Lewis HumanCapital WEB BlkWhteVersion

A Human Capital Crisis in
Cybersecurity
Technical Proficiency Matters
CSIS CENTER FOR STRATEGIC &
INTERNATIONAL STUDIES
A White Paper of the
CSIS Commission on Cybersecurity for the 44th Presidency
1800 K Street, NW | Washington, DC 20006

Tel: (202) 887-0200 | Fax: (202) 775-3199 cochairs
E-mail: books@csis.org | Web: www.csis.org
Representative James R. Langevin
Representative Michael T. McCaul
Scott Charney
Lt. General Harry Raduege,
USAF (ret.)
project director
James A. Lewis
July 2010

Cybersecurity
cochairs
Scott Charney
USAF (ret.)
project director
James A. Lewis
July 2010
About CSIS
In an era of ever-changing global opportunities and challenges, the Center for
Strategic and International Studies (CSIS) provides strategic insights and practical
policy solutions to decision makers. CSIS conducts research and analysis and
develops policy initiatives that look into the future and anticipate change.
Founded by David M. Abshire and Admiral Arleigh Burke at the height of the Cold
War, CSIS was dedicated to the simple but urgent goal of finding ways for America to
survive as a nation and prosper as a people. Since 1962, CSIS has grown to become
one of the world’s preeminent policy institutions.
Today, CSIS is a bipartisan, nonprofit organization headquartered in Washington,

DC. More than 220 full-time staff and a large network of affiliated scholars focus
their expertise on defense and security; on the world’s regions and the unique
challenges inherent to them; and on the issues that know no boundary in an
increasingly connected world.
Former U.S. Senator Sam Nunn became Chairman of the CSIS Board of Trustees in
1999, and John J. Hamre has led CSIS as its President and Chief Executive Officer
since 2000.
CSIS does not take specific policy positions; accordingly, all views expressed herein
should be understood to be solely those of the authors.
©2010 by Center for Strategic and International Studies
Washington, DC
All rights reserved.
1800 K Street, NW
Washington, DC 20006
202.775.3175
TABLE OF CONTENTS
Executive Summary ............................................................................................................................... 1
A Human Capital Crisis in Cybersecurity - Technical Proficiency Matters....................... 5
Vision for the Future Cybersecurity Workforce ......................................................................10
Current Efforts .......................................................................................................................11
Other Efforts That Could Make a Big Difference .......................................................14
Next Steps: Recommendations ......................................................................................................18
Recommended Action Plan ................................................................................................20
Long Term Recommendations .........................................................................................22
Governance ................................................................................................................22
Analysis of Alternatives .......................................................................................22
Summary Assessment ...........................................................................................25
Conclusion ..............................................................................................................................................25
Appendix A Federal CIO Council Documents:
1. Federal Information Security Workforce Development
Matrix: Roles Identification, Definitions and Prioritization
dated April 21, 2009 ............................................................................................ 26
2. Information Security Workforce Development Matrix (DRAFT):
Systems Operations and Maintenance Professional .............................. 28
3. Information Security Workforce Development Matrix
(DRAFT): Chief Information Security Officer ............................................ 29
4. US Cyber Command: Memorandum for Secretaries of the Military
Departments, dated June 23, 2009; SUBJECT: Establishment of a
Subordinate Unified U.S. Cyber Command Under U.S. Strategic
Command for Military Cyberspace Operations ........................................ 30
Appendix B Taxonomy of Cybersecurity Roles ......................................................................... 33
Appendix C Draft Definition for Potential Legislation ........................................................... 46
Appendix D Cybersecurity Workforce Action Plan ................................................................ 47
Appendix E Acknowledgements ...................................................................................................... 48
EXECUTIVE SUMMARY
Crisis in Cybersecurity
“The cyber threat to the United States affects all aspects of society, business,
and government, but there is neither a broad cadre of cyber experts nor an
established cyber career field to build upon, particularly within the Federal
government.” 1
Evidence continues to build showing our information infrastructure is vulnerable to threats

not just from nation states but also from individuals and small groups who seek to do us
harm or who wish to exploit our weaknesses for personal gain.
Where we are
The nation and the world are now critically dependent on the cyber infrastructure that
is vulnerable to threats and often under attack in the most real sense of the word.
Military and nuclear energy systems are under continuous attack,

experiencing large losses. For at least the past six years the US
Department of Defense, nuclear laboratory sites and other sensitive US
civilian government sites have been deeply penetrated, multiple times,
by other nation-states. “China has downloaded 10 to 20 terabytes of
data from the NIPRNet (the sensitive, but unclassified US military
network). There is a nation-state threat by the Chinese.” (Maj. Gen.
William Lord, Director of Information, Services and Integration in the
Air Force’s Office of Warfighting Integration and Chief Information
Officer, 8/21/06 Government Computer News, “Red Storm Rising”)
Terrorists and organized crime groups are actively exploiting weak US

security and extorting money used for criminal purposes and to buy
terrorist bombs. In October 2008, for example, Express Scripts, one of
the nation’s largest processors of pharmacy prescriptions, reported
extortionists had threatened to disclose personal and medical
information on millions of Americans if the company failed to meet
payment demands.
A critical element of a robust cybersecurity strategy is having the right people at

every level to identify, build and staff the defenses and responses. And that is, by
many accounts, the area where we are the weakest.
“There are about 1,000 security people in the US who have the
specialized security skills to operate effectively in cyberspace. We need
10,000 to 30,000.” (Jim Gosler, Sandia Fellow, NSA Visiting Scientist,
and the founding Director of the CIA’s Clandestine Information
Technology Office.)
1 Center for Strategic and International Studies, Report of the Commission on Cybersecurity for the 44th Presidency, December 2008
1
The problem is both of quantity and quality especially when it comes to highly
skilled “red teaming” professionals We not only have a shortage of the highly
technically skilled people required to operate and support systems already
deployed, but also an even more desperate shortage of people who can design
secure systems, write safe computer code, and create the ever more sophisticated
tools needed to prevent, detect, mitigate and reconstitute from damage due to
system failures and malicious acts.
The cybersecurity workforce to which we speak in this report consists of those who
self-identify as cybersecurity specialists as well as those who build and operate our
systems and networks. That workforce includes not only workers on government
payrolls, but also those contractors who operate as part of the extended government
workforce. It also includes those who build and maintain the critical infrastructure
on which the public and private sectors have come to rely.
Where we need to go
Having the right number of people with the requisite technical skills matters and
there are four elements of any strategy to deal with this challenge.
• Promote and fund the development of more rigorous curricula in

our schools.
• Support the development and adoption of technically rigorous

professional certifications that include a tough educational and
monitored practical component.
• Use a combination of the hiring process, the acquisition process

and training resources to raise the level of technical competence
of those who build, operate, and defend governmental systems.
• Ensure there is a career path as with other disciplines like civil

engineering or medicine, rewarding and retaining those with the
high-level technical skills.
It is the consensus of the Commission that the current professional certification

regime is not merely inadequate; it creates a dangerously false sense of security for
the following reasons:
• Individuals and employers are spending scarce resources on

credentials that do not demonstrably improve their ability to
address security-related risks; and
• Credentials, as currently available, are focused on demonstrating

expertise in documenting compliance with policy and statutes
rather than expertise in actually reducing risk through
identification, prevention and intervention.
2
In many ways, cybersecurity is similar to like 19th century medicine – a growing
field dealing with real threats with lots of self-taught practitioners only some of
whom know what they are doing. The evolution of the practice of medicine
mandated different skills and specialties coupled with qualifications and
assessments. In medicine, we now have accreditation standards and professional
certifications by specialty. We can afford nothing less in the world of cybersecurity.
We need to develop a culture of professionalism and goal orientation for the
cybersecurity workforce; doing so will help prevent, detect, and/or respond to
intentional or unintentional compromises involving both federal and other critical
infrastructure systems.
What is being done
Skills matter. They must be taught, and then demonstrated on the job. The
Commission’s work has been focused on those currently in the workforce, and
those who are, or will shortly be, in the labor pool.
We do not start with a blank slate, as there are several initiatives attempting to
address the issues of career paths and training of the cybersecurity workforce.
Organizations and initiatives that can be leveraged going forward include the
Department of Homeland Security, International Information Systems Security
Certification Consortium, Information Systems Audit and Control Association, the
Institute of Electrical and Electronics Engineers, the Department of Justice, Federal
Bureau of Investigation, National Security Agency, Department of Defense, Federal
Chief Information Officers Council, Office of Personnel Management, State
Department, US Cyber Command and US Cyber Challenge.
How we get from where we are
With all these activities underway, it is the Commission’s intention to give impetus
to and leverage the existing efforts and initiatives to move forward in a
comprehensive manner. This report focuses on those actions that the Federal
government can take in the short-medium term to develop and hire a more
cybersecurity capable workforce. By using its instruments of direct control – hiring
and procurement – and by serving as a model, the Federal government can
significantly influence the quantity and quality of the cybersecurity workforce.
Expand cyber education. The current Administration is addressing the education of

cyber professionals as part of the Comprehensive National Cybersecurity Initiative,
an unclassified description of which was released on March 2, 2010. The topic is
included as Initiative 8:
While billions of dollars are being spent on new technologies to secure

the U.S. Government in cyberspace, it is the people with the right
knowledge, skills, and abilities to implement those technologies who will
determine success. However there are not enough cybersecurity experts
within the Federal Government or private sector to implement the CNCI,
nor is there an adequately established Federal cybersecurity career
3
field. Existing cybersecurity training and personnel development
programs, while good, are limited in focus and lack unity of effort. In
order to effectively ensure our continued technical advantage and
future cybersecurity, we must develop a technologically skilled and
cyber-savvy workforce and an effective pipeline of future employees. It
will take a national strategy, similar to the effort to upgrade science and
mathematics education in the 1950’s, to meet this challenge.
(www.whitehouse.gov/cybersecurity/comprehensive-national-
cybersecurity-initiative)
The Commission makes recommendations to build on the current activities

of both the Executive Branch and the Legislative Branch. Additionally, there
is an Action Plan, including a time line, in order to address those
recommendations. Long-term recommendations for sustainability and
governance are also included.
Build a rigorous certification system. On the basis of our analysis, the Commission
is recommending the creation of a governance body, which would develop and
administer certifications in two or three specialty areas, where rigorous certifications
do not exist. The governance body should also develop criteria for evaluating other
certification programs so that, using a federated model, other existing or future
certification programs that meet its standards can also be accredited. The
organization could be created initially as not-for-profit and there would be an
oversight of a board that would include representatives of each of the following:
• Major private sector organizations that employ cybersecurity

