DOD approves new credentials for security professionals

Meets mandate that all DOD info assurance workers are accredited

The Defense Department has approved new credentials for information security professionals. The directive is expected to result in more than 100,000 personnel obtaining professional credentials.

DOD approved the (ISC)2 Certification and Accreditation Professional (CAP), which requires that all DOD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC Standard 17024.

CAP certifies that the holder has in-depth knowledge of Certification and Accreditation (C&A), a formalized process for assessing information system risks and security requirements and ensuring that the systems have adequate security in place.

DOD and the National Institute of Standards and Technology are jointly trying to create a single C&A process across the government. CAP is undergoing changes to comply with the new C&A requirements, which go into effect March 2010.

(ISC)2 is a global not-for-profit education and certifying organization for information security professionals. The organization has other certifications approved for use under the directive, including the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP).

It also provides certifications for several concentrations of the CISSP, including the Information Systems Security Engineering Professional (ISSEP), the Information Systems Security Architecture Professional (ISSAP), and the Information Security Systems Management Professional (ISSMP).

Separately, NIST recently released a draft contingency planning guide for federal information systems, draft SP 800-34, Revision 1, for public comment. The draft is an update to the original guide published in 2002. Comments are due by Jan. 6, 2010.

About the Author

Kathleen Hickey is a freelance writer for GCN.

Reader Comments

Mon, May 10, 2010 Joe San Antonio

Not all federal civilians have to pay for the training. I'm a civilian and my organization paid for the training and certification because it was required for the job. Also, in response to "hmm": normally, after you pass the test the first time, you don't have to take the test again as long as you maintain your CPEs. Yes, it is painful, but there are numerous ways to maintain CPEs for free. Also, if you are a DoD employee and in an IA billet, register in DMDC IA Workforce to ensure that your annual maintenance fee is paid for by DoD.

Mon, Nov 30, 2009 Alexandria, VA

I agree with the other commenters. While the focus is on obtaining a certification, which, I may add, is a good thing, the cost is rather expensive and sometimes risky, especially for a professional with many years of experience. The CAP does absolutely nothing for us, whereas the CISSP and other certifications do. The current cost to take the CISSP is over five hundred dollars. If you don't pass, you pay another five hundred dollars, and you keep paying until you pass the examination. I personally cannot afford to take the exam and surely cannot risk paying out of pocket and run the risk of not passing the examination. I find it rather intimidating that my career lies in the hands of a cert. I have years of experience as well as an MS in information security and assurance. People cannot afford these examinations and training boot camps out of pocket these days; I know I can't, so where is the happy medium? Is the government willing to pay for training for us, as some federal agencies pay for their federal employees to take the training and exam several times?

Tue, Nov 17, 2009 IAM Austin, TX

Taking training to maintain certs is expensive and counterproductive. I just completed a SANS Intrusion Detection In-Depth course that concentrated on finding hacks that were released back in 1999-2002, nothing current. But I took the training in order to get my 40 CPEs for this year for CISSP and CISM. This training does not help with today's world of hacks, per se, as we used old software also that the trainer just happened to help create.

Mon, Nov 16, 2009 hmm

It's getting too expensive in time and money to maintain the certs. I find it ironic that months before DOD 8570 was announced, the IT world was announcing the demise of certifications because people were realizing that there was a difference between applied knowledge and test-passing knowledge. The directive seems to have pulled the cert orgs out of the fire; now that's lobbying. This has me very concerned because in practice you really need diversity, and I cannot see in the long term how requiring certifications creates diversity. You see, everyone is so concerned about keeping their job that they focus intensely on passing the cert tests. This means their most immediate knowledge is dictated by the test writers, which may already be years out of date. The cycle repeats because the directive requires recurrent testing. Years from now you end up with employees who think the same, have the same skill sets and are at least 2 years behind the cutting edge. You can sugarcoat it all you want, but once something is mandatory for your job, that becomes your primary focus; it's human nature. So the directive has made testing the primary focus rather than personal development. We are seeing the tossing out of innovation and diversification. Rather than individuals learning how to defend against zero-day exploits, they are memorizing how to defend against attacks that were negated years ago. Now, on the flip side, certs are good at the entry level, but never at the professional level. After all, your patches and definitions need to be up to date to negate the old attacks; that's entry-level knowledge. But the professional should be focused on the exploits that have not even been dreamed of.

Fri, Nov 13, 2009

Agree with others that the article is poorly written. The individual does not appear to understand the requirements of DoD 8570. I believe the intent of the approval is to add the CAP (which I personally don't support) to the 8570 list of approved certifications.
