New Directive Could Redefine Cybersecurity Certification

Struggling with a chronic shortage of cyber security talent, the Defense Department is preparing to jettison its highly prescriptive approach to cyber certifications in favor of a new system based more on practical skills and less on book knowledge.

The change will replace DoD Directive 8570, which has defined baseline information assurance training and certification for more than a decade, with a new directive, DoD 8140, which emphasizes job skills and experience over rote certifications.

Other federal agencies are close behind. The Federal Cybersecurity Workforce Assessment Act, passed in January, requires all federal agencies to develop a cyber workforce assessment program based on the National Institute of Standards and Technology’s NICE initiative. NICE stands for the National Initiative for Cybersecurity Education, which breaks down security into seven categories of effort: security provision, operate and maintain, protect and defend, analyze, collect and operate, oversee and govern, and investigate.

The cyber shortage
The exact size of the government’s cyber talent shortfall is hard to measure. But industry watchers agree the talent gap is profound and worsening.

Some 60 percent of U.S. government IT leaders say they do not have enough cybersecurity personnel to meet the demands of their mission, according to (ISC)2’s 2015 Global Information Security Workforce Study. Respondents included 1,099 military and 727 civilian IT executives.

Human resources managers, chief information officers and chief information security officers say they face particular shortages of specialists certified in risk assessment, incident investigation and response and governance, risk management and compliance. Similar shortages extend to the private sector, where more than 209,000 U.S.-based cybersecurity jobs stood unfilled in March 2015, according to a Stanford University research project. Indeed, the shortage extends around the globe: Symantec CEO Michael Brown predicts the worldwide shortage will reach 1.5 million cyber professionals by 2019.

The shortage makes military-trained cyber professionals a fleeting asset. Civilian opportunities are so great – and often pay so well – that retention is a major challenge.

“We are not fully manned by any stretch of the imagination,” said Lt. Col. J. Kiley Weigle, 24th Air Force’s chief of operational training for exercises and weapons & tactics. The 24th Air Force is the service’s operational cyber force. “The demand still outweighs the supply.”

Certification Challenges
While experts try to hammer out details on the developing 8140 instruction, the existing 8570 standard remains in force, including requirements for certifications. And those certifications are not easy to come by.

“This is very challenging material, it’s very technical,” said Scott Cassity, senior director of Global Information Assurance Certification (GIAC) at SANS, a leading cyber certification developer. “It is just hard to find people who fit that profile. In a field that is this new, there simply are not that many people who have those skills and that experience.”

Along with SANS, other organizations that grant cyber certs are CompTIA, (ISC)2, ISACA, and EC-Council.

Certifications are expensive, as well, costing $650 to $1,100 just to sit for the exam. Yet demand is even greater for cyber fields than for other information technology jobs. The most recent report from Burning Glass found that 35 percent of cybersecurity jobs call for an industry certification, compared to 23 percent of IT jobs overall.

Janice Haith, deputy chief information officer for the Navy, said at a recent AFCEA meeting that one of the Navy’s biggest challenges is finding enough people with required certifications. The problem touches almost everything her office has to do, she said.

The hiring criteria apply to anyone in the DoD sphere who may have cyber responsibilities, including system administrators, computer repair technicians, information security managers and directors of information security organizations.

But some in the military community have expressed concerns about the use of these industry credentials as the fundamental yardstick of competency.

“You can sometimes get individuals who have multiple certifications, but that’s all they have — they cannot execute,” said Jimmy Clevenger, director of system security engineering for Marine Corps Systems Command. “Anyone can read a book and pass a test on it.”

Even leaders in the certification community acknowledge certs don’t always reflect real-world skills. “You can’t just lecture to people, throw them in a certification situation and hope for the best,” said Dr. James Stanger, senior director, products at CompTIA. “The only way you can really understand how to secure a wireless network is through hands-on activity. You do it by actual practice.”

Others have complained that 8570 doesn’t focus on the right skills. For example, the guidance does not include a cert for software programmers.

From 8570 to 8140
It is against this backdrop that the Department of Defense has been trying to bolster its cyber certification requirements – the Network+CE, SSCP and Security+CE, among others, for entry-level jobs and CISA, CISSP, CASP CE and CISM, among others, for more advanced jobs.