professionals;
• Universities with major cyber education and research programs; and
• Key Federal government agencies.
The role of the oversight board would be to direct and evaluate a two-year pilot test
and, at the end of the first year, offer recommendations on whether/how the body
should continue.
CONCLUSION
We are unified by a shared objective to help protect our critical infrastructure by

detecting, responding to and ultimately preventing cyber attacks and accidents.
Our analysis indicates there are many initiatives and efforts underway. As included
in the President’s Cyberspace Policy Review, the CNCI initiatives are mutually
reinforcing and are designed to help secure the United States in cyber space. The
goal “to strengthen the future cybersecurity environment by expanding cyber
education;….” can be achieved by implementing the recommendations included in
this paper.
We are beginning now.
4
A HUMAN CAPITAL CRISIS IN CYBERSECURITY—
TECHNICAL PROFICIENCY MATTERS
“The cyber threat to the United States affects all aspects of society, business,
and government, but there is neither a broad cadre of cyber experts nor an
established cyber career field to build upon, particularly within the Federal
government. [Using an] airplane analogy, we have a shortage of ‘pilots’
(and ‘ground crews’ to support them) for cyberspace.” (Center for Strategic
and International Studies, Report of the Commission on Cybersecurity
for the 44th Presidency, December 2008)
That the nation and the world are now critically dependent on the cyber infrastructure
is no longer a matter of debate. Evidence continues to build showing our systems for
power (nuclear and conventional), water, banking and credit as well as our national
security and public safety systems rely on complex and sophisticated computer and
telecommunications technology. Our information infrastructure is vulnerable to
threats not just from nation states but also from individuals and small groups who
seek to do us harm or who wish to exploit our weaknesses for personal gain.
Military and nuclear energy systems are under continuous attack,

experiencing large losses. For at least the past six years the US
Department of Defense, nuclear laboratory sites and other sensitive US
civilian government sites have been deeply penetrated, multiple times,
by other nation-states. “China has downloaded 10 to 20 terabytes of
data from the NIPRNet (the sensitive, but unclassified US military
network). There is a nation-state threat by the Chinese.” (Maj. Gen.
William Lord, Director of Information, Services and Integration in the
Air Force’s Office of Warfighting Integration and Chief Information
Officer, 8/21/06 Government Computer News, “Red Storm Rising”)
Terrorists and organized crime groups are actively exploiting weak US

security and extorting money used for criminal purposes and to buy
terrorist bombs. In October 2008, for example, Express Scripts, one of
the nation’s largest processors of pharmacy prescriptions, reported
extortionists had threatened to disclose personal and medical
information on millions of Americans if the company failed to meet
payment demands.
A critical element of a robust cybersecurity strategy is having the right people at

every level to identify, build and staff the defenses and responses. And that is, by
many accounts, the area where we are weakest.
“I cannot get the technical security people I need.” (Lt. Gen. Charles
Croom, Commander, Joint Task Force - Global Network Operations, in
response to a question from a CSIS Commissioner asking what is the
most critical problem he faces in meeting the growing cyber challenge.
May 28, 2008)
5
“There are about 1,000 security people in the US who have the
specialized security skills to operate at world-class levels in cyberspace.
We need 10,000 to 30,000.” (Jim Gosler, Sandia Fellow, NSA Visiting
Scientist, and the founding Director of the CIA’s Clandestine
Information Technology Office.)
The problem is both of quantity and quality especially when it comes to highly
skilled “red teaming” professionals. The December 2008 CSIS report in some ways
understates the problem. We not only have a shortage of the highly technically
skilled people required to operate and support systems we have already deployed;
we also face an even more desperate shortage of people who can design secure
systems, write safe computer code, and create the ever more sophisticated tools
needed to prevent, detect, mitigate and reconstitute systems after an attack.
The reality of the staffing problem was illuminated on April 19, 2007, in
a hearing of the US House Homeland Security Committee, Subcommittee
on Emerging Threats, Cybersecurity and Science and Technology.
Witnesses from the State Department and the Commerce Department
both testified their systems were penetrated with zero day attacks
(attacks using exploits for which no patch exists). The Commerce
Department witness testified he did not know when the attack had first
occurred. He said the attack had spread to at least 32 systems, all of
which were contacting servers in China. These Commerce systems were
in the Bureau of Industry and Security (BIS), the division that
determines which US technologies are too sensitive to be exported. He
further said he did not know how many other BIS systems were infected
or whether the infections had been eliminated from Commerce
Department networks. The State Department witness, on the other
hand, testified his people found the attack within moments after it had
occurred, cleaned the infected system and stopped the infection’s
spread. The Commerce Department witness said his organization had
met the compliance requirements of the Federal Information Security
Management Act (FISMA) but the attack got through because it used a
zero-day vulnerability. By contrast, the State Department witness, who
also met FISMA compliance requirement, had built a team of network
forensics investigators, deep-packet-analysis experts and security
programmers who could find and eliminate problems.
Richard Hale, Chief Information Assurance Executive at the Defense Information

Systems Agency, told a small gathering at the March 2010 RSA Conference in San
Francisco that the State Department manpower experience directly mirrors what
DISA finds when it evaluates DoD facilities. Those units that are overly dependent
on security tools rarely find the advanced persistent threat (APT) while those that
have deep and broad technical security skills and constantly adapt the tools to
changing threat patterns are the ones that find and eliminate the APT.
6
When in January, 2010, Google and other commercial companies reported that their
systems had been penetrated by foreign government attacks. They met with
government officials and asked why the government was not doing a better job of
protecting them. The answer was that today’s tools are ineffective in stopping the
advanced persistent threat; and that the companies themselves needed to upgrade
the skills of their security hunters. Hunters are the people who can dig deeply into
the workings of computers and networks to track the attackers who get through the
organization’s defenses. Sadly, when the commercial companies began seeking
people with those skills, they discovered that such people were very rare and that
the commercial companies faced intense competition for every qualified person
from the entire defense industrial base.
Having the right number of people with the requisite technical skills matters.
That’s what the comparison of the Commerce and State Department experiences
illustrates. There are four elements of any strategy to deal with this challenge,
all of which can be accelerated by governmental action:
• Promoting and funding the development of more rigorous

curricula in our schools. The National Science Foundation and the
National Security Agency, among others, have begun to move in
this direction. While there are understandable concerns about
infringement on academic discretion, there is a connection
between the skill level of those who build systems and their safety
and security. Several US colleges, funded under that Scholarship
for Service program, have been graduating security experts with
advanced technical skills, but the total number of new graduates
with very deep technical skills is well under 200 per year.
• Supporting the development and adoption of technically rigorous

professional certifications that include a tough educational
component and a monitored practical component. Unfortunately,
there is already a plethora of certifications, some of which require
little more than passing a written examination and being able to
describe one’s job experience creatively. And all but a few focus
on terms and principles, but not on the hard technical skills and
knowledge that are in such short supply.
• Using a combination of the hiring process, the acquisition process

and training resources to raise the level of technical competence
of those who build, operate, and defend governmental systems.
We need to be sure those whom we hire, whether as Federal
employees or contractors, have the requisite skills. As more
rigorous professional credentials become available, we have a
duty to those currently in the workforce to help them attain the
performance levels that we need.
7
• Assuring there is a career path as with other disciplines, like
engineering or medicine, rewarding and retaining those with high-
level technical skills, both in the civilian workforce and in the
uniformed services.
It is the consensus of the Commission that the current professional certification

regime is not merely inadequate; it creates a dangerously false sense of security for
the following reasons:
• Individuals and employers are spending scarce resources on

credentials that do not demonstrably improve their ability to
address security-related risks; and
• Credentials, as currently available, are focused on demonstrating

expertise in documenting compliance with policy and statutes
rather than expertise in actually reducing risk through
identification, prevention and intervention.
Any efforts to mandate certifying and licensing requirements based on the

current regime of professional certifications would be premature. As early as
1995, the Association for Computing Machinery (ACM) voiced its opposition to
licensing software engineers. In expressing ACM’s reservations about efforts to
license software professionals in 2000, the then-president of the ACM wrote:
ACM believes the problem of reliable and dependable software,

especially in critical applications, is the most important problem facing
the IT profession. ACM will continue to work closely with IEEE Computer
Society on projects that further the evolution of software engineering as
a professional computing discipline and improve the quality of software
and the capabilities of software engineers.2
He went on to note that:
In the U.S., mandatory licensing has been used as a means to protect the
public from malpractice by those offering services directly to the public,
such as doctors, lawyers, civil engineers, contractors, day care workers,
barbers, and surveyors. Many licensing advocates argue it would help
promote software engineering into a profession and would safeguard
society against incompetent engineers. Those against licensing argue it
would not be practical-nor effective-in achieving these goals. Indeed,
they say no recognized, generally accepted body of knowledge exists on
which licensing examinations could be based.
We fully concur that certification and licensing regimes are essential elements for
informing and protecting those who buy complex professionals services that the
buyers are often unable to evaluate. We further agree that any such regime must be
2 A Summary of the ACM Position on Software Engineering as a Licensed Engineering Profession, July 17, 2000
8
based on a body of knowledge that represents the complete set of concepts, terms
and activities that make up a professional domain. And absent such a body of
knowledge there is little basis for supporting a certification program. Indeed it
would be dangerous and misleading.
A complete body of knowledge covering the entire field of software engineering may
be years away. However, the body of knowledge needed by professionals to create
software free of common and critical security flaws has been developed, vetted
widely and kept up to date. That is the foundation for a certification program in
software assurance that can gain wide adoption. It was created in late 2008 by a
consortium of national experts, sponsored by DHS and NSA, and was updated in late
2009. It contains ranked lists of the most common errors, explanations of why the
errors are dangerous, examples of those errors in multiple languages, and ways of
eliminating those errors. It can be found at http://cwe.mitre.org/top25.
Any programmer who writes code without being aware of those problems and is not
capable of writing code free of those errors is a threat to his or her employers and to
others who use computers connected to systems running his or her software.
Just as a body of knowledge exists for creating software free of common and critical
security flaws, the development of other certifications will depend on the
development of similar bodies of knowledge. The path to meaningful certification
should also be one which is structured. For example, schools should teach ‘the
theory’ of good coding, specialized and/or a major in schools/clinics should teach
‘the hands on practice’ of good coding, and exams should validate the learning has
been internalized.
In many ways, cybersecurity is a lot like 19th century medicine – a growing field
dealing with real threats with lots of often self-taught practitioners only some of
whom know what they are doing. What has evolved in medicine over the last
century is a system that recognizes that different kinds of skills and specialties are
required. And, since most of us are not able to assess the qualifications of a
practitioner when a need arises, we now have an education system with
accreditation standards and professional certifications by specialty. We can afford
no less in the world of cyber.
With the evolution and revolution of technology, the technical proficiency problem
could be addressed in the short run, but it is not the complete answer. Tools and
techniques, like automated configuration and patch management, will reduce the
need for high-end skills in many organizations, but, we will continue to need people
with the knowledge and skills to develop those tools and to identify and respond to
the ever-changing threat to our cyber infrastructure. If we have learned nothing
else, we now know that those who seek to exploit our weaknesses for gain, to do us
harm, or even just for mischief, are every bit as smart as we are. We seek to change
the mindset of the current workforce and to develop 1) a workforce of true
cybersecurity professionals and 2) “security-enable” the workforce. We need both a
cadre of cybersecurity professionals and a ‘cyber-enhanced” workforce who are
9
security aware. For example, those who design, build, code and maintain systems
need to be security aware in order address the challenge facing the nation.
VISION for the FUTURE Cybersecurity Workforce
The Commission envisions a technically proficient cybersecurity workforce to

