Security certs required for IT staff soon says US gov

astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
Security Certification Rules Could Shake Up IT Management
June 25, 2008 • by William Jackson

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget (OMB), would have a major impact on how government and industry recruit, train and manage their IT staffs, a security expert said Wednesday.

"They are going to affect every one of us in the field," contractors and government employees, said George Datesman, a senior manager at Noblis Inc., a nonprofit high-tech consultant.

Datesman -- who holds a master's degree in criminology and has 30 years experience in law enforcement, including a stint with the Justice Department -- said at a Digital Government Institute conference on cybersecurity that OMB is finalizing minimum requirements for professional certification. He had no time frame for their release.

As IT security has become professionalized, a number of certifications have achieved general recognition industrywide, including a suite from the International Information Systems Security Certification Consortium (ISC2). ISC2 maintains and administers examinations for:

* CISSP: Certified Information Systems Security Professional
* ISSEP: Information Systems Security Engineering Professional
* ISSAP: Information Systems Security Architecture Professional
* SSCP: Systems Security Certified Practitioner

Organizations awarding certifications would have to be accredited to meet a federal mandate. Datesman likened the situation to the law-enforcement field, which still is sorting out how to fully implement requirements for increased professional training and education 30 years after the movement began. Not only would there be new hiring requirements, there also could be increased responsibility and legal liability for workers and their employers.

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply-and-demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification, for example, requires five years' experience. "You don't mint them out of college," he said.

The requirement is likely to drive up the cost of recruiting professionals, not only in government but among government contractors, who also would have to meet the requirements in staffing government contracts. Government contract language also would have to change to reflect the requirements.

Other practical considerations would be the need to formally define IT security roles and jobs and spell out the knowledge, skills and abilities needed for each. Certification and training also would have to be verified by employers, possibly creating a backlog much like that for background checks in issuing personal-identity verification cards to government workers and contactors under Homeland Security Presidential Directive 12.

No amount of education and certification will completely fulfill the need for IT security professionalism, Datesman said.

"When we did this in law enforcement 30 years ago, what we learned was that 60 percent of what they needed to know is learned on the job," he said.

Source: http://redmondmag.com/news/rss.asp?editorialsid=10000
Interesting and especially relevant if you plan on working for the government or a government contractor in the US.

Comments

  • KasorKasor Member Posts: 933 ■■■■□□□□□□
    I was a ex-Fed IT guys. If the Govn't start to hire the right person to fix their IT issue in the beginning, this process will cut 50% the time that need to get done.

    If the freaking process don't take that long, the Fed can hire the right person for the right job.

    The Fed need to get rid off all the old manager that don't want to adapt and make change. I worked with a GS-14 before and he know nothing about IT management. Not surprising...!

    Most likely more than half of the Fed IT workforce will not even pass MCSA or MCSE! And they want them to pass CISSP...! We definitely need a new Fed CIO because the current CIO = Career Is Over.
    Kill All Suffer T "o" ReBorn
  • TalicTalic Member Posts: 423
    Sounds like they are attempting to get ready to go to cyber war with China icon_twisted.gif

    I think "require" is a bit to strong to do, rather tell someone that you need to get this and this before this deadline since it takes hands on experience to actually learn.

    edit: what do those certifications require you to know before you take them? Are they for configuring firewalls or something else?
  • mysql1988mysql1988 Member Posts: 115
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    DoD 8570.01 also means the price of certifications will be going up and up because of the demand. Look at how the Security+ has gone up in price since DoD 8570.01 was first published in 2005. With the latest addendum to DoD 8570.01-M in May 2008, better certify now before the gov'ment pricing takes effect!
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    JDMurray wrote:
    DoD 8570.01 also means the price of certifications will be going up and up because of the demand. Look at how the Security+ has gone up in price since DoD 8570.01 was first published in 2005. With the latest addendum to DoD 8570.01-M in May 2008, better certify now before the gov'ment pricing takes effect!
    Fair enough, maybe I'll have a look at taking that guy in the fall.
  • SieSie Member Posts: 1,195
    Hmm.... Wonder if the UK will adopt this?....

    Time to get some security certs added to go with clearance.
    Foolproof systems don't take into account the ingenuity of fools
  • Vassago68Vassago68 Member Posts: 49 ■■□□□□□□□□
    JD, You beat me to the punch, I was about to post the same thing.

    Pretty much by the end of this fiscal year going into next they want all persons with at least A+, N+ and Sec+. In an effort to help out (since majority of the people working for the gov are ex military) most units are trying to get their 25B's to meet that standard. Course, that is proving to be difficult with the deployment rotations throwing wrenches in everything.
  • pwjohnstonpwjohnston Member Posts: 441
    As of about April everyone at our office is required to have Security+ by . . . . . . 2010. Hahaha.
    Most here don't even have A+ or N+, let alone MCSA or MCSE. People with the MCDST are considered an advanced user in our dept.

