Wow, just when you thought big government was someone else's problem

Michael Barker mbarker at cyrusnetworks.com
Sun Apr 5 16:58:50 UTC 2009


Seems like they're following up on Department of Defense Directive 8570.01, whereby all Information Assurance personnel (that being defined as anyone with privileged access) are required to be certified.

Full policy manual is here.
http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf


-----Original Message-----
From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu] 
Sent: Sunday, April 05, 2009 4:13 AM
To: Suresh Ramasubramanian
Cc: nanog at nanog.org; Jeff Young
Subject: Re: Wow, just when you thought big government was someone else's problem

On Sat, 04 Apr 2009 16:16:24 +0530, Suresh Ramasubramanian said:

> Do you by any chance get to go work on sensitive government networks 
> without, say, a security clearance?

What the draft actually says:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING. - Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

A few thoughts:

1) Somebody's going to make a mint of money doing certification testing.

2) Somebody's network is going to be left flapping in the breeze because their provider didn't get certified in time.

3) It's interesting that "providers of cybersecurity services" have to be licensed, although others who do security-relevant work on the system/net don't have to be - nor do they define what a "provider of cybersecurity services" is.

So - quick show of hands: If you have a net that this applies to, do you know which of your engineers do/don't need a cert? ;)



