Context for discussions of mandatory certification

This is the third of five articles discussing the benefits (if any) of security certifications in the job market. In the first article, a number of studies suggested that certifications do improve prospects for hiring and higher salaries. In the second article, we looked at some more recent studies and surveys with yet more encouraging news for holders of security certifications.

In this third article, I look at the wider context of certification and licensing for a range of professionals in the United States and point to the efforts beginning in the early 2000s to force certification for information assurance officers in the U.S. Department of Defense.

* * *

Many professions require government-recognized authorization (licensing) for professionals to practice their trade. In the United States alone, for example,

• Medical doctors must be certified by state medical boards; according to the history page on the Web site of the Federation of State Medical Boards, "The Federation of State Medical Boards of the United States, Inc., was founded in February 1912, as the result of a merger between the National Confederation of State Medical Examining and Licensing Boards (established in 1891) and the American Confederation of Reciprocating Examining and Licensing Boards (established in 1902)."

• Nurses, pharmacists, chiropractors and other specialists in medical care must be licensed by state boards.

• Lawyers must pass state bar association examinations to be allowed to practice law or even to provide legal advice (hence the often-repeated warning "I-am-not-a-lawyer-and-this-is-not-legal-advice-for-legal-advice-consult-an-attorney-with-expertise-in-this-area-of-the-law" which prevents accusations of practicing law without a license).

• In all but four states, private investigators must obtain a state license.

• Certified Public Accountants are licensed by state boards for specific classes of financial accounting services.

• Taxi drivers must comply with state regulations for appropriate classes of drivers' licenses and with city taxi commissions who set qualifying exams and often determine rates that companies or independent drivers may charge.

In August 2004, the U.S. Department of Defense (DoD) promulgated Directive 8570.1, the "Information Assurance Workforce Improvement Program," and implemented it as of December 19, 2005; it was updated on May 15, 2008. The International Information Systems Security Certification Consortium, (ISC)², describes 8570.1 as follows (major bullets added):

• What is U.S. DoD Directive 8570.1? This DoD-wide policy, made official in August 2004 and implemented according to the requirements of DoD 8570.1M Manual in December 2005, requires any full- or part-time military service member, contractor, or foreign employee with privileged access to a DoD information system, regardless of job or occupational series, to obtain a commercial information security credential accredited by ANSI or equivalent authorized body under the ANSI/ISO/IEC 17024 Standard. The Directive also requires that those same employees maintain their certified status with a certain number of hours of continuing professional education each year.

• How many DoD personnel are affected by this mandate? DoD officials estimate that the number could top 100,000 people, including any full- or part-time military service member, contractor, or foreign employee with privileged access to a DoD information system, regardless of job or occupational series.

• What is the significance of this mandate and of commercial certification in general? This mandate will have far-reaching implications, including:

o The Directive is viewed as a government endorsement of the effectiveness and cost-efficiency of commercial certification.

o It provides military and civilian personnel with a certification that is professional, internationally recognized and vendor-neutral (not tied to any agency, technology or product).

o It provides a portable certification that is recognized in both the public and private sectors.

o It mandates and endorses a global standard (ANSI/ISO/IEC 17024).

o It positions the information security profession as a distinct job series.

In the fourth of this five-part series, I'll look at the controversy surrounding U.S. government proposals for mandatory certification of security professionals.

Copyright © 2010 IDG Communications, Inc.