Ask the Expert

Why doesn't the CISSP cover information assurance and DIACAP?

I work with the government, and I have a problem with the CISSP certification because it in no way qualifies a person to work in a mission-critical government environment; it is specifically applicable to an enterprise environment. The CISSP is good for screening for basic knowledge, but it does not cover issues such a Cross Domain Solutions. Why doesn't the CISSP cover DIACAP and other IA issues, and is there a certification that does?

    Requires Free Membership to View

I can't say for certain why the CISSP doesn't cover information assurance and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) (DoD 8510.01p), as I've had no contract with anyone on the curriculum committee, but if I had to hazard a guess, I'd say it is because DIACAP is specific only to the DoD, and the CISSP is a general high-level management certification. Similarly, I'd guess that's why FISMA is also not covered. As a result, DIACAP and information assurance specifics fall outside the scope of the intent of the CISSP exam and courses of study.

To be clear, the CISSP is not specifically applicable to an enterprise environment, but rather to general security management. Remember, what you are looking for is not a security manager, but an auditor. The issue you are encountering has nothing to do with the CISSP per se, but rather with your organization looking to CISSPs (and likely CISMs as well) to perform tasks they weren't trained for. Complaining that a CISSP doesn't know IA is like complaining that an MCSE can't configure a router: It shouldn't be a surprise to anyone.

If you look up DoD 8570.01m, which is the Department of Defense standard that requires certifications for DoD employees engaged in security activities, you will see a chart on page 92 that breaks down the areas of specialty by certification. That chart shows the recommended certifications for CND Auditor as a GNSA or a CISA. I did a quick review of the websites and neither certification appears to address DIACAP specifically. Keep in mind that the specifics of any audit standard are relatively easy to learn once the larger process is understood, so I wouldn't particularly worry about it.

Finally, keep in mind that certification doesn't qualify anyone to work in any environment: Training and experience qualify people to work in a particular environment. This is an especially important point in the case of the federal government, as it requires these certifications as part of employment. This does not guarantee that certificate holders are qualified in any circumstance. In this case, however, it creates a large incentive for organizations to help people get certified even faster, which, ironically, makes the certification even more worthless, as less qualified people can obtain it.

For more information:
 

This was first published in July 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: