates in IA/Cybersecurity curriculum as listed on the institution s website or catalog) b. Demonstrate how the institution provides applied training to students (e.g., Courses containing hands-on or lab training) Point Value: 2 points per course/6 points maximum c. Provide evidence that students who participate sufficiently in the IA/CD curriculum (i.e., take and pass courses that satisfy all of the mandatory KU requirements) will receive a certificate, or a reference to completing the CAE2Y course of study on their transcript and/or degree. Provide evidence in the form of a letter, transcript notation, and/or degree (may be redacted) Point Value: 10 points/students are taking the CAE2Y curriculum path 5 points/students have an opportunity to take the IA/CD path d. Provide evidence that students who participate sufficiently in the IA/CD curriculum for a Focus Area (i.e., take and pass courses that satisfy all of the mandatory KU requirements for that Focus Area) will receive certificate, or a reference to a focus area on their transcript and/or degree (may be redacted). Point Value: 10 points/students are taking the IA/CD curriculum path 5 points/students have the opportunity to take the IA/CD path 4. IA/CD as a Multidisciplinary Science. The institution demonstrates that IA/CD is not treated as a separate discipline, but as a multidisciplinary science with elements of IA/CD knowledge incorporated into various disciplines. Overall Point Value: 10 points minimum/15 points maximum a. Evidence that IA/CD is taught as modules in existing non-ia courses and that nontechnical/non-ia students are being introduced to IA/CD (e.g., business courses teaching Information Security modules, health courses incorporating HIPAA regulations, etc.) b. Evidence that IA/CD programs (certificate and/or degree programs) require non-technical courses of study (e.g., ethics, policy, and business) c. Availability of non-credit/credit professional development courses in IA/CD (e.g., First responders, K-12 teachers) CAE 2Y Criteria Page 5 September 2013
2014 NSA/DHS National CAE 2Y Criteria 5. Practice of IA/Cybersecurity Encouraged Throughout the Institution: The academic program must demonstrate how the institution encourages the practice of IA, not merely that it teaches IA. Overall Point Value: 8 points minimum/20 points maximum a. Provide a link to the institution s IA security plan and/or policies b. Provide evidence of institution designated Information System Security Officer or equivalent. Provide name, position and job description for person or persons responsible for information security. c. Provide evidence of the implementation of the institution IA security plan to encourage IA awareness throughout the campus (e.g., Students, faculty and staff are required to take computer based training or on-line tutorials; a security banner statement present on institution computers; security related help screens are available; institution-wide seminars are held on the importance of IA, etc - 2pts awarded per item). Point Value: 2 points minimum (required)/10 points maximum 6. IA/CD Faculty. Faculty assigned specifically to teach and/or develop IA/CD courses/curriculum/modules. Overall Point Value: 11 points minimum/15 points maximum a. Identify, by name, faculty member with overall responsibility for the IA/Cybersecurity instructional program. Provide evidence, i.e., verification letter and/or job description. Provide link to biography or CV. b. Identify, by name, additional IA/Cybersecurity faculty members teaching IA/Cybersecurity courses within the department that sponsors IA/Cybersecurity programs. Provide link to biography or CV. Point Value: 1 point per faculty/5 points maximum c. Provide evidence in the form of curriculum vitae supporting the faculty member s qualifications to teach IA/Cybersecurity. At least one IA/Cybersecurity faculty member will be expected to be professionally certified with at least one of the IA/Cybersecurity certifications listed under DOD Directive 8570, such as CISSP, CISA, CISM, CEH, etc. (see attached DoD 8570 list). A minimum of 15 hrs of graduate coursework and/or appropriate experience in a related field could be considered in lieu of a professional certification. Note: Can be same individual as 5a/b. CAE 2Y Criteria Page 6 September 2013