recommended reading

Panel to recommend certifications for cybersecurity workforce

A commission established to advise the Obama administration on cybersecurity issues will release a report with recommendations for establishing a more skilled, abundant cyber workforce in federal government through a certification process.

The Commission on Cybersecurity for the 44th Presidency, which the Center for Strategic and International Studies created in October 2007, is finalizing a draft report on ways to expand the pool of qualified job candidates. The recommendations also will ensure federal employees and contractors receive the ongoing training needed to effectively protect computer networks and systems.

"We're recommending that this be a continuous learning and demonstration of skill," said Karen Evans, commission member and former administrator for e-government and information technology at the Office of Management and Budget. Evans, who spoke at the Digital Government Institute's Cybersecurity Conference and Expo on Thursday, also is leading the U.S. Cyber Challenge, which is a nationwide talent search and training program designed to identify 10,000 young Americans qualified to fill cybersecurity positions in and outside government.

The administration should define a core set of skills cybersecurity workers must possess, Evans said, and encourage individuals to build upon those core talents in specialized areas that more closely match their responsibilities. For example, employees could focus on offense to weed out potential threats before they penetrate the computer networks and systems, or defense to minimize vulnerabilities and make cyberattacks more difficult. Training should extend beyond the cyberwarriors hired specifically to prevent attacks, Evans noted, to include the network operators, who need to balance security with performance, and developers, who should bake security into software applications from the start.

Among the report's primary recommendations is for the administration to establish an independent certifying body that would develop standards to test cybersecurity skills and create career paths based upon those certifications. Federal agencies also could require contractors providing products and services to meet the same certification requirements.

"This is not just about creating a standard for those on the federal payroll, but using the certification to ensure those selling to government are held to that same standard," said Frank Reeder, commission member and former director of the White House Office of Administration. The certifying body would play the same role for cybersecurity that the National Board of Medical Examiners plays for health care, he added.

But driving certification requirements is not government's job, said an Air Force employee attending the conference.

"Government doesn't train doctors and lawyers -- they hire them," he said. "Why should government pay for [cybersecurity] certifications, and why should I take another exam to prove I know what I know? It seems [this is] making it more hard for talent to come in."

Both Reeder and Evans noted the goal of a certification process would be to leverage talent and training, not start over.

"There's nothing that suggests the federal government create a training machine," Reeder said. "But [Veterans Affairs Department] hospitals expect physicians to meet certain levels of training and, where applicable, have certifications and licenses to practice; that's the model."

He said he hopes the certifications would mature to the point where a licensing process could be established, but that's still a long way off.

"Licensing specifically involves the state using its authority to state 'You must not do X unless you meet a certain standard,' " Reeder said. "At this point, while that may be a vision or pipedream, we're not there yet."

In addition, the report will recommend that the administration classify cyber roles that require targeted education and training, and require academic institutions that receive federal funding for cybersecurity programs to revamp the curriculum to address those defined skill sets.

Threatwatch Alert

Network intrusion / Stolen credentials

85M User Accounts Compromised from Video-sharing Site Dailymotion

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.