prevent, detect, recover and/or respond to intentional or unintentional
compromises both on federal and critical infrastructure systems.
The following diagram illustrates an agreed upon vision for the learning disciplines
associated with the cybersecurity workforce development:
Assumption: This paper is based on a simple assumption:
“Skills matter and must be demonstrated on-the-job.”
This report focuses on those actions that the Federal government can take in the
short-medium term to develop and hire a more cybersecurity capable workforce.
By using its instruments of direct control – hiring and procurement – and by serving
as a model, the Federal government can significantly influence the quantity and
quality of the cybersecurity workforce.
Our proposals recognize the work in progress and attempt to build upon existing
efforts, some of which are described below.
Background: The workforce challenge is being addressed in several ways:

(1) encouraging more young people, starting in elementary school, to pursue
education and training in the more quantitative fields of science, technology,
engineering and math to prepare them to be cybersecurity workers, (2) developing
10
more rigorous curricula in computer-related disciplines; and (3) automating daily
operational tasks in cybersecurity, like configuration and patch management. While
these approaches offer promise for addressing part if not the entire problem in the
longer term, we cannot afford to wait. Hence, the Commission’s work has been
focused on those currently in the workforce and those who are, or will shortly be, in
the labor pool.
Current Efforts:
We do not start with a blank slate. The following is a short description of several
organizations and initiatives attempting to address the issues for career paths and
training of the cybersecurity workforce. This listing is no means exhaustive but
attempts to highlights initiatives that can be leveraged going forward.
DEPARTMENT OF HOMELAND SECURITY (DHS)

IT Security Essential Body of Knowledge (EBK): A Competency and Functional
Framework. The EBK is a framework to map Information technology (IT) security
competencies. DHS has included fourteen areas ranging from incident management
through digital forensics. The EBK was developed as complimentary framework to
existing efforts of the National Institute of Standards and Technology (NIST) or the
Committee on National Security Systems (CNSS) guidance on IT security training.
DHS built upon established work resources and best practices from the public and
private sectors. The EBK is intended to be a resource tool for the public and private
sectors as well as higher education in development of curriculum and training.
(http://www.us-cert.gov/ITSecurityEBK)
INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION

CONSORTIUM (ISC)2 (http://www.isc2.org)
Certified Information Systems Security Professional (CISSP) is an information

security credential accredited by ANSI ISO/IEC Standard 17024:2003 accreditation
and leads the industry in acceptance. This certification is included in the
Department of Defense (DoD) Information Assurance Workforce Improvement
Program. The CISSP curriculum includes ten Common Body of Knowledge (CBK)
information security topics. According to the (ISC)2, “the CISSP CBK is a taxonomy –
a collection of topics relevant to information security professionals around the
world. The CISSP CBK establishes a common framework of information security
terms and principles that allow information security professionals worldwide to
discuss, debate and resolve matters pertaining to the profession with a common
understanding.” (Tipton; Henry. Official (ISC)² Guide to the CISSP CBK. Auerbach
Publications. ISBN 0-8493-8231-9.)
ISACA (http://www.isaca.org/).
ISACA, originally known as the, “Information Systems Audit and Control

Association,” ISACA has established the CoBIT auditing and control standards,
which are widely recognized and used. ISACA offers the following:
11
• Certified Information Systems Auditor (CISA);
• Certified Information Security Manager (CISM);
• Certified in Governance of Enterprise (CGIT); and
• Certified in Risk and Information Systems Control (CRISC).
The SANS INSTITUTE (http://www.sans.org)
SANS is a graduate degree-granting education and research institution that also

provides advanced security training and certifications. Its 120,000 alumni are the
computer network defenders, penetration testers, security-savvy system operators,
forensics experts, secure programmers, and managers in more than 20,000
organizations ranging from the NSA and the Defense Industrial Base to the FBI to
banks to hospitals to universities.
CREST (http://www.crest-approved.org)
The United Kingdom has developed a model for hands-on certification in the form of
its Council of Registered Security Testers (CREST) test for security penetration
testers and is building a network of independent certifiers. CREST was created in
response to the need for regulated and professional security testers to serve the
global information security marketplace. CREST is a not for profit organization with
the goal to represent the information security testing industry and offer a
demonstrable level of assurance as to the competency of organizations and
individuals within approved companies.
The INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)

(http://www.computer.org/portal/web/guest/home)
The IEEE is an international non-profit, professional organization, which provides

learning opportunities within the engineering, research, and technology fields. The
goal of the IEEE education programs is to ensure the growth of skill and knowledge
in the electricity-related technical professions and to foster individual commitment
to continuing education among IEEE members, the engineering and scientific
communities, and the general public. The IEEE offers certification and training for
software professionals. Their organization recognizes there is a gap between
education and work requirements and attempts to verify the students’
understanding the fundamentals of software development practices.
(http://www.computer.org/portal/web/certification/home).
IEEE certifications include:
• Certified Software Development Associate (CSDA); and

• Certified Software Development Professional (CSDP).
12
THE DEPARTMENT OF JUSTICE; FEDERAL BUREAU OF INVESTIGATION (FBI)
The FBI Academy at Quantico provides a cyber education training program for
domestic law enforcement and counterintelligence. They train over 2,192 new FBI
agents in basic cyber training with 783 FBI cyber agents with advance training and
over 1,100 cyber taskforce agents. Currently, the Office of Justice Programs (OJP),
Bureau of Justice Assistance (BJA) provides federal assistance for training for law
enforcement officials. The Counter Terrorism Training and Resources for Law
Enforcement non-profit organization does provide training for cybersecurity and
privacy. (http://www.counterterrorismtraining.gov)
NATIONAL SECURITY AGENCY (NSA)
The NSA and the DHS have jointly sponsored the National Centers of Academic
Excellence in Information Assurance (IA) Education (CAE/IAE) and CAE-Research
(CAE-R) programs. The goal of the programs is to reduce vulnerabilities in our
national information infrastructure by promoting higher education and research in
IA. It is also attempting address the growing need of professionals with IA expertise
in various disciplines. The designation of an institution as a CAE/IAE or CAE-R is
valid for five academic years and then, the school must reapply. Students who
attend these designated schools are eligible for scholarships and grants through
DoD and DHS. (http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml)
Additionally, the NSA has an initiative underway which is working to qualifying

cyber-warriors. Aspects of this initiative include defining the cybersecurity
workforce and moving forward with education and training.
DEPARTMENT OF DEFENSE (DoD): DoD 8570.01-M, “Information Assurance

Workforce Improvement Program.”
Implements DoD Directive 8570.1, “Information Assurance Training, Certification,

and Workforce Management,” dated August 15, 2004. Provides guidance for the
identification and categorization of positions and certification of personnel
conducting Information Assurance (IA) functions within the DoD workforce
supporting the DoD Global Information Grid (GIG) per DoD Instruction 8500.2. The
DoD IA Workforce includes, but is not limited to, all individuals performing any of
the IA functions described in the Manual. Additional chapters focusing on personnel
performing specialized IA functions including certification and accreditation (C&A)
and vulnerability assessment will be published as changes to the Manual. Also
establishes IA workforce oversight and management reporting requirements to
support DoD Directive 8570.1. DoD 8570.01-M establishes the following goals:
• Develop a DoD IA workforce with a common understanding of the

concepts, principles, and applications of IA for each category,
specialty, level, and function to enhance protection and availability
of DoD information, information systems, and networks;
13
• Establish baseline technical and management IA skills among
personnel performing IA functions across the DoD enterprise;
• Provide warfighters qualified IA personnel in each category,

specialty and level;
• Implement a formal IA workforce skill development and

sustainment process, comprised of resident courses, distributive
training, blended training, supervised on the job training (OJT),
exercises, and certification/recertification;
• Verify IA workforce knowledge and skills through standard

certification testing; and
• Augment and expand on a continuous basis the knowledge and

skills obtained through experience or formal education.
FEDERAL CHIEF INFORMATION OFFICERS (CIO) COUNCIL and the OFFICE OF

PERSONNEL MANAGEMENT (OPM)
The E-Government Act of 2002 (Section209)

