Cisco Announces Changes to CCNP Security

Voted Number 1 Future Technology Area in a Survey of CCIEs

Cisco announced changes to the CCNP Security certification track today, in addition to the big changes to CCNA and CCNP Voice. (Yes, Cisco is changing the name from CCSP to CCNP Security.) At first glance, the changes almost seem minor - no changes to CCNA Security, still four exams, with names that look like the same topics as the old CCSP. Cisco claims the associated courses have changed quite a bit, along with the exams. Regardless, the biggest change may well be the addition of solid study resources by Cisco Press.

Quick Links:

Main CCNP Security page at

Main CCNP Security page at the Cisco Learning Network

Transition Exam Paths - Tool to find out what combinations work

Exam Changes:

CCSP remains a 4-exam certification with these changes, but now with no electives. The old CCSP had three required exams: SNRS (router/switch security), SNAF (Firewall fundamentals), and IPS (uhhh... about IPS). Cisco has updated all three of these exams, renaming two, creating the SECURE, Firewall, and IPS, exams, respectively.

Besides the three required exams, the old CCSP then also required one additional elective exam, with three choices. The new CCNP Security removes the options, and simply requires one new exam: the VPN 642-647 exam. 

The one new exam, the VPN 642-437 exam (the full name is Deploying Cisco ASA VPN Solutions (VPN 1.0), has some similarities to the former advanced firewall exam (SNAA, 642-525). Note that the full name does include ASA, Cisco's firewall product series. The older SNAA exam covered some non-VPN topics, but also covered IPSec and SSL VPNs as implemented on an ASA firewall. The new VPN exam includes these topics, and expands VPN coverage.

After seeing these changes, I wondered if there was much of a story here. CCNA Security doesn't change, three of the four exams are obviously upgrades from earlier exams, and the new VPN exam has obvious similarities to the SNAA exam. So I asked Fred Weiller, Director of Marketing for Learning@Cisco, and Tejas Vashi, Senior Manager Responsible for Product Management for Learning@Cisco, if they could give me a wild guess about the amount of the change in these exams (and courses). Surprisingly, they said about 50%. To be fair, it was indeed a guess. That tells me these new exams aren't just version upgrades to the old similar exams. I'm looking forward to digging in to the books once they reach the market and getting a closer look at what the changes.

Aside: the version numbering in the official exam names matches the idea that these exams have gone through big changes. Three exams (SECURE, FIREWALL, and VPN) have a 1.0 version number in the official exam names, treating these as totally new exams. The new IPS exam lists a version 7.0, with the old exam as V6.0.

Another interesting related fact I heard while talking to Fred and Tejas was that in a recent survey of CCIEs, Cisco asked what technology areas the CCIEs thought would be the best place to focus for career growth. The answer: Risk Assessment and Security. As a result, Cisco really looked hard at the role of a network security engineer, and Cisco sees that role as one where the engineer takes the ball at the risk assessment stage, gathers requirements, builds and tests prototypes, deploys, verifies it is working, and troubleshoots the problems after deployment. (Whew!)

Transition Plan

As usual, Cisco will have a transition period in which the old exams still exist, and the new exams also exist. The big date of note appears to be April 8, 2011 - the (currently-posted) last exam date for several of the old CCSP exams. You can always pass all the old exams before they go away, or wait and pass all the new exams. The interesting cases happen when you want to use some old and some new exams.

While the new CCNP Voice transition path is clear and obvious, the CCSP to CCNP Security transition is a bit messier due to the CCSP electives. Rather than try to list it as a buch of if..then..else statements here, just use Cisco's tool that tells you what else you need to take if you've passed one of the old CCSP Exams.

Cisco Press Publication Plan

The biggest news with this cert might not be the exam changes made by Cisco, but the improved study resources from Cisco Press. For the old CCSP exams, Cisco Press published Quick Reference products for the four CCSP exams (SNRS, SNAF, IPS, and SNAA), plus some general technology products for the other two elective exams. Cisco Press will publish both Quick Reference products and Official Certification Guides for each of the four new CCSP Security exams.

It may be useful to consider some background on the style of products. The Quick Refs, a downloaded PDF, summarize reference info for each exam, about 100 pages (+-50%). The Official Certification Guides (OCG) is the new naming convention for what Cisco Press used to call Exam Certification Guides - print books with around 500 pages on average (don't know how big these new CCSP books will be). These books will have assessment questions, review tools, and other exam prep tools.

Finally, Cisco Press makes an electronic version of these OCGs available early, for those who don't want to wait for the printed book, in a format called Rough Cuts. It's a download of the book, but before some of the final editing is done. So, it's rough... but you get it early.

So, here are the currently planned date ranges (varies slightly from product to product):

OCG Rough Cut dates (planned): December 2010

OCG Print dates (planned): April 2011

Quick Ref dates (planned): Jan 2011

Click here to see a list of the CCSP Official Certification Guide and Quick Reference products. Note that the links may not be available immediately on announcement day, so I've linked to a page on my web site. I'll update those links in one place as they become available. Finally, on the full disclosure front: while I haven't written any of these CCNP Security books, I do have an indirect interest in seeing Cisco Press succeed.

Quick Opinions

What do you think? Hoorah, ho hum, oh no?

I personally see it as cleaner, and I like that.

I can't tell whether the new CCNP Security is more or less difficult than CCSP, but having more book resources available will hopefully help.

Hmmm... CCNP has a TSHOOT exam. CCNP Voice has a TVOICE exam (troubleshooting voice). CCNP Security has troubleshooting spread over the four courses/exams. I don't know that it matters, but I find it interesting.

Cisco's October Certification Announcements:

Cisco Announces Changes to CCNP Voice

Cisco Adds Another Exam to CCNA Voice

Cisco Announces Changes to CCNP Security

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10