DoD 8570 breaks down cyber into five main categories and assigns specific certifications as indicators of competence in each:

  • Information Assurance Technician (IAT)
  • Information Assurance Manager (IAM)
  • Computer Network Defense (CND)
  • Information Assurance System Architecture & Engineering (IASAE)
  • Computing Environment (CE)

By contrast, NIST’s National Initiative for Cybersecurity Education (NICE) standard, the basis for both DoD Instruction 8140 and the Federal Cybersecurity Workforce Assessment Act signed into law in January, seeks to sort jobs and required skills into seven more narrowly defined categories:

  • Security provision: conceptualizes, designs and builds secure information technology systems, including aspects of systems development
  • Operate and maintain: provides support, administration and maintenance necessary to ensure effective and efficient IT system performance and security
  • Protect and defend: identifies, analyzes and mitigates against threats to internal IT systems or networks
  • Analyze: highly specialized review and evaluation of incoming cybersecurity information to determine intelligence usefulness
  • Collect and Operate: conducts denial and deception operations and collects cybersecurity information for intelligence
  • Oversee and govern: provides leadership, management, direction or development and advocacy so organizations may effectively conduct cybersecurity work
  • Investigate: investigates cyber events or crimes related to IT systems, networks and digital evidence

NICE’s goal is to create “more of a focus on work roles,” said NICE Director Rodney Petersen. “It’s a recognition that we need to move towards a more skills-based workforce.”

Instead of focusing on outside coursework and academic-style testing, he explained, “you are giving them hands-on testing and conducting performance-based assessments,” including lab work and real-world demonstrations.

Dan Waddell, Managing Director, North America Region and Director of U.S. Government Affairs for cyber certification and training specialist (ISC)2, said that prior to NICE, “the federal government had virtually no common language for discussing cybersecurity and the workforce.”

“Part of the challenge has been matching up the qualifications of cybersecurity candidates with the actual job requirements,” he said.

By breaking down jobs into categories and subcategories, NICE helps organizations better define cyber roles so that, enterprise wide, there’s a common understanding of skills and capabilities.

“It is meant to provide a comprehensive view of the ‘who’ and the ‘how’ you need to carry out that security element,” Petersen said. “Somewhere as part of your risk management plan, these types of roles and responsibilities should be accounted for.”

CompTIA’s Stanger says the NICE framework provides a bigger-picture view of how various cyber roles interact. “NICE categorizes things in a meaningful way, saying, ‘Here are all the different pieces you need to understand in regard to securing a network,’” he said. “You need to understand how each of these responsibilities at the security level works together.”

Rolling this out across the entire defense enterprise will take time. Even now, a year after its introduction, many cyber trainers and professionals say they are still waiting on further instruction on how to implement the new guideline. They note it took two years for DoD to formulate the 8570 manual a decade ago, and it will likewise take time to lay out specifics for 8140.

The Marine Corps’ Clevenger said the hiring managers in the meantime will employ a mix of methods to find qualified workers.

“I don’t think you’ll ever get away from certifications, nor do I think you should,” he said. “But there should be a balancing in validating that certification against a certain skill set.” A lab component, for example, could be valuable for evaluating potential hires, he explained: “We would ask them very technical questions, run them through scenarios to see what they would or wouldn’t do.”

New Certifications
Meanwhile, certifying bodies are already developing new certs to align with the new skills-driven hiring approach.

ISACA recently unveiled its Cyber Security Nexus Practitioner (CSXP) certification, a “performance-based” certification that tests a candidate’s skills in a live, virtual cyber-lab. “Right now there is a scramble among all the certifiers to do something that meets what the DoD is talking about” said Montana Williams, senior manager of Cybersecurity Practices at ISACA. “We will see a couple of different vendors come out with something in the next 18 months to compete with ISACA.”

CompTIA’s A+, Network+, Security+ and CompTIA Advanced Security Practitioner (CASP) certifications all include performance-based assessments. “The message to the industry is it is no longer just ‘click the check box’ or ‘memorize a couple of encryption algorithms,” Stanger said. “Now you are going to be presented with an actual security problem to analyze.”

Both ISACA and CompTIA are building their new hands-on programs around the NICE standards and definitions, angling to keep their credentialing programs relevant as critical hiring yardsticks, even in a skills-driven marketplace.

Indeed, that’s ultimately what military leaders say they want to see. “We see certification as a means to an end,” said the 24th Air Force’s Weigle. “It’s a secondary effect. I am looking for the skills we need to go forward.”

9 Comments

  1. Steve

    So by changing from 8570 to 8140 we’ll fix the “chronic shortage of cybersecurity talent”? I think not, but let’s start at the beginning.