(http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf)
and Clinger-Cohen Act of 1996 (Division E)
(http://www.gpo.gov/fdsys/pkg/PLAW-104publ106/pdf/PLAW-104publ106.pdf)
includes the requirement for the assessment of the competencies and skills of the
federal information technology (IT) workforce. The purpose of the requirement is
to analyze the needs of the federal government relating to IT and information
resources management. Currently, the CIO Council’s IT Workforce Committee, in
conjunction with the OPM, is working on the new workforce survey instrument.
Additionally, they have identified eleven information security roles (See Appendix A,
Federal Information Security Workforce Development Matrix: Roles Identifications,
Definitions and Prioritization dated April 21, 2009) and have assigned priorities to
the roles. They are working on developing a matrix similar to their efforts for
project management. To date, there are two draft documents available: Systems
Operations and Maintenance Professional and Chief Information Security Officer
(See Appendix A, Information Security Workforce Development Matrix (DRAFT):
Systems Operations and Maintenance Professional and Information Security
Workforce Development Matrix (DRAFT): Chief Information Security Officer).
Other Efforts That Could Make a Big Difference:
As previously stated, there are several initiatives underway that can be leveraged to
address workforce issues. The following initiatives identified by the Commission
should be studied, as they initially appear to be addressing short and mid-term
cybersecurity workforce issues such as training.
14
STATE DEPARTMENT
As discussed above, the State Department team is clearly demonstrating that skills
do matter. They have instituted a training program for all new team members
covering multiple levels of competency with extensive, hands-on training in their
environment.
US CYBER COMMAND
The US Cyber Command (USCYBERCOM) is a subordinate unified command under

the United States Strategic Command created by the Secretary of Defense on June
23, 2009 (See Appendix A, “Memorandum for Secretaries of the Military
Departments, SUBJECT: Establishment of a Subordinate Unified U.S. Cyber
Command Under U.S. Strategic Command for Military Cyberspace Operations).
USCYBERCOM includes responsibility for several organizations including: the Joint
Task Force for Global Network Operations (JFT-GNO); Joint Functional Component
Command for Network Warfare (JFCC-NW); and the Defense Information Systems
Agency (DISA), which will provide technical assistance for network and information
assurance. They are to coordinate computer-network defense and direct US cyber-
attack operations.
DoD 8570.01-M Change 2 (released Spring 2010)
This release reflects the DoD’s commitment to continuous improvement in the IA

Workforce Improvement Program. Change 2 emphasizes the Department’s intent
that the IA Workforce Improvement Program rely on skills-based training aligned
with operational needs. DoD components will be encouraged to construct training
and certification regimes that develop and assess the skills necessary to provide
effective IA capabilities. This emphasis, coupled with improved compliance metrics,
will move the Department away from reliance on stand alone, prescriptive
certifications as the primary compliance metric for IA Workforce training and
certification.
US CYBER CHALLENGE (http://www.uscyberchallenge.org)
The Center for Strategic and International Studies (CSIS) brought together
executives from high tech companies, academics, and government officials to launch
under a project known as the US Cyber Challenge enabling Americans to
demonstrate their cybersecurity knowledge, skills, and passion.
As part of this effort, candidates who prove their skills are being invited to attend
regional “cyber camps” which will be held at local colleges, where they will continue
to develop their skills more fully and participate in additional competitions. The
best of the candidates will be introduced to key federal agencies and corporations
where the most advanced cybersecurity work is being done. Several Examples of
Cyber Challenge competitions are show in the following table:
15
Competition Target audience What it does Impact
Cyber Security Adults and college Like a scavenger This is the primary
Treasure Hunt students (and very hunt, the game qualification for
talented high delivers an on-line students wishing
school students quiz that sends to earn a place in
who want to prove candidates to a the 2010 cyber
they have basic simulated camps. Comment:
mastery of environment “Even if the
vulnerabilities and where they can contestant cannot
other areas of safely explore, find complete all the
security) answers, and challenges, it
return to the quiz. creates a powerful
interest to learn
and explore more of
these ideas.”
CyberPatriot High school Students must An Air Force

students harden systems to official: “all the
block attacks and contestants I met
are scored on their are interested in
success in keeping pursuing degrees,
the attackers out. scholarships, USAF
appointments, etc.,
to have a role in
cyberspace in some
form in the future!
Netwars Adults and college Students work in a CNN’s story of

students (and very real-world, on-line December 21
talented high laboratory where shows the impact:
school students) contestants must finds the ultra-
who have very capture and hold talented kids and
high levels of skills cyber territory as gets them jobs
and want to prove hundreds of others
they should win try to do the same.
internships and
scholarships at
important
organizations.
DC3 Digital Separate Provides a disk Motivates young

Forensics competitions for image of data people to further
Challenge high school taken from actual develop their
students, college cases investigated forensics skills.
students, and by the DoD Cyber
adults to show Crime Center and
16
they have forensics asks four levels of
skills questions. The
fourth level
includes questions
even DC3 does not
know how to
answer.
On-site cyber College students Teams come The entire first

tournaments together to attack place team in the
and defend tournament held at
systems over a CSU Cal Poly
period of one-to- Pomona was
two days. offered cyber
security jobs by
Boeing.
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE (UMUC)

(http://www.umuc.edu)
The University of Maryland University College (UMUC) has three new degree
programs starting in Fall 2010. They are a Bachelor and Master of Science in
cybersecurity and Master in Science in Cybersecurity Policy. The UMUC is the
largest U.S. public university with approximately 94,000 enrolled, which includes
50,000 active duty military, reserves, dependents, and veterans.
NATIONAL COLLEGIATE CYBERSECURITY COMPETITION

(http://www.nationalccdc.org)
The mission of the Collegiate Cyber Defense Competition (CCDC) system is to

provide institutions with an information assurance or computer security curriculum
in a controlled, competitive environment to assess their students’ depth of
understanding and operational competency in managing the challenges inherent in
protecting a corporate network infrastructure and business information systems.
Competition has grown from 5 schools in 2005 to 63 schools across 8 regions in
2009.
CCDC Events are designed to:
• Build a meaningful mechanism by which institutions of higher

education may evaluate their programs.
• Provide an educational venue in which students are able to apply

the theory and practical skills they have learned in their course
work
17
• Foster a spirit of teamwork, ethical behavior, and effective
communication both within and across teams
• Create interest and awareness among participating institutions and

students.
DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)

(http://www.darpa.gov)
The Defense Advanced Research Projects Agency (DARPA) mission is to facilitate

research and development including the development of new technology and
techniques for use by the military. One example is the recently completed program
titled, “The Cyber Trust Program” which was to create the technology and
techniques to enable trustworthy information systems by:
1. Developing hardware, firmware, and microkernel architectures as

necessary to provide foundational security for operating systems
and applications.
2. Developing tools to find vulnerabilities in complex open source

software.
3. Developing scalable formal methods to formally verify complex

hardware/software.
Next Steps: Recommendations
With all these activities underway, it is the Commission’s intention to give impetus
to and leverage the existing effort and initiatives to move forward in a
comprehensive manner. The current Administration is addressing the education of
cyber professional as part of the Comprehensive National Cybersecurity Initiative,
an unclassified description of which was released on March 2, 2010. The topic is
included as Initiative 8:
Expand cyber education. While billions of dollars are being spent on

new technologies to secure the U.S. Government in cyberspace, it is the
people with the right knowledge, skills, and abilities to implement those
technologies who will determine success. However there are not enough
cybersecurity experts within the Federal Government or private sector
to implement the CNCI, nor is there an adequately established Federal
cybersecurity career field. Existing cybersecurity training and personnel
development programs, while good, are limited in focus and lack unity
of effort. In order to effectively ensure our continued technical
advantage and future cybersecurity, we must develop a technologically
skilled and cyber-savvy workforce and an effective pipeline of future
employees. It will take a national strategy, similar to the effort to
upgrade science and mathematics education in the 1950’s, to meet this
challenge.
18
(http://www.whitehouse.gov/cybersecurity/comprehensive-
national-cybersecurity-initiative)
By building on many of the activities underway, the Commission is recommending the

following for both the Executive Branch and Legislative Branch of the Federal
Government:
1. The President’s cybersecurity coordinator should sponsor an effort

to create an initial taxonomy of cyber roles and skills (See Appendix
B, Taxonomy of Roles, v5 Draft) that can be the basis for recruiting
and training and provide a more specific target for the education
and training community to drive curriculum development and a
regime of professional certifications grounded in practical reality;
2. The Office of Management and Budget (under the leadership of the

Chief Information Officer and the Administrator of Federal
Procurement Policy) in conjunction with the National Institute
Standards and Technology should ensure the skills matrix along
with future certification and eventually licensing requirements, if
appropriate, be included as “standards” in their
http://checklists.nist.gov and develop any additional procurement
language, if necessary for:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read

as follows: Authority: 40 U.S.C. 121(c); 10U.S.C. chapter
137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as

follows: 39.101 Policy.
(d) In acquiring information technology, agencies shall

include the appropriate IT security policies and
requirements, including use of common security
configurations available from the NIST's website at
http://checklists.nist.gov. Agency contracting officers
should consult with the requiring official to ensure the
appropriate standards are incorporated.
(http://www.whitehouse.gov/omb/assets/omb/memoran
da/fy2008/m08-22.pdf)
3. The Chief Information Officers Council should modify its biennial

survey of the Federal information technology workforce to elicit
more granular information on the cybersecurity skill profile of
that workforce and to identify gaps;
4. The Office of Personnel Management should draft an action plan to
19
address “career path issues” in the Federal workforce including
developing a separate job series similar to the existing
professional services such as legal/medical/chaplain/mental
health and/or adjust the law enforcement classification (agents
with the power to carry weapons and make arrests) to also
include special hiring authority where there is evidence of
shortages, consider mandatory continuous training, and/or
establishing an extensive probationary period for skills to be
demonstrated on-the-job;
5. The Department of Homeland Security in conjunction with the

Federal CIO Council should create the Cyber Corp Alumni group
which would include the top 10 percent of the students who
complete the program. As part of this initiative, the program for the
alumni group would include specific set of benefits such as training
on how to be a Chief Information Security Officer; networking with
top cybersecurity professionals; and other related topics;
6. Develop model legislative language to address potential workforce

gaps (See Appendix C, Definition for Legislative Branch); and
7. The Department of Labor’s Bureau of Labor Statistics (BLS) should

lead an interagency committee to develop Standard Occupational
Classification (SOC) for cybersecurity workforce
(http://www.bls.gov/soc/socmanu.htm). This committee work
would build upon the taxonomy recommended in Item 1.
Recommended Action Plan:
The following actions could be taken in order to address the recommendations.