    Gotta love the gov'ment.
  • cbigbrickcbigbrick Member Posts: 284
    I have worked with some govenment employees that are dumb as rocks and make me cringe when they suggest something. But then again I have worked with some that are extremely smart and quick. But over all I think it's a step in the right direction for IT in US government. The company I am currently work for as mandated that anyone on a DHS contact must have their CISSP by 2009 or within a year of starting. That's fine by me.

    DOD had started something similar back in 2005/2006 with the Security+ exam for personal working in IT Security.
    And in conclusion your point was.....???

    Don't get so upset...it's just ones and zeros.
  • KasorKasor Member Posts: 933 ■■■■□□□□□□
    Passing certification, working toward experience and a IT guru are something the Feb will never understand....

    This will bring another stupid issues, they called "OPM"
    Kill All Suffer T "o" ReBorn
  • ironlungironlung Member Posts: 97 ■■□□□□□□□□
    I heard this from my security Instructor a while back I guess it is going to happen.It makes sense in a way.
    Sometimes you just gotta bite the bullet.
  • brad-brad- Member Posts: 1,218
    Does anyone know if Sec+ will suffice for this requirement?
  • oldbarneyoldbarney Member Posts: 89 ■■□□□□□□□□
    I believe, although could be wrong, that Security+ currently meets some DoD requirements for its civilian contractors in certain positions. At least, that's how the structure was explained to me when I worked as a DoD contractor a few years back. As a matter of fact, A+ and Network+ qualifies a member as "Tech I" while Security+ qualifies for "Tech II" and "Management I" under the DoD guidelines. This is DoD only. Your mileage may vary with other government agencies.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    From the 8570.01 chart it looks like Security+ with CISSP is the sweet cert combo to have.
  • mog27mog27 Member Posts: 302
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin

    "The internet is a great way to get on the net." --Bob Dole
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    mog27 wrote:
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    Certs aren't valuable based upon how many people do or don't have a cert, or how difficult a cert is to achieve. A cert's value is instead determined by how necessary and desirable it is for increasing personal credibility and employment prospects.

    DoD 8570.01 makes several certs more necessary and desirable, which increases their value (and is also a reason to increase their cost of achieving). The value of a cert is hurt by the ease in which it may be obtained by presenting a very easy exam (e.g., the A+ exam with adaptive testing) or by cheating. These factors are mitigated by the cert vendor applying stronger controls to awarding the cert (as the (ISC)2 as recently done).

    Unless there is a major improvement in cert-exam-cheating technology, I think this (very slow) push by the DoD will only increase the value of the certs listed in 8570.01. And I'm sure the cert vendors themselves are banking on this too.
  • LarryDaManLarryDaMan Member Posts: 797
    JDMurray wrote:
    mog27 wrote:
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    "Certs aren't valuable based upon...how difficult a cert is to achieve..."

    "The value of a cert is hurt by the ease in which it may be obtained..."

    Maybe I misunderstood the context, but those seem statements seem to contradict eachother. Certs, like anything else work on supply and demand, but I understand and agree with the premise of the orginal question.

    Currently, the CISSP is still somewhat rare and revered in terms of mainstream certifications, but if every other Tom, Dick, and Harry have it...it will in a sense lose value.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    larrydaman wrote:
    JDMurray wrote:
    mog27 wrote:
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    "Certs aren't valuable based upon...how difficult a cert is to achieve..."

    "The value of a cert is hurt by the ease in which it may be obtained..."

    Maybe I misunderstood the context, but those seem statements seem to contradict eachother. Certs, like anything else work on supply and demand, but I understand and agree with the premise of the orginal question.

    Currently, the CISSP is still somewhat rare and revered in terms of mainstream certifications, but if every other Tom, Dick, and Harry have it...it will in a sense lose value.

    How is every Tom, Dick, and Harry going to obtain it? The CISSP has been hot for awhile, but people aren't rushing to it. It's a difficult exam that has pretty hefty requirements. I don't see how requiring more of them is going to do anything but make it more valuable.

    I think what JD was saying is that there's more to an exam than its difficulty. I could make a really difficult exam, but that wouldn't mean it was valuable. However, even if the content of an exam is good, too many people easily picking it up will decrease it's value.
  • LarryDaManLarryDaMan Member Posts: 797
    dynamik wrote:
    larrydaman wrote:
    JDMurray wrote:
    mog27 wrote:
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    "Certs aren't valuable based upon...how difficult a cert is to achieve..."

    "The value of a cert is hurt by the ease in which it may be obtained..."

    Maybe I misunderstood the context, but those seem statements seem to contradict eachother. Certs, like anything else work on supply and demand, but I understand and agree with the premise of the orginal question.

    Currently, the CISSP is still somewhat rare and revered in terms of mainstream certifications, but if every other Tom, Dick, and Harry have it...it will in a sense lose value.

    How is every Tom, Dick, and Harry going to obtain it? The CISSP has been hot for awhile, but people aren't rushing to it. It's a difficult exam that has pretty hefty requirements. I don't see how requiring more of them is going to do anything but make it more valuable.

