Why doesn't the CISSP cover information assurance and DIACAP?

Why doesn't the CISSP cover information assurance and DIACAP?

I work with the government, and I have a problem with the CISSP certification because it in no way qualifies a person to work in a mission-critical government environment; it is specifically applicable to an enterprise environment. The CISSP is good for screening for basic knowledge, but it does not cover issues such a Cross Domain Solutions. Why doesn't the CISSP cover DIACAP and other IA issues, and is there a certification that does?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I can't say for certain why the CISSP doesn't cover information assurance and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) (DoD 8510.01p), as I've had no contract with anyone on the curriculum committee, but if I had to hazard a guess, I'd say it is because DIACAP is specific only to the DoD, and the CISSP is a general high-level management certification. Similarly, I'd guess that's why FISMA is also not covered. As a result, DIACAP and information assurance specifics fall outside the scope of the intent of the CISSP exam and courses of study.

To be clear, the CISSP is not specifically applicable to an enterprise environment, but rather to general security management. Remember, what you are looking for is not a security manager, but an auditor. The issue you are encountering has nothing to do with the CISSP per se, but rather with your organization looking to CISSPs (and likely CISMs as well) to perform tasks they weren't trained for. Complaining that a CISSP doesn't know IA is like complaining that an MCSE can't configure a router: It shouldn't be a surprise to anyone.

If you look up DoD 8570.01m, which is the Department of Defense standard that requires certifications for DoD employees engaged in security activities, you will see a chart on page 92 that breaks down the areas of specialty by certification. That chart shows the recommended certifications for CND Auditor as a GNSA or a CISA. I did a quick review of the websites and neither certification appears to address DIACAP specifically. Keep in mind that the specifics of any audit standard are relatively easy to learn once the larger process is understood, so I wouldn't particularly worry about it.

Finally, keep in mind that certification doesn't qualify anyone to work in any environment: Training and experience qualify people to work in a particular environment. This is an especially important point in the case of the federal government, as it requires these certifications as part of employment. This does not guarantee that certificate holders are qualified in any circumstance. In this case, however, it creates a large incentive for organizations to help people get certified even faster, which, ironically, makes the certification even more worthless, as less qualified people can obtain it.

For more information:

This was first published in July 2009