The actions are intended to be a starting place not necessarily inclusive of all
actions which must be taken to achieve the all the workforce issues:
3 to 6 Months:
• Harmonize the existing efforts with the Office of National Director;

Office of Personnel Management and the Federal Chief Information
Officers (CIO) Council to address potential for a new federal
personnel classification series. For example: Address the need for
forensic analysts;
• Develop and expand the workforce survey initiative of the Federal CIO
Council to address cybersecurity throughout the federal workforce;
• Create the Cyber Alumni Group;
• Begin development of the program for the Cyber Alumni Group;
• Expand on the initial taxonomy of cybersecurity roles and skills
(See Appendix B, “Taxonomy of Roles”);
• Finalize the definitions for cybersecurity services (See Appendix
20
C, Model Legislative Language);
• Develop model procurement language for inclusion in federal
contracts; and
• Finalize model legislative language to address cybersecurity
workforce issues for the executive branch to share with Congress.
6 to 9 Months:
• Publish the classification standards for any new designations for

cybersecurity positions;
• Recruit a workforce on the basis of the agreed upon classification
standards;
• Finalize the taxonomy and train agency personnel on its use. The
Office of Personnel Management in conjunction with the Federal
CIO Council should take the lead for this effort;
• Include model legislative language for the cybersecurity workforce
for inclusion in any appropriate cyber-related legislation;
• Develop curriculum for inclusion of federal programs such as
Scholarship for Service;
• Establish and invite membership to the Cyber Alumni Group;
• Finalize the model procurement language for inclusion in
contracts along with appropriate policy documents if necessary;
• Establish the SOC Committee to address the outcome of the
finalized taxonomy; and
• Conduct the workforce survey.
9 to 12 Months:
• Analyze and finalize the workforce survey to include

recommendations;
• Finalize initial curriculum to address future needs on the basis of
the recommendations identified from the final workforce survey;
• Identify and develop activities to be automated for the
cybersecurity workforce including but not limited to configuration
management and patch management;
• Review and update the taxonomy on the basis of the
recommendations identified from the workforce survey;
• Continue the Cyber Alumni Group initiative;
• Finalize the SOC and Update the SOC Manual; and
• Review and ensure contracts are being updated with the approved
procurement language.
12 Months and beyond:
• Develop and deploy training programs addressing the existing

federal workforce;
21
• Continue to recruit and train the cybersecurity workforce;
• Develop and deploy automated tools for lower level daily
cybersecurity tasks;
• Continue with the development and enhancement of the Cyber
Alumni Group initiative;
• Update and modify curriculum for federally funded cybersecurity
programs; and
• Continue to address workforce issues to ensure a clearly defined
career path.
Long Term Recommendations:
The following recommendations will sustain and maintain the professional

cybersecurity workforce for both the public and private sectors:
1. The creation of an ongoing U.S. Cyber Challenge by leveraging the

existing efforts and initiative launched by CSIS; and
2. The establishment of an independent Board of Information

Security Examiners to develop and administer a process for
certifying cybersecurity professionals in each area of
specialization as developed from the action plan above. The areas
of specialization should include not only so-called cybersecurity
roles, such as intrusion detection and forensics, but also areas
such as software development and network operations, which are
critical to cybersecurity.
GOVERNANCE
The creation of an ongoing U.S. Cyber Challenge and an independent Board of

Information Security Examiners recommended in this report raises the issue of how
those efforts should be governed. Both initiatives are intended to create a pipeline of
technically proficient cybersecurity practitioners and to provide employers and
purchasers of cybersecurity services some level of assurance as to the integrity and
competence of those whom they engage. The following outlines the potential
alternatives for the independent Board of Information Security Examiners, which is
envisioned to set the standards for all related activities for certification:
ANALYSIS OF ALTERNATIVES
There are several options for overseeing this initiative:
1. Status quo: a variety of professional societies and for-profit

entities developing and issuing certifications along with separate
entities operating what is currently the U.S. Cyber Challenge.
2. Federated model: A central body that establishes standards for

and accredits professional certifications including developing
22
model certifications. Testing is conducted by accredited
professional organizations.
3. Unified model: Independent Board of Information Security

Examiners is established in which a single body administers all
professional certifications.
In our view, the criteria for evaluating governance options are:
• Relevance to the current and future labor market. As is already

obvious, cybersecurity is a diverse and dynamic field that requires
a broad range of ever-evolving sets of skills. Most importantly,
training and certifications need to be connected to real jobs in the
current marketplace AND new challenges. This criterion also
includes the time to implement the model.
• Independence and integrity. Potential employers and purchasers

of cybersecurity services need to be assured that certification
processes have intellectual rigor and are not unduly biased by the
economic interests of particular providers.
• Sustainability. There needs to be a viable business model.
The status quo
A number of certification programs have evolved, some even ISO 17014 certified. A
few address specific equipment or technologies while others are more general. While
the existence of such programs has spurred investments in training, the consensus of
the CSIS Commission was that, all too often, there was little if any connection to the
specific technical cybersecurity skills that are needed in the workplace.
In the absence of an alternative, several organizations have built robust and highly
profitable lines of business and are understandably anxious to evolve the work that
they have done to meet changing needs.
The Federated Model
As included this report, there are number of certification programs already

underway. The Federated Model could move forward on its own and eventually
there will evolve standards and certification. Many times under a model such as this
one, the time to implement and/or evolve is long due to the need to engage a large
number of stakeholders and build consensus. Additionally, it would be difficult to
ensure these skills are demonstrated and included in the procurement vehicles.
The Unified Model
There is the Unified Model, which is working in other professions (e.g., electricians,
day care providers, and the medical profession). The challenges of developing and
23
implementing a reliable regime for certifying and licensing cybersecurity
professionals will be difficult. These other professions, most notably the medical
profession, have built a structure of independent certifying bodies linked to State
licensing requirements. To practice in most jurisdictions, physicians are required to
meet certain educational requirements and demonstrate certain practical
experience at independently accredited institutions.
See http://www.amaassn.org/aps/physcred.html. Other medical-related
professions – nurses, physician assistants, etc – are subject to similar requirements.
And the education sector has responded by developing curricula that support
certification and licensing and, we are convinced, will do so if the roles and skills
required in the cybersecurity workforce are clearly defined.
Medicine has addressed the need for more specialized professional certifications
under a regime overseen by the American Board of Medical Specialties
(http://www.abms.org). Board certifications, rigorously administered and
overseen, provide important information about the skills and knowledge of
practitioners to the purchaser of medical services. While no test or credential can
guarantee an outcome, taken together with information about performance, it
increases the quality of care and patient’s level of assurance. Similarly, it is essential
to assure that those who buy cybersecurity services have tools to evaluate the
competence of those whom they engage. Facing medical problems, few of us have
the knowledge to evaluate the competence of those to whom we turn for assistance.
Instead, we rely on a combination of independently administered professional
certifications and state licensing authorities to tell us whether the provider has the
needed training and has demonstrated the skills that we need.
The following shows the potential functional areas, which could be governed by the
Independent Board of Examiners:
Potential Governance Work Areas
Cybersecurity
Formal Cybersecurity
Workforce
Cybersecurity Workforce
Training & Prof
Education Structure
Dev’t
1 General IT Use
2 IT Infrastructure, Operations,
Maintenance, Information Assurance
3Domestic Law Enforcement 4 Specialized Cybersecurity

and Counterintelligence Operations
24
The following table includes our assessment using the criteria defined with a low to
high ranking of the criteria for each alternative:
Summary Assessment
Status Quo Federated Unified
Relevance Low-medium High High
Rigor and Low-medium High High

Independence
Sustainability High Medium High
On the basis of our analysis, the Commission is recommending the creation of a

governance body initially based on a federated model, which would develop and
administer certifications in two or three specialty areas and evaluate whether
some/any existing certification programs meet its standards. The organization
could be created initially as a not-for-profit in order to conduct the pilots. The effort
would be under the direction of a Board of overseers that would include 3-5
representatives each from:
• Major private sector organizations that employ high-end

cybersecurity professionals;
• Universities with major cyber education and research programs; and
• Key Federal government agencies and congressional committees.3
The role of the oversight board would be to direct and evaluate a two-year pilot test
and, at the end of the first year, offer recommendations on whether/how the body
should continue.
CONCLUSION
We are unified by a shared objective to help protect our critical infrastructure by

detecting, responding to and ultimately preventing cyber attacks and accidents.
Our analysis indicates there are many initiatives and efforts underway. As included
in the President’s Cyberspace Policy Review, the CNCI initiatives are mutually
reinforcing and are designed to help secure the United States in cyber space. The
goal “to strengthen the future cybersecurity environment by expanding cyber
education;….” can be achieved by implementing the recommendations included in
this paper.
We are beginning now.
3 Since this would be an oversight/advisory group, not a board of directors with fiduciary responsibilities, we presume that it will
be possible for government officials to participate
25
FEDERAL INFORMATION SECURITY WORKFORCE DEVELOPMENT MATRIX:
Roles Identification, Definition, and Prioritization
INFORMATION SECURITY DRAFT ROLES* (Last updated 4/21/2009)

