Mandatory certification & licensing for IA professionals

In this fourth article in this five-part series, I look at the controversy surrounding U.S. government proposals for mandatory certification of security professionals.

* * *

On April Fool's Day 2009, senators John D. "Jay" Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) introduced Senate Bill 773, "A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes." The bill's short title is the "Cybersecurity Act of 2009."

Among other important proposals bearing on the security of critical communications and computing infrastructure, the bill would introduce what Scott Petersen of describes as, "a raft of new federal security standards and certification and licensing requirements that could have major impacts on businesses and security professionals."

Ben Bain ably summarized the key points of the bill about licensing in a June 18, 2009 article in Federal Computer Week.

From what I can tell by reading the pro and con positions, here is a summary of the arguments on each side. I leave it to readers to make up their own minds.

Support

• Other professions involving public safety require government-sanctioned standards and licenses: why shouldn't critical infrastructure receive protection?

• Federal government involvement will support nationwide promulgation of better security standards than a hodge-podge of state-government-run programs or the chaos of independent standards.

• Defining federal security standards will lend credibility to information assurance and serve as a boost to security awareness.

• Federal standards for the civilian sector will inevitably improve government standards as well.

• Forcing industry to spend money on training and certification will overcome the risk-tolerant, short-term focus on quarterly bottom lines that interferes with rational security management.

• Certification would weed out charlatans and incompetents who move from victim to victim as they provide bogus, wasteful, ineffective information assurance advice.

• Certification, with its usual requirement for continuing professional education, may support continued learning and adaptation to a changing security environment.

• The new law would bring regulatory and legal pressure to bear on the private sector to bring security standards in line with government security standards such as the Federal Information Security Management Act (FISMA).

• Legal force would bring the research and standards defined by the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) to the private sector more strongly.

• Testing, certification, and licensing should be removed from organizations that profit from training and education.

• All resistance to government involvement in any aspect of business is the mark of either Fascists or devil-worshippers. [OK, it's joke No. 1 – it's an unspoken bias that I suspect is held by some proponents.]

Oppose

• Involving government agencies in any aspect of security for a rapidly-evolving high-tech field will slow people's ability to respond to changing threats.

• The legislation fails to define the terms "critical infrastructure" and "cybersecurity services" used in defining its mandatory licensing scheme.

• Establishing mandatory training, certification and licensing standards will be difficult and take much longer than the one-year deadline envisaged in the bill.

• Although mandatory certification might be acceptable, mandatory licensing raises more troubling questions about the nature of the licensing authority, costs and liability for errors by licensed professionals.

• If licensing is accepted, it must be controlled by state governments, not the federal government, just as other professional licensing is managed.

• The legislation would be expensive and difficult to implement, especially for small-to-midsize businesses.

• Unless there are funds allocated for establishing mandatory certification and licensing processes, the bill will be another unfunded or underfunded mandate that will fail because of inadequate planning and resources.

• Mandatory certification requirements may include grandparent clauses that allow incompetent, unqualified personnel to continue in positions of responsibility over information assurance organizations and functions.

• Continuing education requirements for security certifications are too lax to guarantee measurable, real-world growth or even maintenance of professional knowledge and skills in information assurance.

• Compliance with security standards is not in itself a guarantee of improved security.

• Removing competition from testing, certification and licensing will reduce or eliminate free-market pressures for improvement and excellence.

• All government involvement in any aspect of business is the mark of either Communists or devil-worshippers. [OK, it's joke No. 2 – it's an unspoken bias that I suspect is held by some opponents.]

In the next (and last) article, I'll (finally) respond to a young correspondent's request for guidance about the "best" security certification for improving job prospects.

* * *

For further reading

Bain, B. (2009). "Cybersecurity training: The battle over mandates." Federal Computer Week (2009-06-18).

Castro, D. (2009). "Certifications are not a panacea for cybersecurity woes." Federal Computer Week (2009-12-01).

HSNW (2009). "Licensing cybersecurity professionals, I." Homeland Security Newsletter (2009-06-23).

HSNW (2009). "Licensing cybersecurity professionals, II." Homeland Security Newsletter (2009-06-24).

Monroe, J. S. (2010). "Certifications: A false sense of security." Federal Computer Week (2010-01-05).

With special thanks to MSIA Professor Paul Brusil, Chief Scientist and Founder of Strategic Management Directions, for several references.

Copyright © 2010 IDG Communications, Inc.