Licensing cybersecurity professionals, II

efforts. “Many times there are high-end training classes and laboratory experiences conducted that have empty seats, and they could offer those seats to other agencies if we were comparing apples to apples,” Oldfield said.

DOD’s experience
As experts weigh the potential value of a government-wide cybersecurity certification or licensing requirement, they are turning to DOD for lessons about how its program has fared. DOD’s certification requirements cover a spectrum of management and technical information assurance roles for some 90,000 military, civilian, and contract employees. Officials created the program in 2004 in response to departmental Directive 8570, released a manual of instructions in 2005 and updated that manual in 2008. Under the program, they identified commercially available, accredited certifications that information assurance employees and contractors need to have to work on DOD systems.

“The idea of a common lexicon that’s provided by these certifications is something that was lacking before,” said George Bieber, director of DOD’s Information Assurance Workforce Improvement Program.

At the launch of the program, Pentagon officials created a working group with representatives from the military services to define the functions or skills the certifications would cover. Then they examined which existing certifications aligned most closely with the desired skills.

DOD’s legal representative originally said they needed to use certifications rather than licensure because the latter is not a federal or DOD function, Bieber said. Officials also decided to take advantage of existing commercial certifications rather than develop custom programs so that employees would have skills they could use in the private sector or at other agencies.

Bain writes that DOD’s program has not moved as quickly as officials had hoped. Their goal was to have about 40 percent of targeted workers certified by now, but only about 30 percent have been. Bieber blamed the shortfall on an aggressive schedule, funding constraints, changing culture and the extra work needed to make changes in supporting systems, such as personnel databases. However, DOD officials still hope to have all 90,000 certifications done by 2011.

Studies conducted by a couple of DOD offices have shown that security seems to improve as more employees are certified. DOD officials are in the process of collecting data to assess the program more broadly. Bieber said he has heard that certifications help increase a cybersecurity staff’s problem-solving abilities by providing them with a common lexicon when addressing incidents. “It’s really enabled the security issues to be handled at a lower level, whereas before it was going up,” he said.

Expanding the DOD model?
It is uncertain whether the requirements outlined in the Rockefeller-Snowe bill would expand the DOD model of using commercial certifications or prompt the development of new standards. And experts disagree on which approach is best. Paller said the way DOD developed its program by surveying commercial certifications was a huge error. He believes a certification program should measure specific skills that people use in specific jobs — something he said DOD’s approach doesn’t do. Rather, it found a lowest common denominator, he said. “My sense is if we care about this enough to make it a national law, we ought to make it much more technical and much more sophisticated,” Paller said.

Others, however, see expanding DOD’s approach as the way to go. Lainhart said DOD’s program, which is based on U.S. and internationally recognized certifications, is preferable. “Let’s not reinvent the wheel,” Lainhart said. “We’ll achieve a global standard that way by using the certifications that are out there, and I think that’s again consistent with [President Barack Obama’s] cybersecurity policy review.”

Indeed, what will follow from the administration’s recently completed 60-day review of cybersecurity policy could be a big factor in determining the new proposal’s fate. The reviewers’ report recommends that the federal government initiate a national public awareness and education campaign. It adds that shared training and rotational assignments across agencies — and potentially with the private sector - would be efficient and beneficial. The administration, however, has not said whether it favors mandatory certifications and licenses for cybersecurity professionals.

Even with all the unanswered questions, some experts are happy just to be having the conversation. Bieber said he thinks all the focus on cybersecurity will turn more attention on training and certification efforts. “One of the things I love about the Rockefeller-Snowe bill is it’s provocative, and it’s creating these discussions,” said Mason Brown, director of the SANS Institute and a participant in the (ISC)2 roundtable discussion. “If we expect something in draft format and out of committee or out of the gates to be perfect, we’re a little bit nutty.”