News

Security Certification Rules Could Shake Up IT Management

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget.

• By William Jackson
• June 25, 2008

"They are going to affect every one of us in the field," contractors and government employees, said George Datesman, a senior manager at Noblis Inc., a nonprofit high-tech consultant.

Datesman -- who holds a master's degree in criminology and has 30 years experience in law enforcement, including a stint with the Justice Department -- said at a Digital Government Institute conference on cybersecurity that OMB is finalizing minimum requirements for professional certification. He had no time frame for their release.

As IT security has become professionalized, a number of certifications have achieved general recognition industrywide, including a suite from the International Information Systems Security Certification Consortium (ISC2). ISC2 maintains and administers examinations for:

• CISSP: Certified Information Systems Security Professional
• ISSEP: Information Systems Security Engineering Professional
• ISSAP: Information Systems Security Architecture Professional
• SSCP: Systems Security Certified Practitioner

Organizations awarding certifications would have to be accredited to meet a federal mandate. Datesman likened the situation to the law-enforcement field, which still is sorting out how to fully implement requirements for increased professional training and education 30 years after the movement began. Not only would there be new hiring requirements, there also could be increased responsibility and legal liability for workers and their employers.

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply-and-demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification, for example, requires five years' experience. "You don't mint them out of college," he said.

The requirement is likely to drive up the cost of recruiting professionals, not only in government but among government contractors, who also would have to meet the requirements in staffing government contracts. Government contract language also would have to change to reflect the requirements.

Other practical considerations would be the need to formally define IT security roles and jobs and spell out the knowledge, skills and abilities needed for each. Certification and training also would have to be verified by employers, possibly creating a backlog much like that for background checks in issuing personal-identity verification cards to government workers and contactors under Homeland Security Presidential Directive 12.

No amount of education and certification will completely fulfill the need for IT security professionalism, Datesman said.

"When we did this in law enforcement 30 years ago, what we learned was that 60 percent of what they needed to know is learned on the job," he said.