Security Certification Rules Could Shake Up IT Management
Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget.
- By William Jackson
- June 25, 2008
Requirements for professional security certification for IT workers in civilian
agencies, now being readied by the Office of Management and Budget (OMB), would
have a major impact on how government and industry recruit, train and manage
their IT staffs, a security expert said Wednesday.
"They are going to affect every one of us in the field," contractors and
government employees alike, said George Datesman, a senior manager at Noblis Inc.,
a nonprofit high-tech consultant.
Datesman -- who holds a master's degree in criminology and has 30 years' experience
in law enforcement, including a stint with the Justice Department -- said at
a Digital Government Institute conference on cybersecurity that OMB is finalizing
minimum requirements for professional certification. He had no time frame for
As IT security has become professionalized, a number of certifications have
achieved general recognition industrywide, including a suite from the International
Information Systems Security Certification Consortium (ISC2). ISC2 maintains
and administers examinations for:
- CISSP: Certified Information Systems Security Professional
- ISSEP: Information Systems Security Engineering Professional
- ISSAP: Information Systems Security Architecture Professional
- SSCP: Systems Security Certified Practitioner
Organizations awarding certifications would have to be accredited to meet a
federal mandate. Datesman likened the situation to the law-enforcement field,
which still is sorting out how to fully implement requirements for increased
professional training and education 30 years after the movement began. Not only
would there be new hiring requirements, there also could be increased responsibility
and legal liability for workers and their employers.
"This is a change we have not faced in the IT security industry before,"
The closest parallel has been in the Defense Department, which anticipated
OMB's reaction in this area. The DOD's Directive 8570 on information assurance,
approved in December 2005, requires all of the department's information assurance
workers to obtain an accredited commercial certification in computer security.
The DOD has approved 13 certifications for the directive.
The DOD requirement already has thrown what one conference attendee called
a giant monkey wrench into the IT security manpower market.
"If OMB issues a similar requirement, it's going to throw the supply-and-demand
curve even more out of balance," he said.
Datesman agreed, saying it probably would take years for the supply of certified
workers to catch up with demand. A CISSP certification, for example, requires
five years' experience. "You don't mint them out of college," he said.
The requirement is likely to drive up the cost of recruiting professionals,
not only in government but among government contractors, who also would have
to meet the requirements in staffing government contracts. Government contract
language also would have to change to reflect the requirements.
Other practical considerations would be the need to formally define IT security
roles and jobs and spell out the knowledge, skills and abilities needed for
each. Certification and training also would have to be verified by employers,
possibly creating a backlog much like that for background checks in issuing
personal-identity verification cards to government workers and contractors under
Homeland Security Presidential Directive 12.
No amount of education and certification will completely fulfill the need for
IT security professionalism, Datesman said.
"When we did this in law enforcement 30 years ago, what we learned was
that 60 percent of what they needed to know is learned on the job," he
William Jackson is the senior writer for Government Computer News (GCN.com).