Licensing cybersecurity professionals, I

Published 23 June 2009

There is a move in Congress to require the Commerce Department to develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

We would not put cops on the street or soldiers into battle without first giving them proper training — but there is no standard government-wide preparation program required for those who protect the U.S. government’s information systems and computer-controlled infrastructure from bad guys intent on mischief or harm.

FCW’s Ben Bain writes that whether an obligatory return to the classroom will make a difference in countering those threats is at the heart of a debate spurred by a proposal to license cybersecurity professionals who work for or contract with the government. The mandate is part of an ambitious cybersecurity measure the Senate initiated, and it would affect tens of thousands of information technology workers.

Bain writes that proponents see the measure as money well spent to improve information security through a more professional, better-trained cybersecurity workforce. Opponents believe mandatory licensing will tie up the industry in red tape and hinder its ability to keep training up-to-date with rapidly changing technology.

The measure, sponsored by Senators John “Jay” Rockefeller (D-West Virginia) and Olympia Snowe (R-Maine), would direct the Commerce Department to develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals. It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure.

Opinions about the proposal’s potential impact vary, but the different camps agree on one point: There are still many unanswered questions. For example, people wonder how “cybersecurity services” would be defined. They also speculate on which skills would need certification or licensing and whether using company-based certifications would be the right approach.

Bain writes that there are also questions about enforcement, legal liability, the value of certification versus licensing, and how federal requirements would impact states’ rights and their traditional role in licensing various professions.

The Senate measure would apply to all federal IT systems and any others the president deems critical infrastructure, which could include privately owned assets such as the electric grid.

It would not be the federal government’s first attempt at demanding proof of training for cybersecurity professionals. The Defense Department has had a mandatory certification — but not licensing — requirement for its information assurance workforce since 2004. The program has certified only one-third of the department’s information assurance workforce so far, and though officials have yet to complete an extensive assessment of the program’s performance, they