[117070] in North American Network Operators' Group


Re: Ready to get your federal computer license?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Aug 31 15:25:44 2009

To: "Sachs, Marcus Hans (Marc)" <marcus.sachs@verizon.com>
In-Reply-To: Your message of "Mon, 31 Aug 2009 14:06:56 EDT."
	<81D582C724CA1046A279A7EE1299638B01D35828@FHDP1LUMXCV24.us.one.verizon.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 31 Aug 2009 15:24:56 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said:

>  (d) CERTIFICATION.-Beginning 3 years after the date of enactment of
> this Act, it shall be unlawful for an individual who is not certified
> under the program to represent himself or herself as a cybersecurity
> professional.

Highly unlikely that 3 years is sufficient time to devise a certification,
a testing program, and get enough people certified.  5 years would be much
more reasonable.

It will probably take over a year just to thrash out what a "certification" is.
Consider the vast difference in scope and depth between a CISSP and one of
the GIAC certs. (Ghod forbid somebody suggest something rational like "upper
managers need a CISSP-ish cert and line employees need a relevant GIAC-ish
cert." :)

>  (e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any
> provision of law to the contrary, the head of a Federal agency may not
> use, or permit the use of, cybersecurity services for that agency that
> are not managed by a cybersecurity professional who is certified under
> the program.

Unintended consequences - will this encourage the head of an agency to
instead say "screw it" and *not* use any cybersecurity services?

> A question for the NANOG community - if this section were to only apply
> to US government employees would it be acceptable?  In other words,
> strike any reference to the private sector (except perhaps for those in
> the private sector who are under contract to perform government work.)

Limiting it to "US government agencies, employees, and contractors" would
certainly trim out about 95% of the contentious areas.  But it still leaves
me, personally, on the hot seat - am I on the hook because I'm responsible
for research data that's NSF-funded? ;)

