Wanted: Information assurance-savvy people

DOD is poised to push a new training and certification program to all military services and civilian departments.

Information assurance has been an issue simmering at military and civilian agencies for some time, but the Defense Department finally pushed it to the front burner when it issued a manual last December establishing a program to improve its IA workforce.

That manual also highlighted the difficulty of raising government standards.

DOD’s first and most important requirements will be to train and certify the people responsible for IA. That includes people directly responsible for information technology systems and those for whom IA is an additional or embedded duty.

It will be the first time that DOD has approached IA training and certification as a departmentwide endeavor involving all services and agencies and all military and civilian employees and contractors.

DOD plans to train and certify a workforce of at least 80,000 people in the next four years. Robert Lentz, DOD’s director of IA, said the purpose is to create a cadre of IA professionals that fit the military’s evolving strategy of network-centric warfare and imbue them with the pride that characterizes the military services.

“For so long we have seen how the pride of groups such as pilots in the Air Force has driven their discipline and training, and the same is true for parts of the Navy when it comes to certification programs,” he said. “You see that kind of mind-set in place all across the DOD, and now, with the [transition to] net-centric operations, we want to get to that same point of pride that a core of certified IA professionals has in keeping the network always up and running.”

DOD’s success with IA training and certification could have wider implications, said Jim Flyzik, president of the Flyzik Group, a consulting firm. If successful, DOD’s approach would probably be adopted in other areas of government, he said.

“It is a subject that all leaders in government have realized for some time as a priority, but they haven’t had the resources to deal with it,” Flyzik said. A former CIO at the Treasury Department, Flyzik was also an adviser in the White House Office of Homeland Security. He is chairman of the IT Association of America’s Homeland Security Committee.

“The effort by the DOD is important because it is trying to get in front of the problem and be more proactive, whereas it and others in government have been reactive in the past,” Flyzik said. Previous attempts to tackle IA have been “piecemeal and Band-Aid approaches,” he said. DOD’s new program represents the first holistic attack on the problem.

The Navy has begun a program to implement DOD’s Directive 8570.1 on IA workforce training, issued in November 2004. Last December’s manual is based on that directive.

The Navy’s IA Workforce Working Group designed a program for IA training and certification that mixes classroom training and testing, laboratory simulations of IA weaknesses, refresher courses and on-the-job training. That program won a DOD 2005 Leadership Award and could be a template as the rest of DOD tackles the training issue.

Before adopting the current enterprisewide approach to IA training, the Navy trained many IA-savvy people worldwide, said Capt. Kevin Hooley, commanding officer at the Center for Information Dominance at the Navy’s Corry Station in Pensacola, Fla. But each IT enclave tended to set up training according to its own needs.

“In reality,” he said, “having many schemes like that was almost as bad as having none at all.” If a weakness exists anywhere, he said, it can affect the entire Navy, because flaws usually leave their original enclave and move to other sites.

The new IA program is a revamped approach to solving the problem, Hooley said. The DOD manual describes two categories of IA employees: technical and management. Each category is subdivided into three levels based on functional skills and the IT systems environments in which they operate. In some instances, the skills requirement might span several levels, in which case the person will be certified at the highest functional level.

Individuals who work in both categories must be certified for those functions they perform in each category.

DOD has outlined a spectrum of required training for each category and skill level. It includes formal classroom training and testing, on-the-job training and continuing education — some of it via online instruction.

DOD has most of the infrastructure necessary to provide such training, and some aspects of it are familiar to most DOD employees who take training courses. The biggest change for IA professionals, however, is the switch to commercial certifications whose issuers are accredited against the International Organization for Standardization’s criteria for personnel certification bodies (ISO/IEC 17024).

Any certifications that DOD awarded in the past have been geared to specific requirements of each service — and, more specifically, to the requirements of individual commands. The new certifications reflect the need stated in the DOD manual that employees “demonstrate portability throughout the Department of Defense, federal government and private sector.”

Five private organizations provide the certifications: the Computing Technology Industry Association, the International Information Systems Security Certification Consortium ((ISC)2), the Information Systems Audit and Control Association, SecurityCertified.Net and the SANS Institute.

Given the time constraints and number of people who must complete the training and accreditation courses, it’s a very ambitious program, said Lynn McNulty, director of government affairs at (ISC)2, who is a former associate director for computer security at the National Institute of Standards and Technology.

(ISC)2 has a challenge to increase its operations to meet the needs of a global workforce that is mobile and includes foreign employees, he said.

Another challenge will be to manage the inevitable failures. “It’s a challenge to us because over the years we’ve dealt with training the civilian government and private industry workforce, and you learn to expect that a number of people will not pass,” McNulty said. “With DOD, if people don’t pass, then they have someone who can’t be involved in the work they need them to do, and sometimes that can be very important work.”

That dilemma has led (ISC)2 to re-examine some of its training and preparation material, with an idea to pre-test IA candidates so DOD can discourage people from taking the exam who might have difficulty passing it, McNulty said.

Some certification organizations have policies that accommodate DOD’s requirements. SecurityCertified.Net, for example, allows a person to retake an exam at any time following a failure, but it requires at least a one-month interval before a third attempt.

The company “will not be changing this policy for DOD personnel,” said Warren Peterson, president and chief executive officer of Ascendant Learning, which created the SecurityCertified.Net program.

The IA training and accreditation implementation program is still at an early stage, and nothing is cast in stone, Lentz said. “This is not a science where we can be fixated about where we need to go,” he said. “If we have to change our certification requirements in order to move more aggressively in some way, then we will do that.”

The initial goal, in which Lentz said he strongly believes, is to establish some baseline certifications that will apply to DOD’s entire IA workforce. “Everyone needs to be talking the same language to begin with,” he said. Under the new program, IA employees will have a certification that is recognized wherever they go in the military.

Military commands can add their own training and certifications, Lentz said. DOD’s intention in creating the IA program is to train a top tier of 10,000 core IA employees in the program’s first year. Those employees will help further publicize the program.

After being initially certified, IA employees must spend 40 hours each year in training and testing to remain certified. “We don’t expect any of this to be simple or easy,” Lentz said. “In my view, this is the biggest cultural shift in DOD IT and security there’s ever been.”

**********

Certification vs. experience

Many people welcome the Defense Department’s enterprisewide approach to information assurance training and certification, but not everyone agrees that it will produce the desired results.

Alan Paller, director of research at the SANS Institute, said DOD should have no problem meeting its initial target of 80,000-plus employees trained and accredited in information assurance. But he doesn’t think the baseline certification that DOD requires will produce a workforce capable of securing the military’s systems.

“The problem is that the bulk of the certifications don’t teach people how to do security,” Paller said. “Certified people will be able to talk about security, but they won’t know how to do it — to actually encrypt data and do the necessary work.”

Instead, DOD needs a way to evaluate actual information assurance work, Paller said. That requires hands-on training and scenario-based testing, he added.

Devising programs that test specific attributes and skills is a challenge that the information technology certification industry has grappled with almost since the beginning, said Warren Peterson, president and chief executive officer of Ascendant Learning.

“No one that I know of will claim that a certification is designed to replace experience,” he said. “Rather, certifications are designed to verify and identify skills and experience.”

Robert Lentz, DOD’s director of information assurance, said he respects Paller’s opinion but is not worried that the program is headed in the wrong direction. The important thing is to get baseline certifications awarded and then work from there, Lentz said.

— Brian Robinson
