Mandatory cyber certification: What good is it?

Will mandatory cybersecurity training or licensing make government systems more secure?

Few people would advocate putting cops on the street or soldiers into battle without first giving them proper training. Yet there is no standard governmentwide preparation program required for those who protect the government’s information systems and computer-controlled infrastructure from bad guys intent on mischief or harm.

Whether an obligatory return to the classroom will make a difference in countering those threats is at the heart of a debate spurred by a proposal to license cybersecurity professionals who work for or contract with the government. The mandate is part of an ambitious cybersecurity measure the Senate initiated, and it would affect tens of thousands of information technology workers.

Proponents see the measure as money well spent to improve information security through a more professional, better-trained cybersecurity workforce. But opponents believe mandatory licensing will tie up the industry in red tape and hinder its ability to keep training up-to-date with rapidly changing technology.

The measure, sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would direct the Commerce Department to develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.

It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure.

Opinions about the proposal’s potential impact vary, but the different camps agree on one point: There are still many unanswered questions. For example, people wonder how “cybersecurity services” would be defined. They also speculate on which skills would need certification or licensing and whether using company-based certifications would be the right approach.

There are also questions about enforcement, legal liability, the value of certification versus licensing, and how federal requirements would impact states' rights and their traditional role in licensing various professions.

The Senate measure would apply to all federal IT systems and any others the president deems critical infrastructure, which could include privately owned assets such as the electric grid.

It wouldn’t be the federal government’s first attempt at demanding proof of training for cybersecurity professionals. The Defense Department has had a mandatory certification — but not licensing — requirement for its information assurance workforce since 2004. The program has certified only one-third of the department’s information assurance workforce so far, and though officials have yet to complete an extensive assessment of the program’s performance, they see signs that it is having a positive impact.

Licenses vs. certifications

The new proposal would affect the entire federal IT industry — from contractors to government employees and the many companies that provide information assurance certification and training.

The use of certification as a tool for hiring, placing and promoting employees is certainly nothing new. However, a mandatory licensing program would be unprecedented, and that proposal has proven particularly contentious.

“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC)² and a former federal information security program manager. (ISC)² is one of numerous organizations that constitute an expansive training and certification industry.

McNulty said he’s not hearing a lot of complaints about the certification requirement, but many people have a problem with the licensing requirement.

During a roundtable discussion on certifications (ISC)² hosted in early June, several participants said the licensing requirement would represent a departure from the state-based approach to validating the qualifications of professionals such as doctors and lawyers.

Federal licensing of cybersecurity professionals “would fly against that principle, and it just doesn’t make a lot of good sense in my opinion,” said John Lainhart, public-sector service area leader for security, privacy, wireless and IT governance at IBM’s Global Business Services. He participated in the (ISC)² roundtable discussion as a representative of the Information Systems Audit and Control Association, which provides cybersecurity training and certifications.

Critics say another problem with licensure and its added layers of federal oversight is that the government’s training and testing programs would not evolve as quickly as industry-driven certification programs.

That would be a significant slowdown for an industry that changes as rapidly as IT does, and could dampen rather than boost the growth of a newly trained cybersecurity workforce, said Dan Liutikas, another roundtable participant and senior vice president, chief legal officer and corporate secretary at CompTIA, an IT industry and training association.

Yet another issue with licensing is what form the testing should take. Alan Paller, director of research at the SANS Institute, a cybersecurity training, certification and research organization, supports the idea of evaluating security professionals’ skills in operational situations, as airplane pilots are tested.

He added that if the government establishes a licensing program for IT security professionals, it shouldn’t belong to the commercial world. “It should be owned by a completely independent organization that isn’t trying to sell something already, and they should not be able to do any training at all — none,” Paller said.

The current state of play

Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. Such tracks are common for other government jobs but nonexistent for IT security.

“Everything always points back to the fact that we are calling things apples and oranges and grapes,” said Brenda Oldfield, director of cyber education and workforce development in the Homeland Security Department’s National Cybersecurity Division. “We do not have common terminology across the mission areas. Everything that we attempt to do in developing any plans for training and education of the civilian workforce or of the federal workforce depends upon this common lexicon.”

On that issue, the legislation might be getting ahead of itself, said Patricia Titus, former chief information security officer at the Transportation Security Administration and currently CISO at Unisys Federal Systems.

The Office of Personnel Management still hasn’t designated a job series for IT security professionals, she said. Right now, such workers are categorized as IT specialists, managers or program analysts.

“I think OPM needs to develop an IT security job series, and part of that series then would be the requirements of what the individuals have to do,” Titus said. Those might include certification, appropriate training and relevant job responsibilities, she added.

Oldfield has been working for years to establish a common set of skills for information security professionals in the government. Most recently, that effort has been folded into the education component of the Comprehensive National Cybersecurity Initiative, the multiyear, multibillion-dollar program launched by the Bush administration. Oldfield co-leads the education initiative for DHS in cooperation with DOD.

“We have to be able to validate that cyber professionals have the skills needed, but we have to identify what those skills are uniformly,” she said.

Officials have identified numerous federal documents that specify different IT security competencies that workers should possess. The challenge is to bring them all together. That’s the job of an interagency work group being established to identify critical roles and unify agencies’ training efforts. Such consolidation will also likely produce cost savings by eliminating duplicative efforts.

“Many times there are high-end training classes and laboratory experiences conducted that have empty seats, and they could offer those seats to other agencies if we were comparing apples to apples,” Oldfield said.

