Security Certification Rules Could Shake Up IT Management

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget.

Requirements for professional security certification for IT workers in civilian agencies, now being readied by the Office of Management and Budget (OMB), would have a major impact on how government and industry recruit, train and manage their IT staffs, a security expert said Wednesday.

"They are going to affect every one of us in the field," contractors and government employees, said George Datesman, a senior manager at Noblis Inc., a nonprofit high-tech consultant.

Datesman -- who holds a master's degree in criminology and has 30 years experience in law enforcement, including a stint with the Justice Department -- said at a Digital Government Institute conference on cybersecurity that OMB is finalizing minimum requirements for professional certification. He had no time frame for their release.

As IT security has become professionalized, a number of certifications have achieved general recognition industrywide, including a suite from the International Information Systems Security Certification Consortium (ISC2). ISC2 maintains and administers examinations for:

  • CISSP: Certified Information Systems Security Professional
  • ISSEP: Information Systems Security Engineering Professional
  • ISSAP: Information Systems Security Architecture Professional
  • SSCP: Systems Security Certified Practitioner

Organizations awarding certifications would have to be accredited to meet a federal mandate. Datesman likened the situation to the law-enforcement field, which still is sorting out how to fully implement requirements for increased professional training and education 30 years after the movement began. Not only would there be new hiring requirements, there also could be increased responsibility and legal liability for workers and their employers.

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. The DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. The DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply-and-demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification, for example, requires five years' experience. "You don't mint them out of college," he said.

The requirement is likely to drive up the cost of recruiting professionals, not only in government but among government contractors, who also would have to meet the requirements in staffing government contracts. Government contract language also would have to change to reflect the requirements.

Other practical considerations would be the need to formally define IT security roles and jobs and spell out the knowledge, skills and abilities needed for each. Certification and training also would have to be verified by employers, possibly creating a backlog much like that for background checks in issuing personal-identity verification cards to government workers and contactors under Homeland Security Presidential Directive 12.

No amount of education and certification will completely fulfill the need for IT security professionalism, Datesman said.

"When we did this in law enforcement 30 years ago, what we learned was that 60 percent of what they needed to know is learned on the job," he said.

About the Author

William Jackson is the senior writer for Government Computer News (


  • Gears

    Top 10 Microsoft Tips and Analyses of 2018

    Here are the year's most popular explainers and how-to columns -- along with some plain, old "Why did Microsoft do that?" musings thrown in.

  • Sign

    2018 Microsoft Predictions Revisited

    From guessing the fate of Windows 10 S to predicting Microsoft's next big move with Linux, Brien's predictions from a year ago were on the mark more than they weren't.

  • Microsoft Recaps Delivery Optimization Bandwidth Controls for Organizations

    Microsoft expects organizations using its Delivery Optimization peer-to-peer update scheme will optimally see 60 percent to 70 percent improvements in terms of network bandwidth use.

  • Getting a Handle on Hyper-V Virtual NICs

    Hyper-V usually makes it easy to configure virtual network adapters within VMs. That is, until you need to create a VM containing multiple virtual NICs.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.