> Highly unlikely that 3 years is sufficient time to devise a certification,
No big deal; they could just adopt the CISSP/GIAC cert without modification as an interim step. Existing certs are already being used in some court cases: http://www.wisbar.org/AM/Template.cfm?Section=Home&TEMPLATE=/CM/ContentDisplay.cfm&CONTENTID=70438 > Unintended consequences - will this encourage the head of an agency to > instead say "screw it" and *not* use any cybersecurity services? Not likely. Corporate Officers must already make decisions that meet a wide range of existing "reasonable man" tests with respect to security. This is not the only law/regulation in existence. David