NSA, (ISC)2 creating new information security certification

The National Security Administration plans to require a new credential of its staff and contractors working in information security.

The nonprofit International Information Systems Security Consortium Inc., or (ISC)2, won a five-year contract with the NSA's Information Assurance Directorate to develop and administer the new Information Systems Security Engineering Professional credential, which will focus on the technical knowledge required of government information systems security engineers.

Officials of (ISC)2, based in Framingham, Mass., announced the deal today. There are minimal costs attached to the (ISC)2 and NSA relationship, according to (ISC)2. When exams and training for the new credential begin, (ISC)2 will collect fees for them.

The National Strategy to Secure Cyberspace, published by the White House this month, highlighted the need for highly trained information security personnel, and for private-sector support for widely recognized professional cybersecurity certifications and guidelines for certification.

The new certification is an extension of the Certified Information Systems Security Professional credential offered by (ISC)2 for information security professionals with four years' cumulative work experience in the field. People who want to take the ISSEP exam will be required to hold the CISSP credential.

"NSA has started outsourcing a lot of their IT infrastructure work. This [certification] will give them a better feel for the qualifications and skills of people contractors are bringing through the door," said Lynn McNulty, government liaison for (ISC)2.

The certification could become a best practice for people who want to do highly sophisticated information security work within the national security sector, and ultimately throughout government and private sector, McNulty said. (ISC)2 plans to offer the new certification to all federal agencies and private-sector companies that do business with the federal government.

CISSP certification covers 10 domains of knowledge in forming security policies, standards and procedures. The domains are: access control systems and methodology; applications and systems development; business continuity planning; cryptography; law, investigation and ethics; operations security; physical security; security architecture and models; security management practices; and telecommunications, network and Internet security.

The four new domains for the ISSEP certification are: certification and accreditation; government policy and regulation; systems security engineering process; and protection needs determination.

"The U.S. government has a unique set of standards for information security," said Patricia Moreno, chief of staff for NSA's Information Assurance Directorate. "We believe (ISC)2's longtime international expertise in professional certification best suits our training needs within NSA."

NSA directs and performs activities to protect U.S. information systems and produce foreign intelligence information.