Question: What is ABET accreditation, and how does ABET evaluate cybersecurity degree programs?

Answer: ABET is an independent nonprofit organization that provides accreditation to post-secondary programs in science, engineering, and technology. This includes programs specifically in engineering, as well as programs in engineering technologies, the natural and applied sciences, computer science, and cybersecurity. ABET’s Computing Accreditation Commission and Engineering Accreditation Commission grant accreditation to cybersecurity programs that meet specific criteria. While pursuing ABET accreditation is optional for schools that offer cybersecurity programs, ABET accreditation is an indicator that a program has chosen to meet the accreditation standards of a third-party organization whose mission is to prepare students to enter the cybersecurity workforce.

ABET (abet.org), which was founded as the Accreditation Board for Engineering and Technology, but which has operated under the acronym ABET since 2005, accredits undergraduate and graduate programs in science and engineering, encompassing cybersecurity degree programs at the bachelor’s and master’s levels. ABET has 34 member societies whose technical professionals help develop programmatic accreditation standards to ensure program curricula align with the needs of professionals working in the field. The CSAB, The International Council on Systems Engineering (INCOSE), and the IEEE are three societies that lead or co-lead accreditation for cybersecurity programs.

ABET accredits programs through four accrediting commissions, which include:

• The Computing Accreditation Commission (CAC)
• The Engineering Accreditation Commission (EAC)
• The Applied and Natural Science Accreditation Commission (ANSAC)
• The Engineering Technology Accreditation Commission (ETAC)

Bachelor’s in cybersecurity programs with a computer science focus are accredited through the CAC, while EAC accredits cybersecurity bachelor’s and master’s degree programs that focus on cybersecurity engineering. For more information on CAC and EAC accreditation, and the differences between the types of programs that each commission accredits, refer to the sections below.

CAC Accreditation vs. EAC Accreditation

The distinction between CAC-accredited programs and EAC-accredited programs is that the CAC accredits undergraduate programs that have a computer science focus, including bachelor’s programs in cybersecurity, information security, software and systems security, and computer science with concentration or specialization options in cybersecurity. Computer science-oriented cybersecurity programs prepare students to engage in the tactical work of responding to cyber threats, proactively identifying and addressing network security vulnerabilities, and ensuring organizational compliance with cybersecurity regulations.

Meanwhile, EAC accreditation is designed for engineering programs at the bachelor’s and master’s levels, which includes programs in cybersecurity engineering. Cybersecurity engineering is a specific field within cybersecurity that focuses on designing, building, and maintaining the software and hardware systems that protect information systems from cyber threats. While the fields of cybersecurity and cybersecurity engineering overlap, the former is more tactical and centers on computing principles and methods, whereas the latter focuses on building security systems and evaluating them on a more macro level.

CAC is ABET’s primary accreditation commission for undergraduate programs in cybersecurity, and has currently accredited over 30 programs in the US that have a cybersecurity focus. At present, EAC has provided accreditation to six undergraduate programs in cybersecurity engineering in the US. (Note: The EAC has not yet accredited any master’s degrees in cybersecurity engineering.)

CAC Accreditation of Bachelor’s in Cybersecurity Programs

The Computing Accreditation Commission is the primary body within ABET that provides accreditation for cybersecurity programs. To earn CAC accreditation, cybersecurity bachelor’s programs (which includes programs in computer security, information security, information assurance, computer forensics, and other related areas) must require at least 45 credit hours of computing and cybersecurity-specific coursework that covers the following core topics:

• Data Security: Protection of data stores as well as data transfers and processing.
• Software Security: Design, development, use, and assessment of security software that guards sensitive information and networks.
• Component Security: The role that different security components play in a larger security system or network, and how professionals can design, create, test, analyze, repair, and improve these components.
• Connection Security: Maintaining security of the connections between different security components.
• System Security: Managing security systems and understanding their composition as a dynamic network of security connections and components.
• Human Security: Understanding human behavior and its central role in data privacy, data protection, cybersecurity threat prevention, and crisis prevention and intervention.
• Organizational Security: The unique security needs of organizations, and principles of protecting various organizations from cybersecurity threats.
• Societal Security: The societal need for cybersecurity systems, and the impact of cyber threats and cybersecurity on larger society.

In addition to teaching courses that specifically cover the individual topics listed above, CAC-accredited bachelor’s programs in cybersecurity must integrate these topics with discussions of cybersecurity ethics, confidentiality, risk assessments, and systems thinking. Furthermore, programs are required to include at least six credits of advanced mathematics including statistics and discrete mathematics.

EAC Accreditation of Bachelor’s in Cybersecurity Programs

The Engineering Accreditation Commission accredits bachelor’s degree programs in cybersecurity engineering and related areas. To earn and maintain EAC accreditation, bachelor’s degrees in cybersecurity engineering must include at least 45 credits of coursework that cover:

• Discrete and Specialized Mathematics: Algebra, number theory, finite fields, information theory, probability, statistics, and cryptography as they relate to cybersecurity engineering.
• Fundamentals of Cybersecurity Engineering: Engineering principles and concepts that enable students to design, develop, test, analyze, and protect cybersecurity systems, devices, and components (both software and hardware).
• Cybersecurity Components and Systems: Development, analysis, and assessment of cybersecurity components and systems that protect information systems and networks to maintain organizational operations across various industries.
• Information Security Technologies: The use of protective technologies and forensic methods for data protection and threat identification and mitigation.
• Cybersecurity Ethics and Law: Cybersecurity policies and regulations, as well as the ethics and integrity of cybersecurity engineering work.
• Human Behavior and Cybersecurity: Human psychology and behavior, and how they relate to the creation, prevention, and mitigation of cybersecurity threats.

In covering the topics above, EAC-accredited cybersecurity engineering programs must prepare students to apply engineering and information security principles to designing, creating, and implementing security software and hardware for organizations, while also addressing the human elements of security systems and vulnerabilities.

For more information on ABET’s accreditation standards and procedures, and to access their database of accredited programs in both computing/computer science and engineering, refer to their Accreditation Criteria webpage and their Accredited Programs Search Tool, respectively.

---