In The End There Can Be Only One?

Cybersecurity Act 2009 – Review Part 1

This entry is one in a series of blog postings reviewing legislation currently before the US Congress. It should be noted that, according to several sources, there is a rewrite of the bill; however, as of this writing that version is not posted on either the Library of Congress or the Government Printing Office websites.

The title of this post (actually a tagline) from the movie Highlander seems very appropriate with regard to a section in the Cybersecurity Act of 2009 (S.773; Sen. Rockefeller, Sen. Snowe and Sen. Nelson).

Section 7(a) of this Act states that the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals. Subsection (b) further states: “…it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.”

I will not go into whether or not the Government can devise a comprehensive, effective and, in general, adequate security certification program. I am sure there will be plenty of discussions/posts/etc. on that topic if this Act comes to pass.

As I read subsection (b), several thoughts come to mind. What is going to happen to the existing certification bodies such as (ISC)², SANS or any other non-vendor-specific certification entity? Are those certs going to fade away or become less significant? Will the government recognize these certs and potentially institute some sort of grandfather clause? What will be the impact of this “required” certification on training organizations? Initially every vendor, consulting and professional services organization will have to send their staff to be certified but, eventually, there probably won’t be a need for so many training entities or staff. I don’t think these certs will go away, as there are many industries and organizations that don’t work with the US government, but it remains to be seen how much weight these certs will carry.

My next thought was with regard to vendors who offer implementation services for their own products. According to the Act, the engineers at these companies will need to obtain the certification and maintain it. This may be more than some organizations want to go through just to offer implementation services. Sure, consulting or professional services organizations may benefit from the resulting outsourcing, but what happens when the on-site consultant needs advanced engineering support from the vendor? If the vendor’s escalation engineers are not licensed, they cannot legally step in. So the cost lands on a multitude of organizations and people who will now have to put up the time, money and possibly other resources to get their staff “approved” for government work, even those who outsource the implementation, just to be able to handle such a crisis.

Then I thought…one certification for everyone? Most security professionals would agree that would be difficult, if not impossible, to establish. A debate that has been around for years is which is better: CISSP or SANS GIAC? Most security practitioners would agree that each has its own place, as they are distinct in their focus. The CISSP is generally looked upon as more managerial in nature, while the GIAC certs are more technical. That is not a criticism, just a statement that the nature of each is different. Trying to imagine a one-stop certification boggles the mind, if nothing else from the amount of material that would need to be studied. Unless there are different levels or tracks of government certification (which is potentially its own nightmare), this will be very difficult to implement.

If you step back and think of the scope this section of the Act implies, it is enormous, and the resource impact on thousands of organizations is tremendous. While I certainly applaud the apparent intention of this section, I can’t see a single certification that fits everyone and provides the best service to the government.