    I think what JD was saying is that there's more to an exam than its difficulty. I could make a really difficult exam, but that wouldn't mean it was valuable. However, even if the content of an exam is good, too many people easily picking it up will decrease it's value.

    Good points. Tom, Dick, and Harry will have a tough time passing the test for sure. Maybe I was over-analyzing JD's post... I sure hope the CISSP isn't devalued, because I plan on being one in October!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

    There really is a lot more to 8570 than this little blurb, and also includes statements such as "In addition to the baseline IA certification requirement for their level, IATs with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) and/or security related tools/devices they support as required by their employing organization."

    So in addition to all the focus on Sec+ and CISSP, if you work as a Helpdesk Tech in a Windows environment, you may need to be MCDST certified (or 70-270 or Vista, whatever you support). If you are a Network Tech, you may need CCNA. Just a firewall administrator? Okay, maybe you need the CCSP if it's an ASA, or maybe you need to be certified by Secure Computing to manage a Sidewinder. There are lots of possibilities here. As a DoD contractor, our company is working with the government staff at our locations to come up with an agreement on minimum certifications based on job positions and responsibilities for each location, as requirements are somewhat open to interpretation. In all, this is a good thing. It got some of our lazy techs off their butts and away from surfing the web all day to actually reading/studying.

    PS - Thanks for the link JD, I can never find that thing when I'm not at work. icon_lol.gif
    All things are possible, only believe.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    larrydaman wrote:
    JDMurray wrote:
    mog27 wrote:
    Will this in any way devalue the CISSP certification since it is being required by the DoD? More and more people will be getting their CISSP now.
    "Certs aren't valuable based upon...how difficult a cert is to achieve..."

    "The value of a cert is hurt by the ease in which it may be obtained..."

    Maybe I misunderstood the context, but those seem statements seem to contradict eachother. Certs, like anything else work on supply and demand, but I understand and agree with the premise of the orginal question.

    Currently, the CISSP is still somewhat rare and revered in terms of mainstream certifications, but if every other Tom, Dick, and Harry have it...it will in a sense lose value.
    Making a cert exam very difficult to pass does not significantly increase the value of a cert, but having a cert exam that's too easy to pass (because of cheats or it's just too simple) does significantly decrease the value of the cert. IMHO, of course.

    And Mark is quite correct. In addition to vendor-neutral certs, vendors-specific certs and on-the-job training are also required by 8570. Here's a good blog article that explains it.
  • ElleReElleRe Member Posts: 2 ■□□□□□□□□□
    okay maybe i'm a bit late on this one, but for newbie gov't employees obtaining these certfications (i.e. someone right out of college), how does this change which jobs/GS level a person will qualify for when applying for jobs? i.e. is a Tech1 a GS-5through9 a Tech2 GS-9
  • TechJunkyTechJunky Member Posts: 881
    This is very interesting information. I have done work for the DoD and I dont have a Sec+. All my employer asked for as a requirement for hire was an MCSE. Very interesting topic.
  • ElleReElleRe Member Posts: 2 ■□□□□□□□□□
    I read through the document (and by read i mean, skimmed quickly and could very well have missed something) and didn't see how, or if this will effect which jobs, grade levels, or pay bands a person will qualify for with said certifications.

    If a person has a college degree (BS or higher) in IT Security, then does that not qualify someone as a Tech level 1, 2, etc.? and would that person still need to obtain additional certifications?

    I'm looking at this from the perspective of someone graduating with a BS in IT security, working towards certifications (to remain competitive), and working for people who have no college degrees... which i have no problem with, but wouldn't making certifications mandatory (and not college) undermine undergraduate efforts? Plus, with the government, you can't even be considered for a job (i.e. a palty GS-5 with a BS) unless you have a degree or know someone.

    I could be completely wrong and have missed something all together, i'm mostly just mishmashing thoughts together wondering how, or if this changes quals. (me in particular, but i also understand i'm in a unique situation).
  • TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    Talic wrote:
    Sounds like they are attempting to get ready to go to cyber war with China icon_twisted.gif

    I think "require" is a bit to strong to do, rather tell someone that you need to get this and this before this deadline since it takes hands on experience to actually learn.

    edit: what do those certifications require you to know before you take them? Are they for configuring firewalls or something else?

    I think it's probably more for internal security awareness rather than taking on external threats directly which is a bit futile. There are no doubt better approaches to tackling that directly than having more CISSPs on staff. By the time security certs are defined and it becomes policy to have them the threats have been around years and well exploited. I recall watching an IT documentary what nearly 10 years ago when the hackers, many of them youngsters in the US who disparagingly said their companies 'were so stupid'. This group were promptly hired to advise on defence measures. Russians have said they new US secrets for years when they were surrounded by hitech security measures. On that note cyber attacks on Estonia last year were particularly severe when many Russians were insensed about events concerning a Soviet war memorial that was removed there. The attacks were proxied from all over the globe and not inconsequencial.

    So I think it's probably a push for hightened general security awareness as opposed to taking hackers on.
Sign In or Register to comment.