On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said:
> (d) CERTIFICATION.-Beginning 3 years after the date of enactment of
> this Act, it shall be unlawful for an individual who is not certified
> under the program to represent himself or herself as a cybersecurity
> professional.

Highly unlikely that 3 years is sufficient time to devise a certification, a testing program, and get enough people certified. 5 years would be much more reasonable. It will probably take over a year just to thrash out what a "certification" is. Consider the vast difference in scope and depth between a CISSP and one of the GIAC certs. (Ghod forbid somebody suggest something rational like "upper managers need a CISSP-ish cert and line employees need a relevant GIAC-ish cert". :)

> (e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any
> provision of law to the contrary, the head of a Federal agency may not
> use, or permit the use of, cybersecurity services for that agency that
> are not managed by a cybersecurity professional who is certified under
> the program.

Unintended consequences - will this encourage the head of an agency to instead say "screw it" and *not* use any cybersecurity services?

> A question for the NANOG community - if this section were to only apply
> to US government employees would it be acceptable? In other words,
> strike any reference to the private sector (except perhaps for those in
> the private sector who are under contract to perform government work.)

Limiting it to "US government agencies, employees, and contractors" would certainly trim out about 95% of the contentious areas. But it still leaves me, personally, on the hot seat - am I on the hook because I'm responsible for research data that's NSF-funded? ;)