Panel to recommend certifications for cybersecurity workforce

New report from nonpartisan commission will suggest the federal government establish a certifying body to test skills of potential hires.

A commission established to advise the Obama administration on cybersecurity issues will release a report with recommendations for establishing a more skilled, abundant cyber workforce in federal government through a certification process.

The Commission on Cybersecurity for the 44th Presidency, which the Center for Strategic and International Studies created in October 2007, is finalizing a draft report on ways to expand the pool of qualified job candidates. The recommendations also will ensure federal employees and contractors receive the ongoing training needed to effectively protect computer networks and systems.

"We're recommending that this be a continuous learning and demonstration of skill," said Karen Evans, commission member and former administrator for e-government and information technology at the Office of Management and Budget. Evans, who spoke at the Digital Government Institute's Cybersecurity Conference and Expo on Thursday, also is leading the U.S. Cyber Challenge, which is a nationwide talent search and training program designed to identify 10,000 young Americans qualified to fill cybersecurity positions in and outside government.

The administration should define a core set of skills cybersecurity workers must possess, Evans said, and encourage individuals to build upon those core talents in specialized areas that more closely match their responsibilities. For example, employees could focus on offense to weed out potential threats before they penetrate the computer networks and systems, or defense to minimize vulnerabilities and make cyberattacks more difficult. Training should extend beyond the cyberwarriors hired specifically to prevent attacks, Evans noted, to include the network operators, who need to balance security with performance, and developers, who should bake security into software applications from the start.

Among the report's primary recommendations is for the administration to establish an independent certifying body that would develop standards to test cybersecurity skills and create career paths based upon those certifications. Federal agencies also could require contractors providing products and services to meet the same certification requirements.

"This is not just about creating a standard for those on the federal payroll, but using the certification to ensure those selling to government are held to that same standard," said Frank Reeder, commission member and former director of the White House Office of Administration. The certifying body would play the same role for cybersecurity that the National Board of Medical Examiners plays for health care, he added.

But driving certification requirements is not government's job, said an Air Force employee attending the conference.

"Government doesn't train doctors and lawyers -- they hire them," he said. "Why should government pay for [cybersecurity] certifications, and why should I take another exam to prove I know what I know? It seems [this is] making it more hard for talent to come in."

Both Reeder and Evans noted the goal of a certification process would be to leverage talent and training, not start over.

"There's nothing that suggests the federal government create a training machine," Reeder said. "But [Veterans Affairs Department] hospitals expect physicians to meet certain levels of training and, where applicable, have certifications and licenses to practice; that's the model."

He said he hopes the certifications would mature to the point where a licensing process could be established, but that's still a long way off.

"Licensing specifically involves the state using its authority to state 'You must not do X unless you meet a certain standard,' " Reeder said. "At this point, while that may be a vision or pipedream, we're not there yet."

In addition, the report will recommend that the administration classify cyber roles that require targeted education and training, and require academic institutions that receive federal funding for cybersecurity programs to revamp the curriculum to address those defined skill sets.