    NIST is statutorily tasked under FISMA with establishing cybersecurity/Information Assurance Standards and Guidelines for the Federal government to comply with. The NICE Framework is just that, a framework from which subsequent standards will be developed. In this case, standards as they pertain to the cybersecurity workforce. NIST’s NICE framework establishes work roles, but NIST 800-16 defines the Knowledge and Skill (K&S) requirements for the work roles. The problem is that 800-16 has not been updated in years. The current (first revision) is on draft 3 and is dated March 2014 (attached). Updating and finalizing this document is the next step that will lead to standardized training plans. The training plan will connect training activities to K&S to work roles and allow the workforce to move laterally across government because all taxonomies, lexicons, and training would be standardized. The first part of that three-step effort was completed with establishment of the NICE Framework (which the DoD adopted, modified, and submitted changes to NICE 2.0).

    Implications to the Cybersecurity Workforce.

    First, the work roles established in the Framework need to be mapped to billets/career fields. Duty titles for officer, enlisted, civilian, and contractor billets need to be renamed in compliance with NIST guidance. Second, with work roles identified, JQS need to be created using K&S areas for each work role as identified in NIST 800-16. Those are the easy steps. Career fields must then map training tasks to work role K&S. Barring a NIST standard training plan/material, the Agencies will develop training plans based on what is known/exists. This process is, I believe, required before any new certification (reference the author’s claim that a potential change is in the offering) can be considered. Further, standardized training is key to certification as all individuals filling a work role will need to achieve certification based on established and common training. Based on the long timeline associated with fielding DoD 8570, DoD 8140, and NIST 800-16, I don’t foresee NIST establishing common training criteria in the near term, and I don’t see any change in IA certifications for some time to come.

  2. Steve

    A stronger argument could be made for a push for NIST to create a standardized training plan for each work role knowledge and skill now in order to increase the number of individuals in the cybersecurity workforce. Having NIST create a standardized training plan/material/test/certification will expedite implementation by the Government. The standardized products are rapidly adaptable and would increase workforce (i.e. manpower) production faster than waiting for each Federal Agency to develop their own non-standardized training plan.

  3. P. Lim

    The technical-practitioner-level Organizational Systems Security Analyst certification (http://ossa.securitystartshere.org) has had a performance-based certification exam PLUS negative marking for wrong answers since 2006 when everyone else was still using MCQ-based exams.
    Understandable that those in the US may not have heard of it because it is based in Singapore and is Asia-centric. You might want to add this to the list of certifications you mentioned in your article.

  4. Aynul Sehkz

    This is great news.
    Hopefully it’ll weed out the slackers, and people who “skate” by on the job.

    Companies that provide braindumps so government employees, useless contractors will hopefully go out of business.

    This is what our industry needs.
    Is more scenario / lab based exams.

    Not memorization of questions/answers via braindumps.
    Cybersecurity jobs need security/it managers doing lab/scenario based questions during interviews to weed out bullshitters.

    • Lamont R.

      It’s going to be much easier to memorize the requirements for a lab environment to pass certification than it would be even the MCQ. This is the reason why Microsoft Office exams are so easy to pass. Just learn what the specific requirements are and go pass the test – you don’t really require a deep understanding of the Office App at all.

  5. Catherine Halk

    There are several problems involved in industry certification of security. 1. The cost to the individual to take time off work for the test and the out-of-pocket expense. 2. The exam does not test knowledge… it tests “the best answer” based on book knowledge… not the most likely or right answer, as there is often more than one. 3. In my opinion, it causes the individual to support a singular source for accreditation… which is not normally associated with free trade as most acquisition contracts require. 4. It also puts additional requirements on the individual to maintain that certification with no equal remuneration on the part of the employer or specialty pay to defray those costs to the employee. Having retired from the government, my civilian equivalent pay for the requirements of my government job is vastly unbalanced, even when comparing non-monetary rewards such as retirement and time off. The cost to the government to pay contract help as opposed to in-house technicians is also a concern. This business model needs to be researched closely.

  6. Dallas Stephens

    So let’s keep it simple. Anyone, especially kids, can learn from the Internet the same things they can learn in colleges, technical schools/workshops. As time continues, there is a natural adaptation kids adjust to in complex technological environments. This dominates the skillset of their predecessors. So why would an 18 or 19 year old, young man or woman graduating high school, already having 10,000+ hours coding or practicing their cyber craft, need a certificate or degree when they can already outperform the instructors? The DoD shouldn’t hold the civilians’ feet to the fire when it comes to formal education if they have the chops. Especially when you consider the unemployment rates of our youth, who ask for nothing more than to live a simple and normal life rooted in a spirit of national pride, giving, servitude and who are pure of heart. Good for the DoD! Hopefully they find the talent they want. Best of luck to them!

    • joe

      Just because these kids have the skills, they still lack tempered maturity. Would you allow them access to classified materials just because they know how to hack into their neighbor’s wireless router? I’d tread carefully with this one.
