News

Security Certification Rules Could Shake Up IT Management

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget.

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget (OMB), would have a major impact on how government and industry recruit, train and manage their IT staffs, a security expert said Wednesday.

"They are going to affect every one of us in the field," contractors and government employees, said George Datesman, a senior manager at Noblis Inc., a nonprofit high-tech consultant.

Datesman -- who holds a master's degree in criminology and has 30 years experience in law enforcement, including a stint with the Justice Department -- said at a Digital Government Institute conference on cybersecurity that OMB is finalizing minimum requirements for professional certification. He had no time frame for their release.

As IT security has become professionalized, a number of certifications have achieved general recognition industrywide, including a suite from the International Information Systems Security Certification Consortium (ISC2). ISC2 maintains and administers examinations for:

  • CISSP: Certified Information Systems Security Professional
  • ISSEP: Information Systems Security Engineering Professional
  • ISSAP: Information Systems Security Architecture Professional
  • SSCP: Systems Security Certified Practitioner

Organizations awarding certifications would have to be accredited to meet a federal mandate. Datesman likened the situation to the law-enforcement field, which still is sorting out how to fully implement requirements for increased professional training and education 30 years after the movement began. Not only would there be new hiring requirements, there also could be increased responsibility and legal liability for workers and their employers.

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply-and-demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification, for example, requires five years' experience. "You don't mint them out of college," he said.

The requirement is likely to drive up the cost of recruiting professionals, not only in government but among government contractors, who also would have to meet the requirements in staffing government contracts. Government contract language also would have to change to reflect the requirements.

Other practical considerations would be the need to formally define IT security roles and jobs and spell out the knowledge, skills and abilities needed for each. Certification and training also would have to be verified by employers, possibly creating a backlog much like that for background checks in issuing personal-identity verification cards to government workers and contactors under Homeland Security Presidential Directive 12.

No amount of education and certification will completely fulfill the need for IT security professionalism, Datesman said.

"When we did this in law enforcement 30 years ago, what we learned was that 60 percent of what they needed to know is learned on the job," he said.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.