*The following listed roles are specific to the information security, information assurance, and information
technology security function and environment.
High Priority
1. Chief Information Security Officer- The Chief Information Security Officer (CISO) is responsible for the
information security strategy within an organization. The CISO establishes, implements, and monitors the
development and subsequent enforcement of the organization’s information security program (i.e., policies,
procedures, security architecture standards, security awareness and training program, IT contingency plans, IT
security compliance issues). The CISO leads the evaluation and assessment of the security program to ensure that
all aspects are in compliance with security requirements, while understanding security threats and vulnerabilities to
operations and the organization’s environment. The CISO is responsible for information security risk management
(e.g., determines risk impact, establishes risk mitigation plans and programs, works with business owners to devise
processes for risk assessment) within the organization. The CISO manages the incidents response program (e.g.,
identifies, reports, and remediates incidents).
2. Systems Operations & Maintenance Professional- The Systems Operations and Maintenance Professional
supports and implements the security of information and information systems during the operations, maintenance,
and enhancements phases of the systems development life cycle. The Systems Operations and Maintenance
Professional is also responsible for implementing server configurations, operating systems, database systems,
firewalls, patch management, and account management to protect the systems against threats and vulnerabilities.
3. Network Security Specialist- The Network Security Specialist is responsible for examining malicious software,
suspicious network activities, and non-authorized presence in the network to analyze the nature of the threat, and
secure and monitor firewall configurations. The Network Security Specialist needs to understand the specimen’s
attack capabilities, its propagation characteristics, and define signatures for detecting malware presence.
4. Digital Forensics & Incident Response Analyst- The Digital Forensics and Incident Response Analyst performs
a variety of highly technical analyses and procedures dealing with the collection, processing, preservation, analysis,
and presentation of computer-related evidence, and is responsible for disseminating and reporting cyber-related
activities, conducing vulnerability analyses and risk management of computer systems and all applications during all
phases of the systems development lifecycle. The Digital Forensics and Incident Response Analyst provides
oversight of incident data flow and response, content, and remediation, and partners with other incident response
centers in maintaining an understanding of threats, vulnerabilities, and exploits that could impact networks and
assets.
5. Information Security Assessor- The Information Security Assessor is responsible for overseeing, evaluating,
and supporting compliance issues pertinent to the organization. Individuals in this role perform a variety of activities
that encompass compliance from internal and external perspectives. These include leading and conducting internal
investigations, helping employees to comply with internal policies and procedures, and serving as a resource for
external compliance officers during independent assessments. The Information Security Assessor provides guidance
and autonomous evaluation of the organization to management. This individual is responsible for planning and
executing information systems operational assessment by obtaining, analyzing, and appraising competent evidential
data for forming an objective opinion on the adequacy of information systems, procedures, and documentation. This
individual also prepares, tests, and utilizes generalized computer audit software, programs, and questionnaires for
accomplishing audit objectives and procedures.
Medium Priority
6. Information Systems Security Officer- The Information Systems Security Officer (ISSO) specializes in the
information and security strategy within a system and is engaged throughout the systems development life cycle. The
ISSO is charged with the development and subsequent enforcement of the company’s security policies and
procedures, security awareness programs, business continuity and disaster recovery plans, and all industry and
governmental compliance issues. The ISSO communicates with the business at the system level and understands
security threats and vulnerabilities to the operations and the system’s environment.
7. Security Architect- The Security Architect is responsible for implementing business needs. The Security
Architect supports the business function as well as technology and environmental conditions (e.g., law and
regulation), and translates them into security designs that support the organization to efficiently carry out its activities
while minimizing risks from security threats and vulnerabilities.
8. Vulnerability Analyst- The Vulnerability Analyst is responsible for detecting threats and vulnerabilities in target
systems, networks, and applications by conducting systems, network, and web penetration testing. The Vulnerability
Analyst identifies flaws that can be exploited to cause business risk, and provides crucial insights into the most
pressing issues, suggesting how to prioritize security resources.
9. Information Security Systems & Software Development Specialist**-The Information Security Systems and
Software Development Specialist is responsible for secure design, development, testing, integration, implementation,
maintenance, and/or documentation of software applications (web based and non-web) following formal secure
systems development lifecycle processes and using security engineering principles.
26
FEDERAL INFORMATION SECURITY WORKFORCE DEVELOPMENT MATRIX:
Roles Identification, Definition, and Prioritization
Low Priority
10. Chief Information Officer- The Chief Information Officer (CIO) focuses on information security strategy within an
organization and is responsible for the strategic use and management of information, information systems, and IT.
The CIO establishes and oversees IT security metrics programs, including evaluation of compliance with corporate
policies and the effectiveness of policy implementation. The CIO also leads the evaluation of new and emerging IT
security technologies.
11. Information Security Risk Analyst- The Risk Analyst is responsible for facilitating and developing data-
gathering methods to control and minimize risks by understanding external threats and vulnerabilities to the
operation and environment. The Risk Analyst analyzes vulnerabilities identified and implements best practices in
their mitigation. This individual communicates compliance regulations and policies, monitors audit preparation
practices, and implements risk management policies and procedures.
** The Information Security Systems & Software Development Specialist is an emerging role that was not rated on
importance in the February focus group exercise. This role is classified under medium priority until further data
and feedback can be obtained and analyzed.
27
INFORMATION SECURITY WORKFORCE DEVELOPMENT MATRIX*
Systems Operations and Maintenance Professional**: The Systems Operations and Maintenance Professional supports and implements the security of information and information systems
during the operations, maintenance, and enhancements phases of the systems development life cycle. The Systems Operations and Maintenance Professional is also responsible for implementing
server configurations, operating systems, database systems, firewalls, patch management, and account management to protect the systems against threats and vulnerabilities.
Performance Suggested Learning & Development
Description/Complexity Competencies/Skills Suggested Credentials
Level Sources
I: Entry Has a basic understanding of computer systems and Performance levels are associated with  0-3 years experience involving work directly 1. Development Resources:
related information security software and hardware recommended proficiency descriptors related to systems operations and
components applicable to each of the relevant maintenance (e.g., help desk); OR a  IT Workforce Roadmap (IT Roadmap)
competency/skill models listed below. Bachelors Degree (suggested areas of  Graduate Programs, USDA IT
Ability to perform basic security system study include Computer Science,
administration duties including software and Competency/Skill Proficiency Programs
Information Technology, Information
hardware installation, troubleshooting, system Descriptors Assurance/Security, Engineering,  GoLearn Courses (www.golearn.gov)
backup, network component maintenance Business/Management)
I-Entry: Basic understanding of concepts  CIO Council (www.cio.gov)
Basic understanding of tools and methods for addressed in relevant competency/skill  Participation in Scholarship for Service
identifying anomalies in system behavior; develops models program through a designated Center of  DoD DISA Training
ability to recognize anomalies Academic Excellence in Information
II-Intermediate: Working knowledge and  GSA’s CIO university Program
Applies skills and abilities with supervision on application of relevant competency/skill Assurance Education (CAEIAE)
projects, programs, and initiatives with low threat models in work activities 2. University Information Security
and scope (e.g., inter-office) Programs:
III-Advanced: Advanced application and
mastery of relevant competency/skill  National Defense University- IRM
II: Intermediate Applies an understanding of the information security models  Bachelors Degree and 2+ years experience College
operational characteristics of a variety of computer (suggested areas of study include
platforms, networks, software applications, and Relevant Competency/Skills Sources: Computer Science, Information  IS/IA Degree Programs- CAEIAE
operating systems Technology, Information  Private University Programs (e.g.,
 OPM GS-2200 Job Family Standard Assurance/Security, Engineering,
Ability to explain to others the methods and Competencies GMU, MIT)
Business/Management, or degrees from a
techniques used in installation, testing, network designated CAEIAE); OR 3-5 years 3. OPM Development Center: The
debugging, troubleshooting, and maintenance of  Clinger-Cohen Core Competencies with
an emphasis on Technical, Desktop experience involving work directly related to Federal Executive Institute and the
PCs, servers, printers, and related equipment security control evaluation and Management Development Centers
Technology Tools, and IT
Automates repetitive processes (e.g., log reviews, Security/Information Assurance implementation on information technology,
systems, and programs 4. Participation in coaching/mentoring/job
configuration testing) to facilitate information security competency areas (www.cio.gov) shadowing programs
operations  Possession and demonstrated application
 DHS EBK Competencies 5. Agency Requirements: organization
Evaluates and assesses operating practices to of relevant certifications
 FISMA Guidance and business area training identified as
determine adequate risk management and  Core: MCSE, CCNA, CCNP, ISC² CAP required
compliance standards, with on-going systems  OPM’s IT Workforce Roadmap
monitoring  Related: CISSP, CISM, ISC² ISSMP, 6. Clinger-Cohen Core Competency-
 NIST SP 800-16, Revision 1 CompTIA, SANS GIAC, PMP based training sources and Capital
Is responsible for contributing, with limited Planning and Investment Control
supervision, to projects, programs, and initiatives  ODNI Cyber Subdirectory Competencies (CPIC) mandate
with medium-threat and moderate scope (e.g., sub-
organization wide)  DoD Directive 8570 7. Current and emerging legislation,
 CNSS Policies, Directives, and Reports policy, and regulations (e.g., FISMA,
III: Advanced Effectively communicates technical information to  Bachelors Degree and 3+ years experience NIST SP-800 series, FIPS, OMB
non-technical audiences; influences others to (preferred areas of study include Computer directives, CNSSI No. 4012)
comply with policies and conform to standards and Science, Information Technology, 8. Training by external vendors for
best practices Information Assurance/Security, security configuration (e.g., Oracle,
Engineering, Business/Management, or Computer Associate, IBM, and HP
Designs the organization’s working information degrees from a designated CAEIAE); OR
security systems operations and maintenance Tools, Sans Institute)
5+ years of experience involving work
strategy and methodology to comply with the directly related to security control
organization’s standards and mission evaluation and implementation on
Understands the needs of the organization and information technology, systems, and
establishes appropriate vendor relationships to programs
manage the proposal and purchasing process  Demonstrated experience in
Attends and participates in professional conferences managing/supervising a systems
to stay abreast of new trends and innovations in the operations and maintenance group
field of information systems  Possession and demonstrated application
Independently manages, plans, evaluates, and of relevant certifications
advocates for information security compliance  Core: MCSE, CCNA, CCNP, ISC² CAP
systems, plans, and functions, and is responsible for
the management of complex projects, programs,  Related: CISSP, CISM, ISC² ISSMP,
and initiatives with high threat and large scope (e.g., CompTIA, SANS GIAC, PMP
agency-wide or inter-governmental), with on-going
systems monitoring
* Criteria included in the above matrix are provided as guidance only. These criteria are not a replacement for OPM basic qualifications as outlined in the relevant occupational qualification standards. The intention of the qualifications matrix is to assist departments/agencies in
defining the qualifications criteria that are most relevant and applicable to their IT Security workforce. No singular qualification component on its own (i.e., education) should be the sole determinant in classifying an individual’s proficiency level. Rather, all aspects of experience,
competencies, education, and training/certifications should be considered when making performance level evaluations.
**The role description is specific to the information security, information assurance, and information technology security function and environment.
28
INFORMATION SECURITY WORKFORCE DEVELOPMENT MATRIX*
CHIEF INFORMATION SECURITY OFFICER**: The Chief Information Security Officer (CISO) is responsible for the information security strategy within an organization. The CISO establishes,
implements, and monitors the development and subsequent enforcement of the organization’s information security program (i.e., policies, procedures, security architecture standards, security awareness and
training program, IT contingency plans, IT security compliance issues). The CISO leads the evaluation and assessment of the security program to ensure that all aspects are in compliance with security
requirements, while understanding security threats and vulnerabilities to operations and the organization’s environment. The CISO is responsible for information security risk management (e.g., determines risk
impact, establishes risk mitigation plans and programs, works with business owners to devise processes for risk assessment) within the organization. The CISO manages the incidents response program (e.g.,
identifies, reports, and remediates incidents).
Performance Suggested Learning & Development
Description/Complexity Competencies/Skills Suggested Credential
Level Sources
III: Advanced
Demonstrates an in depth understanding of Performance levels are associated with  Graduate Degree with 5+ years 1. University Information Security Programs:
enterprise-wide, multi-platform operating recommended proficiency descriptors experience (suggested areas of study  National Defense University- IRM College
systems security, network security, application applicable to each of the relevant include Computer Science, Information  IS/IA Degree Programs- CAEIAE
security, database security, regulatory competency/skill models listed below Technology, Information  Private University Programs (e.g., GMU, MIT)
compliance, incident and risk management Assurance/Security, Engineering, 2. OPM Development Center: The Federal
Competency/Skill Proficiency Descriptors Business/Management, or degrees from
Identifies, understands, manages, and Executive Institute and the Management
III-Advanced: Advanced application and a designated CAEIAE); OR 8+ years of Development Centers
interprets information security risks and threats experience involving work with
as it affects the business and aligns the mastery of relevant competency/skill models
transferable skills related to information 3. Attendance at industry conferences, work
information security strategy to achieve security, incident and risk management groups, and briefings (i.e., DHS- GFirst; FIA;
organizational mission Relevant Competency/Skill Sources:
Black Hat; RSA; ISACA; SANS FIRE;
 NIST SP 800-100 Information Security  Demonstrated experience in leading an CAISSWG; AFCEA)
Designs the organization’s information security Handbook: A Guide for Managers Information Security/IA compliance group
governance framework to facilitate the 4. Development Resources:
implementation of the organization’s  OPM GS-2200 Job Family Standard  Possession and demonstrated  IT Workforce Roadmap (IT Roadmap)
information security strategy Competencies application of relevant certifications  Graduate Programs, USDA IT Programs
 Clinger-Cohen Core Competencies with an  GoLearn Courses (www.golearn.gov)
Set expectations, determines appropriate  Core: CISSP, CISM, CISA, GSLC  CIO Council (www.cio.gov)
security measures to be used across the emphasis on Technical, Desktop  Related: ISSMP, CIW-Security, CAP,  DoD DISA Training
department/agency, and maintains governance Technology Tools, and IT COMPTIA  AFCEA (www.afcea.org)
over the standards and methodologies for Security/Information Assurance competency  CAISSWG
areas  Security clearance commensurate with
information security risk management and  GSA’s CIO University Program
organizational requirements
compliance reviews  DHS EBK Competencies 5. Participation in coaching/mentoring/job
Independently manages, plans, evaluates, and  FISMA Guidance shadowing programs
advocates for information security solutions,
6. Agency Requirements: organization and
plans, and functions, and is responsible for the  OPM’s IT Workforce Roadmap
business area training identified as required
management of complex projects, program,
and initiatives with high threat and large scope  NIST SP 800-16, Revision 1 7. Current and emerging legislation, policy, and
(e.g., organization-wide or inter-governmental)  ODNI Cyber Subdirectory Competencies regulations (e.g., FISMA, NIST SP-800 series,
FIPS, OMB directives, CNSSI No. 4011 &
Leads, enables, and is accountable for the  DoD Directive 8570 4012 )
implementation and integration of solutions to
ensure information security within the  CNSS Policies, Directives, and Reports 8. Training by external vendors (e.g., Sans
organization Institute , ISC², ISACA, MIS)
 OPM’s Executive Core Qualifications
Understands mechanisms for securing new (ECQs) (for SES positions)
technologies; understands the impact of new
and emerging technologies on the information  Additional Key Competencies identified for
security environment, as well as tools and this role (for senior management positions):
• Leadership & People Management
methods for mitigating risks
• Written & Oral Communication
• Creative Problem Solving
• Budget Formation & Allocation
• Project/Program Management
* Criteria included in the above matrix are provided as guidance only. These criteria are not a replacement for OPM basic qualifications as outlined in the relevant occupational qualification standards. The intention of the qualifications matrix is
to assist departments/agencies in defining the qualifications criteria that are most relevant and applicable to their IT Security workforce. No singular qualification component on its own (i.e., education) should be the sole determinant in
classifying an individual’s proficiency level. Rather, all aspects of experience, competencies, education, and training/certifications should be considered when making performance level evaluations.
**The role description is specific to the information security, information assurance, and information technology security function and environment.
29
30
31
32
TAXONOMY OF CYBERSECURITY ROLES
This appendix is predicated on two premises: (1) that in protecting the cyber
infrastructure, skills matters: and (2) that cybersecurity is a complex field
embracing a range of roles and therefore, the skills required to perform them and,
thus, a robust strategy must reflect the diversity of roles and skills sets each role
requires.1
The purpose of this paper is to identify the key roles in cybersecurity, the functions
they perform, and then, the specific skills (including requisite training and
education) required to perform those roles.
The good news is a great deal of work is already under way in various quarters and
a number of organizations already have models on which we can draw; this is a
journey of discovery, not invention. The taxonomy is intended to be illustrative as
a basis for a more robust conversation about key cybersecurity roles and skills and
training and certifications required to fulfill those roles. Our objective is to
synthesize what we know, disseminate it so that others can use and perfect it, and
accelerate the development of a more robust model.
If we can come to consensus on the roles and requisite skill sets, then:
• the Training and Education sectors will have a much clearer

