Senate security bill would put burden on contractors

An ambitious bill introduced last week in the Senate aims to improve cybersecurity in federal government by laying new responsibilities on contractors in the areas of training, procurement and technical standards.

The measure, one of two cybersecurity bills that Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduced last week, would require the licensing and certification of anyone providing cybersecurity services to a federal agency or information system or network designated as critical infrastructure. The Commerce Department would determine those requirements.

Some observers point out that many other professions require extensive licensing and certification.

Alan Paller, director of research at the SANS Institute, said it will be important to determine to whom the certification requirements should apply. For example, Paller said people with jobs that involve managing systems have large responsibilities for cybersecurity, even through they are not necessarily considered security professionals.
James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program, said the certification proposal would require people to show they have the necessary training and knowledge. That would be part of what he sees as an ongoing effort to nudge the information technology industry to greater maturity. 

The legislation would also call for the development of validation standards for software purchased by government. Lewis said reform in the procurement process is widely seen as a way to encourage better cybersecurity.

Experts, federal officials and industry remain fixated on the Obama administration’s ongoing 60-day cybersecurity review, which is expected to lead to a new cybersecurity strategy that involves government and the private sector.

John Stewart, chief security officer at Cisco Systems, said government and industry need to be mindful of the speed with which the IT industry changes. 

“If we codify something that doesn’t have elasticity in it, or by the way gets highly prescriptive, what we’ll end up doing is solving a moment in time to a one degree and then not be able to adapt to the next moment,” Stewart said. 

About the Author

Ben Bain is a reporter for Federal Computer Week.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Fri, Apr 24, 2009 Marc Techner San Diego

This proposal maintains the professional IT certification industry. The dollars that are pumped into training guides, bootcamps and exam fees may even be a more profitable industry than the IT industry iself. Creating certifications allows know-nothing human resource weenies an easy way to screen applicants and ill-informed government contracting officers to craft agreements that must satisfy due diligence. Second, the constant drum-beat of certifications cheapens the value of real academic preparation and provides a false impression of competence among so-called professionals. Certification training cannot substitute for the well-rounded education gained through four-year undergraduate degree or through graduate education. Industry certification, on the other hand, is job training. Whatever happened to on-the-job training provided by employers? IT professionals are now more often expected to get training before being hired. But this training remains time-sensitive. Just try marketing a Novell or Banyan certification these days.

Fri, Apr 17, 2009

A certification simply means that a person has an understanding of an area of study, and the propensity to learn that area of study. A professional in any industry, that has experience and certification, is better than a professional with no certification, or a professional with certification and no experience. If you are a professional go get the certification, it makes you a better professional, the opportunity to learn is always a good thing. Those with certification, and no experience, will gain that experience, but while doing so, the certification will make them a better professional from the education obtain through the certification process. Seems the only people that complain about certifications are the ones that don’t have any. There is no substitute for experience, and the person with the experience and the certification, will win over the person with just the experience.

Mon, Apr 13, 2009 Dassin Ordwell Midwest

The Commerce Department?? If farmers have trouble with egg yields maybe they should call the State Department... Department of Transportation should handle negotiations with China.You can't license initiative.
Until regulations apply to Generals like they do everyone else. You’re not plugging holes at the Pentagon.
Besides, there’s been more released by loose lipped Senators and Generals during press conferences than any other means. How about a speaking certification.

Thu, Apr 9, 2009 Paul Atlanta, GA

It is like going to best University in the World, if you don't continue to learn, you are not going good at whatever you are doung. First of, Security is dynamic area, it changes constantly, and rapidly. If there was a singly magic bullet, we would have done it long time ago. Certification gives you the fundamentals, you have to do the rest.

Thu, Apr 9, 2009 Contractor

Generic or specialized Security Certifications are a good measure of competence, and I respectfully disagree with the majority of the comments attached to this article that bash any security certification.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group