New Directive Could Redefine Cybersecurity Certification
Struggling with a chronic shortage of cyber security talent, the Defense Department is preparing to jettison its highly prescriptive approach to cyber certifications in favor of a new system based more on practical skills and less on book knowledge.
The change will replace DoD Directive 8570, which has defined baseline information assurance training and certification for more than a decade, with a new directive, DoD 8140, which emphasizes job skills and experience over rote certifications.
Other federal agencies are close behind. The Federal Cybersecurity Workforce Assessment Act, passed in January, requires all federal agencies to develop a cyber workforce assessment program based on the National Institute of Standards and Technology’s NICE initiative. NICE stands for the National Initiative for Cybersecurity Education, which breaks down security work into seven categories: security provision; operate and maintain; protect and defend; analyze; collect and operate; oversee and govern; and investigate.
The cyber shortage
The exact size of the government’s cyber talent shortfall is hard to measure. But industry watchers agree the talent gap is profound and worsening.
Some 60 percent of U.S. government IT leaders say they do not have enough cybersecurity personnel to meet the demands of their mission, according to (ISC)2’s 2015 Global Information Security Workforce Study. Respondents included 1,099 military and 727 civilian IT executives.
Human resources managers, chief information officers and chief information security officers say they face particular shortages of specialists certified in risk assessment; incident investigation and response; and governance, risk management and compliance. Similar shortages extend to the private sector, where more than 209,000 U.S.-based cybersecurity jobs stood unfilled in March 2015, according to a Stanford University research project. Indeed, the shortage extends around the globe: Symantec CEO Michael Brown predicts the worldwide shortage will reach 1.5 million cyber professionals by 2019.
The shortage makes military-trained cyber professionals a fleeting asset. Civilian opportunities are so great – and often pay so well – that retention is a major challenge.
“We are not fully manned by any stretch of the imagination,” said Lt. Col. J. Kiley Weigle, 24th Air Force’s chief of operational training for exercises and weapons & tactics. The 24th Air Force is the service’s operational cyber force. “The demand still outweighs the supply.”
While experts try to hammer out details on the developing 8140 instruction, the existing 8570 standard remains in force, including requirements for certifications. And those certifications are not easy to come by.
“This is very challenging material, it’s very technical,” said Scott Cassity, senior director of Global Information Assurance Certification (GIAC) at SANS, a leading cyber certification developer. “It is just hard to find people who fit that profile. In a field that is this new, there simply are not that many people who have those skills and that experience.”
Along with SANS, other organizations that grant cyber certs are CompTIA, (ISC)2, ISACA, and EC-Council.
Certifications are expensive, as well, costing $650 to $1,100 just to sit for the exam. Yet demand for them is even greater in cyber fields than in other information technology jobs. The most recent report from Burning Glass found that 35 percent of cybersecurity jobs call for an industry certification, compared to 23 percent of IT jobs overall.
Janice Haith, deputy chief information officer for the Navy, said at a recent AFCEA meeting that one of the Navy’s biggest challenges is finding enough people with required certifications. The problem touches almost everything her office has to do, she said.
The hiring criteria apply to anyone in the DoD sphere who may have cyber responsibilities, including system administrators, computer repair technicians, information security managers and directors of information security organizations.
But some in the military community have expressed concerns about the use of these industry credentials as the fundamental yardstick of competency.
“You can sometimes get individuals who have multiple certifications, but that’s all they have — they cannot execute,” said Jimmy Clevenger, director of system security engineering for Marine Corps Systems Command. “Anyone can read a book and pass a test on it.”
Even leaders in the certification community acknowledge certs don’t always reflect real-world skills. “You can’t just lecture to people, throw them in a certification situation and hope for the best,” said Dr. James Stanger, senior director, products at CompTIA. “The only way you can really understand how to secure a wireless network is through hands-on activity. You do it by actual practice.”
Others have complained that 8570 doesn’t focus on the right skills. For example, the guidance does not include a cert for software programmers.
From 8570 to 8140
It is against this backdrop that the Department of Defense has been trying to bolster its cyber certification requirements, which under 8570 include the Network+CE, SSCP and Security+CE, among others, for entry-level jobs and CISA, CISSP, CASP CE and CISM, among others, for more advanced jobs.