understanding of the labor market into which their graduate will be
going;
• the purchasers of cybersecurity services, whether they are hiring staff
or buying contractual support, can specify more clearly the
qualifications they seek; and
• the current, sometimes confusing regime of professional certification
programs can reflect the needs of potential employers.
To begin the conversation, we have identified nine key roles. As the suggested
taxonomy demonstrates, many of the key roles in cybersecurity, like writing safe
programs, are performed by persons not identified as cybersecurity specialists.
They are as follows:
• System administration – client systems and servers;

• Network administration and network security operations;
• Security assessment, security auditing and information assurance;
• Threat analysis, intrusion and data analysis, intelligence and counter
intelligence;
• Forensics investigation;
1 An apt metaphor may be modern medicine, which relies on very specific roles and skill sets from the board-certified neurosurgeon
to the licensed technician who operates the sophisticated imaging equipment. And, in challenging problems even within a
specialty, different skills and aptitudes differentiate the practitioners adept at diagnosis from those highly accomplished at
treating a condition.
33
• Programming;
• Technical writing;
• Security architecture and engineering; and
• Information security and incident management.2
At least for the moment, we have not included executive and leadership roles or
specialized functions unique to national security, intelligence or law enforcement.
We have also omitted the basic awareness and survival skills that everyone in an
organization needs to possess; the cyber equivalent of good hygiene.
2 Based on "Enhancing and Expanding the National Cybersecurity Work Force: Manpower Requirements and an Action Plan to Meet
Those Requirements" Version 0.6, April 15, 2009 [unpublished]
34
Role Duties Illustrative Duties Skills
System administration – System administrators ensure 1. Use command line functions to

Servers and Client software and hardware are identify potentially malicious
Systems installed and running effectively, processes and behaviors such
both upon initial as anonymous administrative
implementation and as changes logins via the network.
are made for updates and
patches and reconfigurations. 2. Use scripts to eliminate normal
They also manage user accounts events so that abnormal events
and may manage access will stand out when logs are
privileges. In small sites they reviewed.
also manage security devices
3. Use standard testing tools to
and software like firewalls and verify that standard secure
intrusion detection systems. configurations have not been
According to NSA reports to disabled or corrupted by
military CIOs, errors and
software installation scripts or
omissions in configuration have
malicious actors.
accounted for more than 80% of
all exploitable problems found 4. Ensure all default passwords
by the NSA Red Teams (groups have been changed,
that test the defenses of administrative passwords are
computer networks and systems regularly changed, screen
by doing what adversaries locking is active on all client
would do to find and exploit systems and that user
weaknesses). Thus, system passwords are of appropriate
administrators are the keys to strength to meet
ensuring systems are organizational standards.
implemented and maintained
securely. System administrators 5. Apply strong and appropriate
also have another critical access controls to shared file
security role – serving as the systems and applications.
human early warning sensors.
35
Because they know their 6. Place each user in the
systems and the way those appropriate group and (for
systems should be operating, Windows systems) ensure
they are often the first people to group policy is administered
see evidence that an adversary effectively.
has penetrated their systems
and taken control. Rapid 7. Verify backup files have not
identification and response been corrupted.
helps lessen the damage from 8. Use Wireshark or other tool to
break-ins and can help reduce baseline network traffic so
the spread of infections abnormal traffic can be seen.
introduced during those break- (advanced).
ins.
9. Develop scripts to automate
monitoring activities
(advanced).
Secure Network Network administrators install, 1. Configure firewall to perform a

Administration and configure, operate, and route lookup based on source
Network Security troubleshoot route and switched address to protect from IP
Operations – Sometimes networks. They implement and spoofing using ingress and
called Network verify connections to remote egress filtering.
Engineering or Network sites in a wide area network.
Security Engineering They work with Internet 2. Prevent ICMP DOS attacks
Protocol (IP), frame relay, without blocking ICMP packets.
VLANS, Ethernet, gateway
3. Configure a firewall for static
routing protocols, and access network address translation
control lists. Their principal (NAT).
responsibility is to maintain the
reliability and performance of
the network, with security being
36
an increasing element of 4. Set routes to black hole
reliability. Network unwanted traffic.
administrators may manage
wireless networks and voice 5. Use tools to test firewall
networks as well as data configurations to ensure they
networks. Years ago the are in compliance with policy.
network administrators worked 6. Identify security weaknesses in
in network operations centers network architectures.
while people responsible for
monitoring security worked in 7. Use network monitoring tools
security operations centers. to establish expected network
Separation of those functions, behavior.
however, led to cracks in
network defenses that were
deeply exploited by adversaries.
As a result, today many security-
aware organizations are
breaking down the barriers and
integrating their network and
security operations staff and
centers so that the career paths
are merging. The combined
centers manage and monitor
email and spam control systems,
firewalls, intrusion detection
and prevention and other
network and gateway security
services.
Security assessment, These are the people who verify 1. Perform penetration test.
security auditing and that security controls have been
information assurance implemented effectively and 2. Verify inventory of hardware
identify areas that need and software is complete using
37
improvement. They also active network inventory
implement advanced security technology.
procedures to deal with highly
targeted and sophisticated 3. Verify perimeter protections
threats. They work in many are in place by verifying
different groups, from operations, firewall and other gateway
to information security, to settings correspond with
internal audit, to investigations. enterprise policy, and by
They may be called penetration deploying packet sniffers to
testers, blue teamers, security verify that http traffic does not
assessors, auditors, or simply bypass http proxies.
information assurance 4. Verify that log analysis is tuned
professionals. Regardless of their to identify and respond to
location and job title, their most
anomalies from site-specific
important roles are to verify that
baselines.
the important controls are in
place, to identify the controls that 5. Verify administrative
have not been implemented passwords are not shared and
correctly or fully, and to assist the that two factor authentication
site in making the corrections. is used on all critical systems.
The best of the assessors and
information assurance staff not 6. Assess the time that divisions
only find problems; but also assist require to correct critical
organizations in solving the vulnerabilities and monitor
problems they find by making and compare trends in that
recommendations that are metric.
feasible and that they can back up
7. Verify that dormant accounts
with models of where those
and accounts of employees that
controls are in place. They see
have left are disabled regularly
themselves as successful only
and in a timely fashion.
when the organization’s controls
are effectively in place.
38
8. Verify malware defenses are
effectively implemented and
that systems with out o date
malware defenses are found
and corrected on a regular
basis.
9. Test configurations of the

