There’s a big, bold, complex and new cybersecurity framework in town, and it comes from a source that seldom gets described using the terms “bold” and “new” — though “big” and “complex” are its stock in trade. Yes, that’s right: I’m talking about the government of the United States, specifically the Computer Emergency Readiness Team (CERT, aka US-CERT) in the Department of Homeland Security. The name of this program is the National Initiative for Cybersecurity Careers and Studies (NICSS), and it’s designed as a massive source of information on cybersecurity for the general public, students and their teachers, cybersecurity professionals and managers, policymakers, veterans, and other folks, too.
While it provides general computer and Internet security information, including an interesting Cybersecurity How-To Guide, its most important aim is to provide information for those interested in studying the topic, and for those interested in pursuing a career in cybersecurity. The organization is in the process of assembling a training catalog that will combine pointers to academic, professional, vocational, and commercial training in cybersecurity, with a massive collection of information about cybersecurity-related work categories, with job roles and titles and KSA (Knowledge, Skills, and Abilities) inventories to go with them, all in the context of a Cybersecurity Workforce Framework. These are divided into the 6 categories shown in the following figure, further organized into 31 distinct specialty areas.
Ultimately, this mammoth collection of information will be indexed and organized by an “Education and Training Catalog Search” tool that will let interested site visitors find courses by any of the various ways of slicing and dicing coverage and content for various cybersecurity job roles. Right now, there’s only a dummied-up demo catalog to play with that lacks any real data. But even that is interesting to visit and play with, and there’s a lot to learn about how modern IT is organized and practiced by perusing the categories and specialties that the catalog (and other information silos on this website) covers.
To me, of course, the most interesting area in the site is the section on “Professional Certifications,” which currently features 26 different credentials (CISSP and SSCP are each listed twice for some reason but I only counted them once) out of a field of 120-130, as far as my most recent but still incomplete information security certification survey for 2013 goes. Here’s a compacted list of what’s mentioned:
|NICSS Table of Recognized Cybersecurity Certs|
|(ISC)² Certified Information Systems Security Professional||DRI Master Business Continuity Professional|
|(ISC)² Systems Security Certified Practitioner||Electronic Commerce (EC) Council Certified Ethical Hacker|
|(ISC)² Certification and Accreditation Professional||GIAC Certified Incident Handler|
|CERT Certified Computer Security Incident Handler||GIAC Information Security Fundamentals|
|Certified Hacking Forensic Investigator||GIAC Security Essentials Certification|
|Certified Expert Penetration Tester||GIAC Security Leadership Certification|
|Certified Wireless Security Professional||GIAC Systems and Network Auditor|
|CompTIA A+||ISACA Certified Information Security Manager|
|CompTIA Network+||ISACA Certified Information Systems Auditor|
|CompTIA Security+||Security Certified Program (SCP) Security Certified Network Professional|
|DRI Associate Business Continuity Professional||Security Certified Program (SCP) Security Certified Network Architect|
|DRI Certified Business Continuity Professional||Certified Hacking Forensic Investigator|
|DRI Certified Functional Continuity Professional||Certified Penetration Tester|
I don’t see too many surprises there (though given the DoD’s recognition of the CompTIA Advanced Security Practitioner, or CASP, just recently I do expect it to show up here sometime soon as well). I’ve had enough trouble getting solid, objective info on the Security Certified Program (SCP) credentials that I’ve kind of written them off; their appearance here with the SCNP and SCNA is surprising, and I’m also a little surprised to see that none of the Cisco security certs made the grade, even though CCNA and CCNP Security are on the same DoD cert list that CASP just joined recently (that DoD Information Assurance or IA registry is documented in the 8570.01-M Manual). But again where government agencies are concerned, I don’t necessarily expect them to be completely in synch with one another: the DHS is not part of the DoD, after all.