DoD 8570 breaks down cyber into five main categories and assigns specific certifications as indicators of competence in each:
- Information Assurance Technician (IAT)
- Information Assurance Manager (IAM)
- Computer Network Defense (CND)
- Information Assurance System Architecture & Engineering (IASAE)
- Computing Environment (CE).
By contrast, NIST’s National Initiative for Cybersecurity Education (NICE) standard, the basis for both DoD Instruction 8140 and the Federal Cybersecurity Workforce Assessment Act signed into law in January, seeks to sort jobs and required skills into seven more narrowly defined categories:
- Security provision: conceptualizes, designs and builds secure information technology systems, including aspects of systems development
- Operate and maintain: provides support, administration and maintenance necessary to ensure effective and efficient IT system performance and security
- Protect and defend: identifies, analyzes and mitigates against threats to internal IT systems or networks
- Analyze: highly specialized review and evaluation of incoming cybersecurity information to determine intelligence usefulness
- Collect and operate: conducts denial and deception operations and collects cybersecurity information for intelligence
- Oversee and govern: provides leadership, management, direction or development and advocacy so organizations may effectively conduct cybersecurity work
- Investigate: investigates cyber events or crimes related to IT systems, networks and digital evidence
NICE’s goal is to create “more of a focus on work roles,” said NICE Director Rodney Petersen. “It’s a recognition that we need to move towards a more skills-based workforce.”
Instead of focusing on outside coursework and academic-style testing, he explained, “you are giving them hands-on testing and conducting performance-based assessments,” including lab work and real-world demonstrations.
Dan Waddell, Managing Director, North America Region, and Director of U.S. Government Affairs for cyber certification and training specialist (ISC)2, said that prior to NICE, “the federal government had virtually no common language for discussing cybersecurity and the workforce.”
“Part of the challenge has been matching up the qualifications of cybersecurity candidates with the actual job requirements,” he said.
By breaking down jobs into categories and subcategories, NICE helps organizations better define cyber roles so that, enterprise wide, there’s a common understanding of skills and capabilities.
“It is meant to provide a comprehensive view of the ‘who’ and the ‘how’ you need to carry out that security element,” Petersen said. “Somewhere as part of your risk management plan, these types of roles and responsibilities should be accounted for.”
CompTIA’s Stanger says the NICE framework provides a bigger-picture view of how various cyber roles interact. “NICE categorizes things in a meaningful way, saying, ‘Here are all the different pieces you need to understand in regard to securing a network,’” he said. “You need to understand how each of these responsibilities at the security level works together.”
Rolling this out across the entire defense enterprise will take time. Even now, a year after its introduction, many cyber trainers and professionals say they are still waiting on further instruction on how to implement the new guideline. They note it took two years for DoD to formulate the 8570 manual a decade ago, and it will likewise take time to lay out specifics for 8140.
The Marine Corps’ Clevenger said the hiring managers in the meantime will employ a mix of methods to find qualified workers.
“I don’t think you’ll ever get away from certifications, nor do I think you should,” he said. “But there should be a balancing in validating that certification against a certain skill set.” A lab component, for example, could be valuable for evaluating potential hires, he explained: “We would ask them very technical questions, run them through scenarios to see what they would or wouldn’t do.”
Meanwhile, certifying bodies are already developing new certs to align with the new skills-driven hiring approach.
ISACA recently unveiled its Cyber Security Nexus Practitioner (CSXP) certification, a “performance-based” certification that tests a candidate’s skills in a live, virtual cyber-lab. “Right now there is a scramble among all the certifiers to do something that meets what the DoD is talking about,” said Montana Williams, senior manager of Cybersecurity Practices at ISACA. “We will see a couple of different vendors come out with something in the next 18 months to compete with ISACA.”
CompTIA’s A+, Network+, Security+ and CompTIA Advanced Security Practitioner (CASP) certifications all include performance-based assessments. “The message to the industry is it is no longer just ‘click the check box’ or ‘memorize a couple of encryption algorithms,’” Stanger said. “Now you are going to be presented with an actual security problem to analyze.”
Both ISACA and CompTIA are building their new hands-on programs around the NICE standards and definitions, angling to keep their credentialing programs relevant as critical hiring yardsticks, even in a skills-driven marketplace.
Indeed, that’s ultimately what military leaders say they want to see. “We see certification as a means to an end,” said the 24th Air Force’s Weigle. “It’s a secondary effect. I am looking for the skills we need to go forward.”