operating systems and ensure
such tests are done regularly
for all systems – or that group
policy is effectively in place for
all systems.
10. Scan for wireless connections.
11. Measure the effectiveness of

incident response in actual or
simulated incidents.
Threat analysis, Intrusion analysts, working 1. Monitoring current attack and

intrusion and data closely with threat and threat information to identify
analysis, intelligence intelligence analysts, are the those that are relevant to the
and counter intelligence watchers who look at network enterprise.
traffic and logs (and increasingly
at large amounts of data) trying 2. Identifying elements of the
to pick the signal out of the organization that are subject to
noise. They are supported by targeted attacks and
increasingly sophisticated tools, identifying traffic patterns that
but in the end it is their deep define potential attacks.
understanding of how attacks 3. Differentiating between
are formed and how they hide anomalous traffic patterns
along with their pattern caused by misbehaving
recognition skills and instincts
39
that enable the identification of hardware and that caused by
many of the newest and most malicious actors using deep
challenging attacks. understanding of networking,
TCP/IP, and logs.
4. Finding evidence of low and

slow attacks (stealthy attacks
that might send a few packets
only every three or four days).
5. Setting up and monitoring

honey pots.
6. Establishing expected traffic

patterns and log patterns to
enable the discovery of
anomalous traffic.
7. Developing scripts and short

programs for automating
analysis of logs and network
traffic.
8. Reverse engineering malware

to identify behaviors and to
point to other systems that
may have been attacked.
Forensics investigation When a system has been 1. Image volatile memory on a

compromised or when an computer without corrupting
employee or contractor is the data.
suspected of using a computer in
an illegal manner, or when a 2. Image a disk including all
computer is captured in a hidden sectors.
40
terrorist hideout, forensics 3. Use dirty string searches to
experts are called in to find find information of interest.
evidence of a crime, to follow the
trail of the intruder to determine 4. Create a timeline of intruder
what damage was done, to activity.
isolate the methods used in
penetrating networks and in
spreading through computer
systems, or to find other
information that can assist in
identifying and convicting
hackers and other criminals.
Forensics analysts capture
digital data from media and
network devices and mobile
devices, capture volatile data
from computers; conduct
incident analysis on standalone
computers or networks; analyze
digital media and network
devices to find the data of value
to the investigation. And they do
all that with an understanding of
legal issues and techniques that
will allow their work to be
accepted as evidence in courts of
law.
Software Development Computers have no business 1. Software/applications are

value without software – and developed using enhanced
software is written by security controls such as two
41
programmers. At the same time, factor authentication;
programmers are the source of encryption; passwords.
nearly every vulnerability that
allows attackers to penetrate 2. Software/applications are
systems. Security people spend tested by a security team prior
a great deal of time cleaning up to deployment into the
after attacks that exploited production environment.
software errors. Proactive 3. Software/applications are
security depends heavily on developed with audit trails to
ensuring programmers write
ensure to track data access and
code that is as free as possible authorizations.
from the errors that commonly
create vulnerabilities.
Early in 2009 a task force of

federal and private software
security experts reached
consensus on the twenty-five
most dangerous errors
programmers make.
The one security task for

programmers, then, is to develop
code that is free of those Top 25
errors. In assessing skills in this
area, it is useful to differentiate
between general security
knowledge and language-
specific, hands-on secure coding
skills. Generalized security
training for programmers,
although easier to administer,
fails to answer the key questions
42
that the programmers have –
how do I write secure code and
what errors must I avoid. Those
questions can be answered only
in specific programming
languages.
Security architecture When a new technology, system

(sometimes called or application is being designed
Security Engineering): or upgraded, the planners and
Baking Security In designers focus on selecting the
hardware and shaping the
software that is needed to
deliver the system’s proposed
functions effectively and
reliably. They rarely consider
security threats as part of that
process, even though security
problems can be a huge threat to
reliability. Baking security into
the design, early in the process,
can make the system much
easier to secure when it is
deployed.
The key skills needed to be

effective in designing security
into the architecture of new
systems, are (1) applying
knowledge of applicable attack
vectors to virtual testing of the
design of the system and (2)
43
applying knowledge of network
architecture, system and
network capabilities, and their
interactions. These are VERY
RARE skills -- much like building
and bridge engineering skills
before the requisite knowledge
became codified and taught in
engineering schools.
Information security and The most difficult position for

incident management which to define tasks is the
security manager. Security
managers do everything from
budgeting and selling ideas to
reviewing security plans to
assessing actual security
controls, to selecting,
purchasing, and deploying
security tools, preparing and
submitting and defending
compliance reports, negotiating
with auditors, helping
operations people bake security
in, managing security awareness
programs, and much, much
more.
We include the job here with the

hope that others – perhaps the
team working with the US Office
of Personnel management.
44
The one area of security
management that is often most
critical, at least when it happens,
is incident response. When
systems have been penetrated,
when data has been lost, when
systems need to be shut down,
the security manager must rise
to the occasion.
45
DRAFT DEFINITION FOR POTENTIAL LEGISLATION:
The term “cyber security services” means the development, implementation,
operation and administration of measures and/or activities intended to prevent,
detect, recover from and/or respond to intentional or inadvertent compromises of
the confidentiality, integrity and availability of information technology including but
not limited to intrusion detection, computer forensics, configuration management,
and system development.
(a) CERTIFICATION - Beginning 3 years after the date of enactment of this Act
for it shall be unlawful for an individual to be employed as a provider of
cybersecurity services to any Federal agency who is not a cybersecurity
professional unless such individual is operating under the direct supervision
of a cybersecurity professional.
(b) CERTIFIED SERVICE PROVIDER REQUIREMENT – Notwithstanding any other

provision of law, the head of a Federal agency may not use, or permit the use
of, cybersecurity services for that agency that are not directly supervised by a
cybersecurity professional.
46
47
ACKNOWLEDGEMENTS
With apologies to those whom we have omitted, members of the Commission would
like to thank the staff members of the following Executive Branch Departments and
Agencies; Congressional committees; and associations for their time and the insights
they offered:
• Office of Management and Budget

• Federal Chief Information Officers Council
• Office of Personnel Management
• Office of the Director for National Intelligence
• Department of Defense
o Department of the Army
o Department of the Air Force
o Department of the Navy
o Joint Chiefs of Staff
o National Security Agency
o National Defense University
• Department of Homeland Security
• Department of Justice
o Federal Bureau of Investigation
• Department of State
• Department of Commerce
o Information Security Program Advisory Board
U.S. House of Representatives:

• Armed Services
• Homeland Security
• Oversight and Government Reform
• Science and Technology
U.S. Senate:
• Commerce, Science and Transportation
• Homeland Security and Government Affairs
• Select Committee on Intelligence
Associations:
• International Information Systems Security Certification Consortium (ISC)2
• ISACA
48
Cybersecurity
1800 K Street, NW | Washington, DC 20006

Tel: (202) 887-0200 | Fax: (202) 775-3199 cochairs
E-mail: books@csis.org | Web: www.csis.org
Scott Charney
USAF (ret.)
project director
James A. Lewis
July 2010


Lewis HumanCapital WEB BlkWhteVersion

Uploaded by

Copyright:

Available Formats

Lewis HumanCapital WEB BlkWhteVersion

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lewis HumanCapital WEB BlkWhteVersion

Uploaded by

Copyright:

Available Formats

A Human Capital Crisis in

1800 K Street, NW | Washington, DC 20006

CSIS CENTER FOR STRATEGIC &

Today, CSIS is a bipartisan, nonprofit organization headquartered in Washington,

©2010 by Center for Strategic and International Studies

All rights reserved.

Evidence continues to build showing our information infrastructure is vulnerable to threats

Military and nuclear energy systems are under continuous attack,

Terrorists and organized crime groups are actively exploiting weak US

A critical element of a robust cybersecurity strategy is having the right people at

• Promote and fund the development of more rigorous curricula in

• Support the development and adoption of technically rigorous

• Use a combination of the hiring process, the acquisition process

• Ensure there is a career path as with other disciplines like civil

It is the consensus of the Commission that the current professional certification

• Individuals and employers are spending scarce resources on

• Credentials, as currently available, are focused on demonstrating

What is being done

How we get from where we are

Expand cyber education. The current Administration is addressing the education of

While billions of dollars are being spent on new technologies to secure

The Commission makes recommendations to build on the current activities

• Major private sector organizations that employ cybersecurity

• Universities with major cyber education and research programs; and

• Key Federal government agencies.

We are unified by a shared objective to help protect our critical infrastructure by

We are beginning now.

Military and nuclear energy systems are under continuous attack,

Terrorists and organized crime groups are actively exploiting weak US

A critical element of a robust cybersecurity strategy is having the right people at

Richard Hale, Chief Information Assurance Executive at the Defense Information

• Promoting and funding the development of more rigorous

• Supporting the development and adoption of technically rigorous

• Using a combination of the hiring process, the acquisition process

It is the consensus of the Commission that the current professional certification

• Individuals and employers are spending scarce resources on

• Credentials, as currently available, are focused on demonstrating

Any efforts to mandate certifying and licensing requirements based on the

ACM believes the problem of reliable and dependable software,

VISION for the FUTURE Cybersecurity Workforce

The Commission envisions a technically proficient cybersecurity workforce to

Assumption: This paper is based on a simple assumption:

“Skills matter and must be demonstrated on-the-job.”

Background: The workforce challenge is being addressed in several ways:

DEPARTMENT OF HOMELAND SECURITY (DHS)

INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION

Certified Information Systems Security Professional (CISSP) is an information

ISACA, originally known as the, “Information Systems Audit and Control

The SANS INSTITUTE (http://www.sans.org)

SANS is a graduate degree-granting education and research institution that also

The INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)

The IEEE is an international non-profit, professional organization, which provides

• Certified Software Development Associate (CSDA); and

NATIONAL SECURITY AGENCY (NSA)

Additionally, the NSA has an initiative underway which is working to qualifying

DEPARTMENT OF DEFENSE (DoD): DoD 8570.01-M, “Information Assurance

Implements DoD Directive 8570.1, “Information Assurance Training, Certification,

• Develop a DoD IA workforce with a common understanding of the

• Provide warfighters qualified IA personnel in each category,