[OT?] call for info on security professional certifications

Benjamin Scott dragonhawk at gmail.com
Tue Apr 6 13:11:33 EDT 2010


On Tue, Apr 6, 2010 at 12:23 PM, Alan Johnson <alan at datdec.com> wrote:
>>  The DoD is now requiring all staff who work in an Information
>> Assurance role to maintain security certifications.  That includes
>> staff of commercial contractors.
>
> You mean, like clearance levels, or some tech security cert?

  I mean tech industry security certs.  DoD security clearances are
entirely about granting access to information.

  "Information Assurance" (IA) is what the DoD calls computer security
these days.  It applies to all computers, not just those processing
classified information.  IA has had other names, like COMPUSEC and
INFOSEC.  They adopted the "IA" name due to issues where stuff was
protected against disclosure but not (e.g.) backed up, so a hard disk
failure would result in lost data.  "So secure, nobody can access it."
 The name change is intended to help reflect requirements for not just
confidentiality, but also integrity and availability.  Like most large
organizations, the DoD is big on name changes.

  Anyway, DoD Directive 8570.01, "Information Assurance Training,
Certification, and Workforce Management", issued 2004AUG15, requires
anyone working in an IA role to have certifications.  That includes
not only techies, but also managers of techies.  It includes not just
DoD proper, but any DoD contractor.  Those requirements are slowly
trickling down.

  DoD Manual 8570.01-M, "Information Assurance Workforce Improvement
Program", spells out who needs what.  It makes a distinction between
people-management roles vs technical roles.  It also identifies levels
of each, basically scope, so a guy taking care of one PC is different
vs a guy in charge of 1000s.

  Table AP3.T1 in 8570.01-M lists approved certification programs for
the various roles and levels.  They're all tech industry certification
organizations -- CompTIA, GIAC/SANS, and ISC².

  It's actually a fairly reasonable take on the matter, given that the
DoD is one of the world's largest organizations, and has an obvious
need for strong computer security.

-- Ben


