To begin my reply to your query, the words "direct full-time security professional work experience" already suggest that a degree by itself is not enough, but the statement "three years of direct full-time security professional work experience in one or more of the ten test domains of the information systems security Common Body of Knowledge (CBK) with a college degree or equivalent life experience" is pretty conclusive that real-world on-the-job experience is absolutely required in addition to the degree program you're pursuing. On the other hand, if you can make a case that part-time work or unpaid research work counts as "on-the-job experience", you might be able to appeal to them for special treatment.
I just talked to a very helpful guy at ISC-squared and learned that my surmise is correct: it's highly unlikely that you can replace more than one year of the four-year requirement with academic studies right now, because of the extreme importance of hands-on, in-the-trenches, on-the-job experience in working with security. Feel free to file your own appeal or to raise the question directly with them if you like, but I'm pretty sure you'll get the same response I'm giving you now (just having talked it through with Phil Wind of ISC-squared by phone). You will find contact information for the group at https://www.isc2.org/cgi-bin/contact.cgi.
Thanks for your inquiry. Good luck with your certification pursuits.
This was first published in January 2003