The measure would require the licensing and certification of people who provide cybersecurity services to agencies.
An ambitious bill introduced last week in the Senate aims to improve cybersecurity in federal government by laying new responsibilities on contractors in the areas of training, procurement and technical standards.
The measure, one of two cybersecurity bills that Sens. John Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduced last week, would require the licensing and certification of anyone providing cybersecurity services to a federal agency or information system or network designated as critical infrastructure. The Commerce Department would determine those requirements.
Some observers point out that many other professions require extensive licensing and certification.
Alan Paller, director of research at the SANS Institute, said it will be important to determine to whom the certification requirements should apply. For example, Paller said people with jobs that involve managing systems have large responsibilities for cybersecurity, even through they are not necessarily considered security professionals.
James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy program, said the certification proposal would require people to show they have the necessary training and knowledge. That would be part of what he sees as an ongoing effort to nudge the information technology industry to greater maturity.
The legislation would also call for the development of validation standards for software purchased by government. Lewis said reform in the procurement process is widely seen as a way to encourage better cybersecurity.
Experts, federal officials and industry remain fixated on the Obama administration’s ongoing 60-day cybersecurity review, which is expected to lead to a new cybersecurity strategy that involves government and the private sector.
John Stewart, chief security officer at Cisco Systems, said government and industry need to be mindful of the speed with which the IT industry changes.
“If we codify something that doesn’t have elasticity in it, or by the way gets highly prescriptive, what we’ll end up doing is solving a moment in time to a one degree and then not be able to adapt to the next moment,” Stewart said.