I can't say for certain why the CISSP doesn't cover information assurance and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) (DoD 8510.01p), as I've had no contract with anyone on the curriculum committee, but if I had to hazard a guess, I'd say it is because DIACAP is specific only to the DoD, and the CISSP is a general high-level management certification. Similarly, I'd guess that's why FISMA is also not covered. As a result, DIACAP and information assurance specifics fall outside the scope of the intent of the CISSP exam and courses of study.
To be clear, the CISSP is not specifically applicable to an enterprise environment, but rather to general security management. Remember, what you are looking for is not a security manager, but an auditor. The issue you are encountering has nothing to do with the CISSP per se, but rather with your organization looking to CISSPs (and likely CISMs as well) to perform tasks they weren't trained for. Complaining that a CISSP doesn't know IA is like complaining that an MCSE can't configure a router: It shouldn't be a surprise to anyone.
If you look up DoD 8570.01m, which is the Department of Defense standard that requires certifications for DoD employees engaged in security activities, you will see a chart on page 92 that breaks down the areas of specialty by certification. That chart shows the recommended certifications for CND Auditor as a GNSA or a CISA. I did a quick review of the websites and neither certification appears to address DIACAP specifically. Keep in mind that the specifics of any audit standard are relatively easy to learn once the larger process is understood, so I wouldn't particularly worry about it.
Finally, keep in mind that certification doesn't qualify anyone to work in any environment: Training and experience qualify people to work in a particular environment. This is an especially important point in the case of the federal government, as it requires these certifications as part of employment. This does not guarantee that certificate holders are qualified in any circumstance. In this case, however, it creates a large incentive for organizations to help people get certified even faster, which, ironically, makes the certification even more worthless, as less qualified people can obtain it.
For more information:
- Should enterprises ban USBs because the DoD banned them? Read more
- Hoping to get your CISSP certification? Check out our free CISSP training videos.
This was first published in July 2009