The U.S. Department of Defense (DoD) will require 80,000 of its information assurance personnel to be certified within the next three years, according to its 8570.01-M “Information Assurance Workforce Improvement Program” manual. The 13 mandated credentials include offerings from ISACA, (ISC)², CompTIA and the SANS Institute.
The DoD’s information assurance professionals are divided into two functional categories—information assurance technical (IAT) and information assurance managerial (IAM)—that are in turn divided into three skill levels, making for six classifications altogether. “They have organized it by job responsibility,” said Everett Johnson, CPA, the international president of ISACA and a retired partner of Deloitte & Touche. “It’s an excellent move to professionalize people who are working in security and all information-assurance-type functions. It seems pretty clear from what I’ve seen that the people who have certain sensitive job functions aren’t going to be able to continue doing those functions until they get certifications.”
Because the DoD decides who will take a certification, what they’ll take and when they’ll take it, the funding of its employees’ credentialing efforts will come wholly from the department, DoD officials said. The sheer number of personnel that will be required to attain certifications might actually impact the operations of some of the credentialing programs involved, Johnson said. “For all the certifications on the list, it should increase the numbers quite dramatically. I don’t know how that 80,000 breaks down in terms of how many are managers and how many are in the technical positions, but we give the exams twice a year, and we’ve had discussions about gearing up to give them much more frequently, like once a month or so in the initial ramp-up stage.”
Johnson also speculated that other government departments and agencies would put similar mandates in place if the DoD showed dramatic improvements in information assurance as a result of the program. “Once the DoD does this, there’s the possibility that other agencies might do the same thing,” he said. “I think that in any organization when you make the investment to upgrade the skills and capabilities of your people, you get improved performance. I would assume that this is one of their objectives.”
He added that this initiative demonstrated how far IT certifications have come over the years since they were first introduced to the industry. “If you look at the CISA certification when it first came out, it was something that the people thought it would just be nice to have. It’s really evolved. It’s a requirement for some employers in getting hired or promoted. I think it’s become an independent benchmark. You’ll see companies that will say, ‘Our whole security staff has certifications.’”