nanog mailing list archives

Re: Ready to get your federal computer license?


From: Valdis.Kletnieks () vt edu
Date: Mon, 31 Aug 2009 15:24:56 -0400

On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said:

 (d) CERTIFICATION.-Beginning 3 years after the date of enactment of
this Act, it shall be unlawful for an individual who is not certified
under the program to represent himself or herself as a cybersecurity
professional.

Highly unlikely that 3 years is sufficient time to devise a certification,
a testing program, and get enough people certified.  5 years would be much
more reasonable.

It will probably take over a year just to thrash out what a "certification" is.
Consider the vast difference in scope and depth between a CISSP and one of
the GIAC certs. (Ghod forbid somebody suggest something rational like "upper
managers need a CISSP-ish cert and line employees need a relevant GIAC-ish
cert." :)

 (e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any
provision of law to the contrary, the head of a Federal agency may not
use, or permit the use of, cybersecurity services for that agency that
are not managed by a cybersecurity professional who is certified under
the program.

Unintended consequences - will this encourage the head of an agency to
instead say "screw it" and *not* use any cybersecurity services?

A question for the NANOG community - if this section were to only apply
to US government employees would it be acceptable?  In other words,
strike any reference to the private sector (except perhaps for those in
the private sector who are under contract to perform government work.)

Limiting it to "US government agencies, employees, and contractors" would
certainly trim out about 95% of the contentious areas.  But it still leaves
me, personally, on the hot seat - am I on the hook because I'm responsible
for research data that's NSF-funded? ;)
