New security certification program draws feds

New security certification program draws feds


A new security certification program for network and systems administrators is attracting federal participants, who combined make up the largest group to gain credentials through the program.

The International Information Systems Security Certifications Consortium has approved more than 3,000 certified information systems security professionals (CISSPs) since 1995. But it only recently began offering systems security certified practitioners (SSCPs) a shorter program for systems security practitioners.

These are the systems staff members who implement the security policies and procedures set by senior officials, said James E. Duffy, the consortium's managing director and chief operating officer. About 300 certified practitioners have qualified so far.

Duffy said the government has the highest concentration of CISSP credentials, driven by the Critical Infrastructure Protection Program.

'We're expecting 2001 to be a year of slow growth as we establish the credential,' Duffy said. 'By 2002, the SSCP will stand on its own.' But the consortium, based in Framingham, Mass., has barely scratched the surface in qualifying security personnel.

'Realistically, there are 100,000 people who should be certified' at the CISSP level, Duffy said, and several times that many who would fit the SSCP profile.

But certification is a double-edged sword for federal managers, Duffy said.

'Government workers know that getting a CISSP is a ticket out of town,' he said, because headhunters mine the certification list for leads.

Sallie McDonald, the General Services Administration's assistant commissioner for information assurance and critical infrastructure protection, said training programs are not turning out security experts fast enough to meet demand.

'The need for trained security specialists is critical in the government,' McDonald said. 'Most of the traditional information technology curriculum doesn't touch that area.'

Congress has provided financial assistance for information security training in exchange for a commitment on the part of the students to work in the government for a certain time.

'The fact that Congress has authorized money is indicative of the dire straits this segment of the industry is in,' McDonald said.

The government has no requirement for security certification, although it can be helpful in hiring, she said. Establishing qualifications is on a one-to-one basis.

'Mostly, I do it through the interview process,' McDonald said.

The consortium does no training of security specialists except for preparatory courses for its exams. There were 3,370 CISSPs at the end of last year, up from 1,836 a year earlier.

CISSP candidates must have three years' experience and pass a 250-question test. Those certified have to take 120 hours of continuing education every three years.

SSCP candidates must have one year's experience, pass a 125-question test and receive 60 hours of continuing education over three years for recertification.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected