nanog mailing list archives

RE: Wow, just when you though big government was someone else's problem


From: Michael Barker <mbarker () cyrusnetworks com>
Date: Sun, 5 Apr 2009 12:58:50 -0400

Seems like they're following up on Department of Defense Directive 8570.01, whereas all Information Assurance personnel 
(that being defined as anyone with privileged access) are required to be certified.

Full policy manual is here.
http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf


-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Sunday, April 05, 2009 4:13 AM
To: Suresh Ramasubramanian
Cc: nanog () nanog org; Jeff Young
Subject: Re: Wow, just when you though big government was someone else's problem

On Sat, 04 Apr 2009 16:16:24 +0530, Suresh Ramasubramanian said:

> Do you by any chance get to go work on sensitive government networks
> without, say, a security clearance?

What the draft actually says:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or 
coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity 
professionals.

(b) MANDATORY LICENSING. - Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any 
individual to engage in business in the United States, or to be employed in the United States, as a provider of 
cybersecurity services to any Federal agency or an information system or network designated by the President, or the 
President's designee, as a critical infrastructure information system or network, who is not licensed and certified 
under the program.

A few thoughts:

1) Somebody's going to make a mint of money doing certification testing.

2) Somebody's network is going to be left flapping in the breeze because their provider didn't get certified in time.

3) It's interesting that "providers of cybersecurity services" have to be licensed, although others who do 
security-relevant work on the system/net don't have to be - nor do they define what a "provider of cybersecurity 
services" is.

So - quick show of hands: If you have a net that this applies to, do you know which of your engineers do/don't need a 
cert? ;)

