This free CompTIA SecurityX (CASP+) study guide covers every domain the current CAS-005 exam tests, organized to CompTIA’s official exam objectives.[2] SecurityX is CompTIA’s expert, master-level security certification — it validates the senior practitioner and security-architect skills to architect, engineer, operate, and govern security across complex enterprise environments.
CompTIA rebranded CASP+ as SecurityX in 2024 under its Xpert Series; the current version is CAS-005, which replaced CAS-004. You’ll see “CASP+” and “SecurityX” used interchangeably — they refer to the same advanced credential.
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.
The CAS-005 exam has four domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full security-engineering textbook.
CompTIA SecurityX (CASP+) is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.
SecurityX (CASP+) CAS-005 Exam Snapshot
| Detail | SecurityX / CASP+ (CAS-005) |
|---|---|
| Questions | Maximum of 90 |
| Format | Multiple-choice + performance-based (PBQs) |
| Time | 165 minutes |
| Passing score | Pass/fail only — no numeric scaled cut score |
| Exam code | CAS-005 (current; replaced CAS-004) |
| Also known as | CASP+ — rebranded SecurityX in 2024 (Xpert Series) |
| Delivered by | Pearson VUE (test center or online proctored) |
| Certifying body | CompTIA |
| Recommended prep | ~10 years of IT experience, including 5 in security (not required) |
| Cost | ≈ $509 USD (single voucher, U.S., 2026) |
| Valid for | 3 years — renew with 75 CEUs (CompTIA CE program) |
Two domains dominate. Security Engineering (31%) and Security Architecture (27%) together are 58% of the exam, so invest there first.[2] Study by weight:
Module 1 · Security Engineering & Cryptography
Domain — 31% of the exam, the single largest domain. This is where SecurityX goes deepest: selecting and integrating the right cryptography and secure technologies for a given constraint. You’ll be asked not just what a control is, but which one fits a scenario’s performance, key-management, or assurance needs. Spend the most time here.
1.1 Applied Cryptography
Start with the three primitive families. Symmetric encryption uses one shared key — fast, ideal for bulk data, but key distribution is the hard part. Asymmetric encryption uses a public/private key pair (RSA, ECC) to solve key exchange and enable digital signatures, at the cost of speed. A cryptographic hash function gives you integrity — a one-way, fixed-length digest — and adding a key turns it into an HMAC.
Symmetric encryption: one shared secret key
- AES (the modern standard)
- ChaCha20; 3DES (legacy)
- Fast — bulk data encryption
- Challenge: secure key distribution
Asymmetric encryption: public + private key pair
- RSA, ECC, ElGamal
- Solves key exchange and enables digital signatures
- Slower — used to wrap keys, not bulk data
- Underpins PKI and TLS handshakes
Hashing: one-way, fixed-length digest
- SHA-256, SHA-3 (avoid MD5/SHA-1)
- Provides integrity, not confidentiality
- Irreversible — no key
- HMAC adds a key for authenticity
Real systems combine all three: asymmetric crypto exchanges a symmetric session key, symmetric crypto encrypts the data, and hashing verifies its integrity — exactly what a TLS handshake does. SecurityX rewards choosing the right primitive for the constraint, not memorizing algorithm names.
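The integrity-versus-authenticity distinction above is the one candidates most often blur, so here is an added example (not code from the guide or from CompTIA) using only Python's standard library. It shows that a plain SHA-256 digest travelling with a message can be recomputed by whoever altered the message, while an HMAC tag computed with a shared key cannot; the message text and key are constructed for the demo.

```python
import hashlib
import hmac
import secrets


def sha256_digest(data: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a valid tag for `data`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so tag checks do not leak timing information."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Show why a keyed digest is needed for authenticity, not just integrity."""
    key = secrets.token_bytes(32)                 # shared secret, never sent with the message
    original = b"transfer 100 to account 42"      # constructed sample message
    forged = b"transfer 900 to account 42"        # attacker-modified copy

    # 1. Plain hash: whoever can alter the message in transit can also replace the
    #    digest that travels with it, so the receiver's integrity check still passes.
    attacker_digest = sha256_digest(forged)
    plain_hash_accepts_forgery = sha256_digest(forged) == attacker_digest

    # 2. HMAC: the tag was computed with the key. Without the key the attacker cannot
    #    compute a tag for the forged message, and the original tag no longer matches.
    tag = hmac_tag(key, original)
    return {
        "plain_hash_accepts_forgery": plain_hash_accepts_forgery,  # True
        "hmac_accepts_original": verify_hmac(key, original, tag),  # True
        "hmac_accepts_forgery": verify_hmac(key, forged, tag),     # False
    }


if __name__ == "__main__":
    print(demo())
```

The same reasoning is why a TLS record carries an authentication tag derived from the session key rather than a bare hash: integrity without a key only protects against accidents, not adversaries.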
1.2 PKI, Keys & Hardware
Public key infrastructure (PKI) is the framework that makes public-key crypto usable at scale. A certificate authority (CA) issues and signs digital certificates that bind an identity to a public key; trust chains up to a trusted root. When a key is compromised, the certificate is revoked and the revocation is published via a certificate revocation list (CRL) or checked in real time with OCSP.[2]
1. Key generation: the subject generates a key pair and keeps the private key secret; the public key goes into a certificate signing request (CSR).
2. Request & validation: a Registration Authority (RA) verifies the requester's identity before anything is issued.
3. Issuance: the Certificate Authority (CA) signs and issues the X.509 certificate, binding the identity to the public key.
4. Distribution & use: the certificate is published and used to authenticate, encrypt, and sign — trust chains up to a trusted root CA.
5. Renewal: before expiry, the certificate is renewed or re-keyed so service continuity is maintained.
6. Revocation: if a key is compromised, the CA revokes the certificate and publishes the revocation via a CRL or an OCSP responder so relying parties stop trusting it.
Protect the keys themselves in hardware. A hardware security module (HSM) is a tamper-resistant device that generates and uses keys inside a hardened boundary — keys never leave in plaintext, so even a compromised host can’t extract them (ideal for a root CA’s private key). A trusted platform module (TPM) is the embedded, per-host equivalent for boot integrity and key storage.
| Component | Scope | Primary use |
|---|---|---|
| HSM | Shared, enterprise-grade appliance | High-assurance key generation/storage; PKI root protection |
| TPM | Embedded in one host | Secure boot measurement; hardware-backed local key storage |
| Key escrow | Trusted third party | Recoverable copy of keys for business continuity / legal access |
| CRL / OCSP | PKI revocation | Withdraw trust from a compromised or retired certificate |
1.3 Secure Protocols & Emerging Crypto
Apply crypto through secure protocols: TLS for transport, SSH for remote administration, SFTP/FTPS for file transfer, and IPsec for VPN tunnels. Prefer ephemeral key exchange to gain perfect forward secrecy, so a future key compromise can’t decrypt recorded sessions.
Look ahead to post-quantum cryptography: large quantum computers could break today’s RSA and elliptic-curve crypto, and adversaries can “harvest now, decrypt later.” NIST has standardized PQC algorithms; the SecurityX response is crypto-agility — designing systems so algorithms can be swapped without re-architecting.[6]
Checkpoint · Security Engineering & Cryptography
Sample question: Which cryptographic protocol is best suited for securing communication between web servers and browsers?
Module 2 · Security Architecture
Domain — 27% of the exam. This domain is about designing security into the enterprise: the models and patterns that decide how trust, access, and data flow. The recurring exam idea is layered, assume-breach design — no single control is trusted alone.
2.1 Zero Trust & Defense in Depth
Two principles anchor modern architecture. Zero trust removes implicit trust based on network location and verifies every request on identity, device, and context — “never trust, always verify.”[3] Defense in depth layers overlapping controls so that if one fails, another still protects the asset.
Verify explicitly (every request): authenticate and authorize on identity, device health, location, and context — for every request, every time. No implicit trust from network location.
Least-privilege access (just-enough, just-in-time): grant the minimum access needed, for the minimum time, using risk-based adaptive policies and microsegmentation to shrink the blast radius.
Assume breach (design for compromise): segment to contain, encrypt end to end, monitor continuously, and verify analytics — operate as if an attacker is already inside.
- Layer 1, Data: encryption at rest, DLP, classification, rights management — protect the asset itself.
- Layer 2, Application: secure coding, WAF, input validation, API security, SAST/DAST in the pipeline.
- Layer 3, Host / Endpoint: hardening, EDR, patching, host firewalls, least functionality.
- Layer 4, Network: segmentation, zero trust, firewalls, IPS, NAC, microsegmentation.
- Layer 5, Perimeter & Physical: DMZ, secure gateways, air gaps, facility access controls.
- Layer 6, People & Policy: awareness training, least privilege, governance, and acceptable-use policy.
2.2 Network Architecture & Segmentation
Network segmentation divides the network into isolated zones so traffic between them must pass through controls — limiting lateral movement and shrinking the blast radius of a breach. Microsegmentation takes this to the workload level. A DMZ isolates public-facing services; an air gap is the extreme physical control for the most sensitive systems. Enforce posture at the edge with NAC, IPS, and a WAF for web apps.
| Control | What it does |
|---|---|
| Segmentation / VLAN | Isolates zones so cross-zone traffic passes through controls; limits lateral movement |
| DMZ | Buffer segment between the internal network and untrusted external networks |
| NAC | Admits devices only if they meet security policy (patch level, posture, identity) |
| IPS | Inline detection that actively blocks identified threats (vs. IDS, which only alerts) |
| WAF | Filters and blocks malicious HTTP traffic to/from a web application |
| Air gap | Physical isolation — no network connection at all, for the most sensitive systems |
2.3 Cloud, Hybrid & Data-Centric Security
In the cloud, the shared responsibility model splits duties: the provider secures the cloud infrastructure; you secure your data, identities, and configurations. The split shifts across IaaS, PaaS, and SaaS — and most breaches trace to customer-side misconfiguration, not provider failure. SASE converges networking and security for distributed access.
Protect the data itself. Data loss prevention (DLP) monitors and blocks unauthorized movement of sensitive data across network, endpoint, and storage — but it only works on data you’ve classified. Pair DLP with encryption, rights management, and accurate data classification for a data-centric architecture.
| Service model | Provider secures | Customer secures |
|---|---|---|
| IaaS | Physical, hypervisor, network fabric | OS, apps, data, identities, configuration (the most) |
| PaaS | Up through the runtime/platform | Apps, data, identities, access policy |
| SaaS | Almost everything (app + infra) | Data, user access, and configuration (the least) |
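To make the DLP point tangible, here is an added example (not code from the guide or from any DLP product) of the content-inspection step a DLP engine performs for cardholder data, the PCI DSS category covered later in this guide. It finds candidate card numbers with a pattern, discards false positives with the Luhn check, masks what it finds, and blocks only when such data is headed outside the boundary; the policy, the message text and the destination labels are constructed for the example.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def _digits_of(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers present in the text, separators removed."""
    return [_digits_of(m.group()) for m in PAN_CANDIDATE.finditer(text)
            if 13 <= len(_digits_of(m.group())) <= 19 and luhn_valid(_digits_of(m.group()))]


def mask(digits: str) -> str:
    """Keep only the last four digits, as PCI DSS allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _redact_match(m: re.Match) -> str:
    digits = _digits_of(m.group())
    return mask(digits) if 13 <= len(digits) <= 19 and luhn_valid(digits) else m.group()


def inspect(text: str, destination: str) -> dict:
    """DLP verdict for one message. destination is 'internal' or 'external' (constructed labels)."""
    pans = find_pans(text)
    if not pans:
        return {"verdict": "allow", "pans": 0, "content": text}
    redacted = PAN_CANDIDATE.sub(_redact_match, text)
    if destination == "external":      # cardholder data may not leave the boundary
        return {"verdict": "block", "pans": len(pans), "content": redacted}
    return {"verdict": "allow-redacted", "pans": len(pans), "content": redacted}


if __name__ == "__main__":
    print(inspect("Please charge 4111 1111 1111 1111, exp 12/28", "external"))
    print(inspect("Order 1234 5678 9012 3456 has shipped", "external"))
```

The second sample message contains a 16-digit run that fails Luhn and is therefore allowed through; without that check the engine would generate exactly the kind of false positive that makes analysts switch DLP to monitor-only mode.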
Checkpoint · Security Architecture
Sample question: Which of the following best describes a Zero Trust security model in network architecture?
Module 3 · Security Operations
Domain — 22% of the exam. This domain is the running of security: monitoring and detecting threats, responding to incidents, performing forensics, and validating defenses through testing and teaming. It’s where architecture and engineering meet the live adversary.
3.1 Monitoring, SIEM & Threat Detection
Visibility is everything. A SIEM aggregates and correlates logs from across the enterprise to detect threats and support investigations — but it must be tuned to control false positives and ingest data at scale. SOAR layers automation on top, running playbooks so response is faster and consistent. Use MITRE ATT&CK to map detection coverage and a honeypot to lure and study attackers.[7]
| Capability | SIEM | SOAR |
|---|---|---|
| Primary job | Aggregate, correlate, detect, alert | Automate and orchestrate the response |
| Output | Alerts and investigative context | Executed playbooks and actions |
| Key concern | Tuning false positives; ingestion scale | Playbook quality; safe automation |
| Improves | Detection coverage | Mean time to respond (MTTR) |
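What "correlate" and "tune false positives" mean in practice is easiest to see in a rule. The following is an added example (not code from the guide or from any SIEM vendor) of a classic correlation: several failed logins from one source inside a short window, followed by a success from the same source. The threshold and window are the tuning knobs; the SSH log lines are constructed for the demo and use documentation-reserved addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the constructed sshd-style lines below (timestamp, outcome, user, source address).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

SAMPLE_LOGS = """\
2026-06-20T10:00:01Z sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 51001
2026-06-20T10:00:03Z sshd[912]: Failed password for root from 203.0.113.5 port 51002
2026-06-20T10:00:04Z sshd[913]: Failed password for root from 203.0.113.5 port 51003
2026-06-20T10:00:06Z sshd[914]: Failed password for root from 203.0.113.5 port 51004
2026-06-20T10:00:09Z sshd[915]: Failed password for root from 203.0.113.5 port 51005
2026-06-20T10:00:12Z sshd[916]: Accepted password for root from 203.0.113.5 port 51006
2026-06-20T10:05:00Z sshd[917]: Failed password for alice from 198.51.100.7 port 40001
2026-06-20T10:05:30Z sshd[918]: Accepted password for alice from 198.51.100.7 port 40002
2026-06-20T10:20:00Z sshd[919]: Failed password for bob from 198.51.100.9 port 40010
2026-06-20T10:40:00Z sshd[920]: Failed password for bob from 198.51.100.9 port 40011
"""


def parse(line: str):
    """Normalise one raw line into (timestamp, outcome, user, source); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def correlate(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a source reaches `threshold` failures inside `window` and then succeeds."""
    failures = defaultdict(deque)       # source address -> timestamps of recent failures
    alerts = []
    events = sorted(filter(None, (parse(l) for l in lines)), key=lambda e: e[0])
    for ts, outcome, user, src in events:
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
        elif outcome == "Accepted" and len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "time": ts.isoformat(),
                           "failures": len(recent), "window_minutes": window.seconds // 60})
            recent.clear()                            # one alert per burst, not per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Alice's single typo before a successful login and Bob's two failures twenty minutes apart both stay below the rule, which is the point of the window: the same rule with `window=timedelta(hours=1), threshold=2` would page an analyst for Bob, a tuning decision the SIEM table above calls "key concern".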
3.2 Incident Response & Forensics
CompTIA follows the NIST incident response lifecycle (SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity.[4] In a live incident, containment usually comes first — stop the spread before you eradicate and recover.
- Phase 1, Preparation: build the team, tooling, playbooks, logging, and communication plan before any incident — plus hardening and tabletop exercises.
- Phase 2, Detection & Analysis: identify and validate the incident from SIEM alerts, IoCs, and correlated logs; determine scope and impact.
- Phase 3, Containment, Eradication & Recovery: limit the spread first, then remove the threat (malware, footholds, accounts), and restore systems from a known-good state.
- Phase 4, Post-Incident Activity: lessons learned, root cause analysis, IoC generation, and reporting — improvements feed back into Preparation.
Forensics preserves evidence so it stays admissible: maintain a chain of custody (who handled what, and when), collect by order of volatility (memory and network state before disk), and analyze a hash-verified forensic image rather than the original.
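The two mechanical parts of that sentence, hash-verifying the image and keeping a chain of custody, can be shown in a few lines. This is an added example (not code from the guide or from NIST SP 800-86) in which the image is hashed at acquisition and re-hashed before analysis, and each custody entry commits to the previous entry's hash so that a later edit to the record is detectable. The evidence bytes, handler names and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple:
    """Take a bit-for-bit copy and hash it immediately; all analysis uses the copy."""
    image = bytes(source)            # constructed stand-in for a disk or memory capture
    return image, sha256_hex(image)


def image_matches(image: bytes, recorded_hash: str) -> bool:
    """Re-hash before analysis (and again before court) to prove the image is unchanged."""
    return sha256_hex(image) == recorded_hash


class CustodyLog:
    """Append-only custody record. Each entry's hash covers the previous entry's hash,
    so modifying or deleting any entry breaks verify()."""

    def __init__(self, evidence_id: str, image_hash: str, handler: str, when: datetime):
        self.entries = []
        self._append({"evidence_id": evidence_id, "action": "acquired",
                      "image_sha256": image_hash, "handler": handler}, when)

    @staticmethod
    def _hash_of(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, fields: dict, when: datetime) -> None:
        entry = dict(fields)
        entry["time"] = when.isoformat()
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["entry_hash"] = self._hash_of(entry)
        self.entries.append(entry)

    def transfer(self, from_handler: str, to_handler: str, when: datetime) -> None:
        """Record a hand-off: who gave the evidence to whom, and when."""
        self._append({"action": "transfer", "from": from_handler, "to": to_handler}, when)

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash_of(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    t0 = datetime(2026, 6, 20, 9, 0, tzinfo=timezone.utc)          # constructed timestamps
    image, digest = acquire_image(b"\x00MBR constructed disk contents\xff")
    log = CustodyLog("EV-0001", digest, "examiner-1", t0)
    log.transfer("examiner-1", "evidence-locker", t0.replace(hour=10))
    log.transfer("evidence-locker", "examiner-2", t0.replace(hour=14))
    intact = log.verify() and image_matches(image, digest)
    log.entries[1]["to"] = "unknown"                                   # after-the-fact edit
    return {"intact": intact,
            "after_tamper": log.verify(),
            "image_ok": image_matches(image, digest),
            "altered_image_ok": image_matches(image + b"\x01", digest)}


if __name__ == "__main__":
    print(demo())
```

In a real case the digest would be recorded on the acquisition form and the hashing tool's own output kept, but the checks an examiner performs are exactly these two: does the image still hash to what was recorded, and is the hand-off record complete and unaltered.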
3.3 Testing, Teams & Threat Hunting
Validate defenses through structured exercises. A red team emulates real adversaries; a blue team defends through the SOC; and a purple team integrates the two so each attack finding becomes a durable detection. Go further with threat hunting — the proactive, hypothesis-driven search for adversaries who slipped past your detections, before any alert fires.
- Red Team (offense): emulates real adversaries — performs realistic attacks and penetration tests to find exploitable gaps before attackers do.
- Blue Team (defense): detects, responds, and hardens — runs the SOC, tunes the SIEM, hunts threats, and contains incidents.
- Purple Team (integration): bridges Red and Blue so attack findings immediately improve detections — a function, not always a standing team.
- White Team (governance): sets rules of engagement, referees the exercise, and scores the outcome impartially.
Checkpoint · Security Operations
Sample question: In a security architecture context, what is the role of a Security Information and Event Management (SIEM) system?
Module 4 · Governance, Risk & Compliance
Domain — 20% of the exam. This domain elevates security from technical controls to business decisions: managing risk in dollars and probabilities, governing through policy, and meeting regulatory obligations. It’s the smallest domain, but it’s what makes a senior practitioner.
4.1 Risk Management
Risk management is a continuous cycle: frame, identify, assess, respond, monitor, and report. Once a risk is assessed, you choose a treatment — mitigate (controls), transfer (insurance/contract), accept (within risk appetite), or avoid (stop the activity). Whatever you choose, residual risk must still fall within tolerance.[5]
1. Frame: establish the context — risk appetite, tolerance, and the assets, threats, and regulatory obligations in scope.
2. Identify: enumerate assets, threats, and vulnerabilities — including third-party and supply-chain risk.
3. Assess: determine likelihood and impact (qualitative or quantitative — SLE × ARO = ALE) to rank each risk.
4. Respond: choose a treatment: mitigate (controls), transfer (insurance/contract), accept (within appetite), or avoid (stop the activity).
5. Monitor: track residual risk and control effectiveness continuously as the environment and threat landscape change.
6. Report: communicate risk posture to stakeholders and leadership so they can make informed, accountable decisions.
Quantify where you can. SLE × ARO = ALE gives the annualized loss a control’s cost is justified against — a control is worth it when its annual cost is less than the ALE reduction it delivers. Qualitative (high/medium/low) analysis is faster when precise dollars aren’t available.
| Treatment | What it means | Example |
|---|---|---|
| Mitigate | Apply controls to reduce likelihood or impact | Patch, segment, add MFA |
| Transfer | Shift the financial loss to a third party | Cyber insurance; contractual indemnity |
| Accept | Tolerate it — it's within risk appetite | Document and accept a low-impact risk |
| Avoid | Eliminate the risk by stopping the activity | Retire a risky legacy service entirely |
4.2 Governance & Compliance
Governance turns intent into accountability. Due diligence is investigating and evaluating risk; due care is acting reasonably on that knowledge — diligence is knowing, care is doing, and failing either creates liability. Separation of duties splits sensitive tasks so no one person can complete them alone, preventing fraud. A software bill of materials (SBOM) inventories software components to manage supply-chain risk.[8]
Know the major frameworks and regulations by purpose: GDPR (EU personal-data privacy), PCI DSS (cardholder data), HIPAA (U.S. health data), ISO 27001 and the NIST Cybersecurity Framework (program structure), and CMMI/ITIL (process maturity and service management). The exam tests which applies to a scenario, not memorized clauses.
| Concept / framework | What it governs |
|---|---|
| Due diligence vs. due care | Investigating risk vs. acting reasonably on it |
| Separation of duties | Splitting tasks so no single person can commit fraud alone |
| GDPR | Privacy and personal data of EU residents |
| PCI DSS | Protection of payment-card (cardholder) data |
| ISO 27001 / NIST CSF | Structuring and maturing an information-security program |
| SBOM | Inventorying software components for supply-chain risk |
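An SBOM only manages supply-chain risk if something reads it. As an added example (not code from the guide or from CISA), the following parses a small CycloneDX-format SBOM and checks each component against an advisory list, reporting components below the fixed version and components whose version was never recorded. The SBOM contents, component names and advisory identifiers are constructed placeholders, not real packages or real vulnerabilities; the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed SBOM in CycloneDX JSON layout (bomFormat, specVersion, metadata, components).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "acme-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "acme-json", "version": "1.4.1", "purl": "pkg:pypi/acme-json@1.4.1"},
    {"type": "library", "name": "acme-auth", "version": "2.0.0", "purl": "pkg:pypi/acme-auth@2.0.0"},
    {"type": "library", "name": "legacy-crypt", "purl": "pkg:pypi/legacy-crypt"}
  ]
}"""

# Constructed advisory feed; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "acme-json", "fixed_in": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "acme-auth", "fixed_in": "1.9.0", "severity": "critical"},
]


def version_tuple(version: str) -> tuple:
    """'1.4.1' -> (1, 4, 1); assumes plain dotted numeric versions (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def audit_sbom(sbom_text: str, advisories: list) -> list:
    """Return one finding per affected or unidentifiable component."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            # A component you cannot version is a component you cannot assess.
            findings.append({"component": name, "issue": "no version recorded", "severity": "unknown"})
            continue
        for adv in by_name.get(name, []):
            if version_tuple(version) < version_tuple(adv["fixed_in"]):
                findings.append({"component": f"{name}@{version}", "issue": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

The second advisory produces no finding because the shipped version is already past the fix, while the unversioned third component is reported as an inventory defect; in a pipeline, either kind of finding is what turns the SBOM from a compliance artifact into a control.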
Checkpoint · Governance, Risk & Compliance
Sample question: What is the primary purpose of conducting a security gap analysis in an organization?
How to Use This SecurityX (CASP+) Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Security Engineering (31%) and Security Architecture (27%) are nearly 60% of the exam — start there, then Security Operations and Governance, Risk and Compliance.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Practice the PBQs. Performance-based questions reward hands-on skill — configuring controls, analyzing logs, and modeling threats, not just definitions.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until you can handle complex, scenario-level questions confidently.
SecurityX (CASP+) Concept Questions
Core SecurityX concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
SecurityX (CASP+) Glossary
The high-yield SecurityX terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- AES
- Advanced Encryption Standard — the modern, widely trusted symmetric block cipher used for bulk data encryption.
- Air gap
- A physical control isolating a system or network so it has no connection to other networks, used for the most sensitive environments.
- ALE
- Annualized Loss Expectancy — SLE × ARO; the expected yearly loss a control's cost is justified against.
- ARO
- Annualized Rate of Occurrence — how many times per year a given loss event is expected to happen.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC) — solves key exchange and enables digital signatures, but is slower than symmetric.
- Blue team
- A defensive security team that detects, responds to, and hardens against attacks through the SOC.
- CA
- Certificate Authority — the trusted entity in a PKI that signs and issues digital certificates and can revoke them.
- Chain of custody
- The documented, unbroken record of who handled evidence and when — what keeps it admissible in legal proceedings.
- CRL
- Certificate Revocation List — a published list of certificates a CA has revoked before their expiry.
- Crypto-agility
- Designing systems so cryptographic algorithms can be swapped out without re-architecting — essential for the post-quantum transition.
- Cryptographic hash function
- A one-way function mapping input to a fixed-length, irreversible digest (e.g., SHA-256) — provides integrity, not confidentiality.
- Defense in depth
- Layering multiple, overlapping controls (data, app, host, network, perimeter, people) so that if one fails, others still protect the asset.
- Diffie-Hellman
- A key-exchange algorithm letting two parties derive a shared secret over an insecure channel; the ephemeral variant provides forward secrecy.
- Digital certificate
- An X.509 document binding a verified identity to a public key, signed by a CA so relying parties can trust the key.
- DLP
- Data Loss Prevention — monitoring and blocking unauthorized movement of sensitive data across network, endpoint, and storage based on classification.
- DMZ
- Demilitarized Zone — a network segment placed between the internal network and untrusted external networks to host public-facing services.
- Due care
- The reasonable actions and controls a prudent organization implements based on its due-diligence findings.
- Due diligence
- The investigation and ongoing evaluation of risk involved in a decision, such as a vendor or acquisition.
- GDPR
- General Data Protection Regulation — the EU law protecting the privacy and personal data of EU residents.
- HMAC
- Hash-based Message Authentication Code — a hash combined with a secret key to provide both integrity and authenticity of a message.
- Honeypot
- A decoy system designed to lure, detect, and analyze attackers, diverting them from real assets and revealing their techniques.
- HSM
- Hardware Security Module — a tamper-resistant device that generates, stores, and uses cryptographic keys inside a hardened boundary; keys never leave in plaintext.
- Incident response lifecycle
- NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
- IPS
- Intrusion Prevention System — inline monitoring that actively blocks identified threats, unlike an IDS, which only alerts.
- Microsegmentation
- Segmentation pushed down to individual workloads or hosts, enforcing zero-trust policy at a fine granularity.
- MITRE ATT&CK
- A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
- NAC
- Network Access Control — controls device access to the network based on compliance with security policy (patch level, posture, identity).
- Network segmentation
- Dividing a network into isolated zones (VLANs, subnets, microsegmentation) so traffic between them passes through controls, limiting lateral movement.
- OCSP
- Online Certificate Status Protocol — a real-time query to check whether a single certificate has been revoked, instead of downloading a full CRL.
- Order of volatility
- Collecting evidence most-volatile-first (memory, network state) before less-volatile data (disk) so nothing is lost.
- Perfect forward secrecy
- Use of ephemeral session keys so that compromise of a long-term private key cannot decrypt previously recorded sessions.
- PKI
- Public Key Infrastructure — the CAs, RAs, and policies that create, distribute, validate, and revoke digital certificates binding identities to public keys.
- Post-quantum cryptography
- Algorithms designed to resist attacks by large quantum computers, which could break today's RSA and elliptic-curve cryptography.
- Purple team
- A function that integrates Red and Blue teams so attack findings immediately improve detections.
- Red team
- An offensive security team that emulates real adversaries to find exploitable gaps before attackers do.
- Residual risk
- The risk that remains after a chosen treatment (mitigate, transfer, accept, avoid) has been applied.
- Risk appetite
- The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by leadership.
- SASE
- Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into one cloud-delivered service.
- SBOM
- Software Bill of Materials — a machine-readable inventory of every component and dependency in software, key to supply-chain risk.
- Separation of duties
- Splitting a sensitive task across multiple people so no single person can complete it alone, preventing fraud.
- Shared responsibility model
- The cloud security split where the provider secures the cloud infrastructure and the customer secures their data, identities, and configurations.
- SIEM
- Security Information and Event Management — aggregates and correlates logs across the enterprise to detect threats, alert, and support investigations.
- SLE
- Single Loss Expectancy — the monetary loss from one occurrence of a risk (asset value × exposure factor).
- SOAR
- Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
- SOC
- Security Operations Center — the team and facility that monitors, detects, and responds to security events around the clock.
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting — fast and ideal for bulk data (e.g., AES), but key distribution is the challenge.
- Threat hunting
- The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
- TPM
- Trusted Platform Module — a chip embedded in a host for secure boot integrity measurement and hardware-backed key storage.
- WAF
- Web Application Firewall — filters, monitors, and blocks HTTP traffic to and from a web application to defend against web attacks.
- Zero trust
- A security model that removes implicit trust based on network location and verifies every request on identity, device, and context — 'never trust, always verify.'
SecurityX (CASP+) Study Guide FAQ
The SecurityX CAS-005 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. The PBQs are hands-on simulations (configuring controls, analyzing logs, modeling threats), so manage your time and consider saving them for last.
There is no numeric passing score. CompTIA scores CAS-005 on a pass/fail basis only — it publishes no scaled cut score. You either demonstrate mastery across the four domains or you don't, which is why broad, scenario-level competence matters more than chasing a percentage.
CompTIA rebranded the CASP+ certification as SecurityX in 2024 as part of its Xpert Series of expert-level credentials. The exam is the same advanced security practitioner certification; the current version is CAS-005, which launched in December 2024 and replaced CAS-004. You'll still see both 'CASP+' and 'SecurityX' used interchangeably.
There are four domains: Security Engineering (31%), Security Architecture (27%), Security Operations (22%), and Governance, Risk, and Compliance (20%). Security Engineering and Security Architecture together are nearly 60% of the exam, so master applied cryptography, secure architecture, and zero trust first.
Study by weight. Security Engineering (31%) and Security Architecture (27%) are almost 60% of the exam, so master applied cryptography, PKI, zero trust, segmentation, and cloud architecture first, then Security Operations and Governance, Risk and Compliance. Read each module, take the checkpoint, and drill gaps with our free practice test and flashcards.
A single SecurityX (CAS-005) exam voucher is about $509 in the United States (Pearson VUE, 2026); prices vary by region and bundle. Always confirm the current price on CompTIA's store before you buy, as promotions and voucher-plus-training bundles change.
The certification is valid for three years. You renew through CompTIA's Continuing Education (CE) program by earning 75 Continuing Education Units (CEUs) over the three years, plus the annual CE fee. Because SecurityX is CompTIA's top-tier security cert, it does not renew lower certs the way a stacked path would in reverse.
Security+ is the baseline cybersecurity certification; CySA+ is the analyst-level credential focused on detection and response; PenTest+ focuses on offensive testing. SecurityX (CASP+) is the expert, master-level certification above all of them — it validates the senior practitioner and security-architect skills to design, engineer, and govern security across complex enterprise environments. CompTIA recommends roughly 10 years of IT experience, including 5 in security, before attempting it.
SecurityX is CompTIA's most advanced security exam — the challenge is applying broad, senior-level knowledge to complex enterprise scenarios and the hands-on PBQs, not rote memorization. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are all 100% free with no account required.
References
1. CompTIA. “CompTIA SecurityX (CASP+) Certification.” comptia.org.
2. CompTIA. “SecurityX (CAS-005) Exam Objectives.” comptia.org.
3. National Institute of Standards and Technology. “SP 800-207, Zero Trust Architecture.” csrc.nist.gov.
4. National Institute of Standards and Technology. “SP 800-61, Computer Security Incident Handling Guide.” csrc.nist.gov.
5. National Institute of Standards and Technology. “SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.” csrc.nist.gov.
6. National Institute of Standards and Technology. “Post-Quantum Cryptography Project.” csrc.nist.gov.
7. The MITRE Corporation. “MITRE ATT&CK.” attack.mitre.org.
8. Cybersecurity and Infrastructure Security Agency. “Software Bill of Materials (SBOM).” cisa.gov.
101. National Institute of Standards and Technology (NIST). “Public Key Infrastructure (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
102. National Institute of Standards and Technology (NIST). “Hardware Security Module (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
103. National Institute of Standards and Technology (NIST). “Cryptographic Hash Function (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
104. National Institute of Standards and Technology (NIST). “Perfect Forward Secrecy (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
105. National Institute of Standards and Technology (NIST). “Network Segmentation (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
106. National Institute of Standards and Technology (NIST). “Data Loss Prevention (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
107. National Institute of Standards and Technology (NIST). “Security Information and Event Management (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
108. National Institute of Standards and Technology (NIST). “Chain of Custody (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
109. National Institute of Standards and Technology (NIST). “Separation of Duties (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.

Career Employer
Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.