Monday, May 29, 2006

DoD Certification Program Update

I've had a chance to read issues of Federal Computer Weekly delivered while I was on vacation. I like reading FCW because it gives me some insight into the madness found inside the Beltway.

I enjoyed reading Wanted: Information assurance-savvy people, which discussed DoD's plans for certifying IT staff. I've examined this issue before. Here's a quote by someone who understands the problems with DoD's plan:

Alan Paller, director of research at the SANS Institute, said DOD should have no problem meeting its initial target of 80,000-plus employees trained and accredited in information assurance. But he doesn’t think the baseline certification that DOD requires will produce a workforce capable of securing the military’s systems.

“The problem is that the bulk of the certifications don’t teach people how to do security,” Paller said. “Certified people will be able to talk about security, but they won’t know how to do it — to actually encrypt data and do the necessary work.”

Instead, DOD needs a way to evaluate actual information assurance work, Paller said. That requires hand-on training and scenario-based testing, he added.

Alan is absolutely right. A DoD certification program which accepts the CISSP as the top technical certification indicates the program designers are absolutely clueless.

Speaking of clueless:

Robert Lentz, DOD’s director of information assurance, said he respects Paller’s opinion but is not worried that the program is headed in the wrong direction. The important thing is to get baseline certifications awarded and then work from there, Lentz said.

Assuming the reported depicted Mr. Lentz's words accurately, I am extremely disappointed by this opinion. This attitude sounds to me like the following: "Who cares if our program is wrong? Let's just get it started." That is a recipe for failure, especially considering this quote from the article:

DOD’s success with IA training and certification could have wider implications, said Jim Flyzik, president of the Flyzik Group, a consulting firm. If successful, DOD’s approach would probably be adopted in other areas of government, he said.

Great. DoD starts down the wrong path, and the rest of the government follows? Ouch.

1 comment:

Anonymous said...

Co-worker applied for a CISSP class, was told there are no funds available. Business as usual.