DOD’s experience

As experts weigh the potential value of a governmentwide cybersecurity certification or licensing requirement, they are turning to DOD for lessons about how its program has fared.

DOD’s certification requirements cover a spectrum of management and technical information assurance roles for some 90,000 military, civilian and contract employees. Officials created the program in 2004 in response to departmental Directive 8570, released a manual of instructions in 2005 and updated that manual in 2008. Under the program, they identified commercially available, accredited certifications that information assurance employees and contractors need to have to work on DOD systems.

“The idea of a common lexicon that’s provided by these certifications is something that was lacking before,” said George Bieber, director of DOD’s Information Assurance Workforce Improvement Program.

At the launch of the program, Pentagon officials created a working group with representatives from the military services to define the functions or skills the certifications would cover. Then they examined which existing certifications aligned most closely with the desired skills.

DOD’s legal representative originally said they needed to use certifications rather than licensure because the latter is not a federal or DOD function, Bieber said. Officials also decided to take advantage of existing commercial certifications rather than develop custom programs so that employees would have skills they could use in the private sector or at other agencies.

DOD’s program hasn’t moved as quickly as officials had hoped. Their goal was to have about 40 percent of targeted workers certified by now, but only about 30 percent have been. Bieber blamed the shortfall on an aggressive schedule, funding constraints, changing culture and the extra work needed to make changes in supporting systems, such as personnel databases. However, DOD officials still hope to have all 90,000 certifications done by 2011.

Studies conducted by a couple of DOD offices have shown that security seems to improve as more employees are certified. DOD officials are in the process of collecting data to assess the program more broadly.

Bieber said he has heard that certifications help increase a cybersecurity staff’s problem-solving abilities by providing them with a common lexicon when addressing incidents.

“It’s really enabled the security issues to be handled at a lower level, whereas before it was going up,” he said.

The DOD model expanded?

It’s uncertain whether the requirements outlined in the Rockefeller-Snowe bill would expand the DOD model of using commercial certifications or prompt the development of new standards. And experts disagree on which approach is best.

Paller said the way DOD developed its program by surveying commercial certifications was a huge error. He believes a certification program should measure specific skills that people use in specific jobs — something he said DOD’s approach doesn’t do. Rather, it found a lowest common denominator, he said.

“My sense is if we care about this enough to make it a national law, we ought to make it much more technical and much more sophisticated,” Paller said.

However, others see expanding DOD’s approach as the way to go.

Lainhart said DOD’s program, which is based on U.S. and internationally recognized certifications, is preferable.

“Let’s not reinvent the wheel,” Lainhart said. “We’ll achieve a global standard that way by using the certifications that are out there, and I think that’s again consistent with [President Barack Obama’s] cybersecurity policy review.”

Indeed, what will follow from the administration’s recently completed 60-day review of cybersecurity policy could be a big factor in determining the new proposal’s fate.

The reviewers’ report recommends that the federal government initiate a national public awareness and education campaign. It adds that shared training and rotational assignments across agencies — and potentially with the private sector — would be efficient and beneficial. However, the administration hasn’t said whether it favors mandatory certifications and licenses for cybersecurity professionals.

Even with all the unanswered questions, some experts are happy just to be having the conversation. Bieber said he thinks all the focus on cybersecurity will turn more attention on training and certification efforts.

“One of the things I love about the Rockefeller-Snowe bill is it’s provocative, and it’s creating these discussions,” said Mason Brown, director of the SANS Institute and a participant in the (ISC)² roundtable discussion. “If we expect something in draft format and out of committee or out of the gates to be perfect, we’re a little bit nutty.”

Reader Comments

Sun, Sep 27, 2009

If certifications are so great then they need to make the exams free for anybody to take. This exposes the certification to a wider variety of people. After all, unless you have the money you are not going to take the test. If the cert is truly valid there should be no worry of just anybody taking the exam. As far as those people who use boot camps or dumps to pass the test, they are going to do it anyway. But for those borderline people who don't have money to waste but genuinely want to learn, having money riding on the line and having to pay for a retake just gives more incentive to cross over to the dark side and use dumps. So to sum it up, FREE certifications will mean more people are given the opportunity and there is less reliance on boot camps or dumps. All this will lead to a more diverse and skillful workforce.

Thu, Sep 17, 2009

Now the uncertified hackers/crackers will gain an edge because all the certified people will be thinking the same. So everyone studied hard and passed the Security+, so everyone now has the exact same skillset. Heaven forbid someone comes up with an exploit that is outside that skillset. If you are going to rely on certifications then for goodness' sake, take it out of the hands of the commercial world because to them money comes first. The certifications should never ever be knowledge based (cheap trivia like what is the max length of Cat 5). Instead, evaluation should be on the job over the course of time (sit someone down in front of a computer and ask them to tell you as much about the network as they can using the operating system's built-in tools).

Mon, Jul 6, 2009 jm

The problem is not with certification or licensing per se, but with the unwarranted belief that having certified/licensed people in place protects your systems over time... or is it envisioned that re-testing takes place every year?

Tue, Jun 30, 2009 d nc

I think that certifications are the most adequate means of proving one's abilities. Licensing is just another bureaucratic means of generating income for the Feds and also slowing down progress in the IT sector because of its ever accelerating and changing technology; the red tape of gov't has proven in the past that it can't keep up with the pace of changing software/hardware technology.
