Problem solve Get help with specific problems with your technologies, process and projects.

Why doesn't the CISSP cover information assurance and DIACAP?

The CISSP is the standard when it comes to information security certifications, but why is it required for government security jobs when it doesn't cover information assurance and DIACAP? Security management expert David Mortman responds.

I work with the government, and I have a problem with the CISSP certification because it in no way qualifies a person to work in a mission-critical government environment; it is specifically applicable to an enterprise environment. The CISSP is good for screening for basic knowledge, but it does not cover issues such a Cross Domain Solutions. Why doesn't the CISSP cover DIACAP and other IA issues, and is there a certification that does?

I can't say for certain why the CISSP doesn't cover information assurance and the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) (DoD 8510.01p), as I've had no contract with anyone on the curriculum committee, but if I had to hazard a guess, I'd say it is because DIACAP is specific only to the DoD, and the CISSP is a general high-level management certification. Similarly, I'd guess that's why FISMA is also not covered. As a result, DIACAP and information assurance specifics fall outside the scope of the intent of the CISSP exam and courses of study.

To be clear, the CISSP is not specifically applicable to an enterprise environment, but rather to general security management. Remember, what you are looking for is not a security manager, but an auditor. The issue you are encountering has nothing to do with the CISSP per se, but rather with your organization looking to CISSPs (and likely CISMs as well) to perform tasks they weren't trained for. Complaining that a CISSP doesn't know IA is like complaining that an MCSE can't configure a router: It shouldn't be a surprise to anyone.

If you look up DoD 8570.01m, which is the Department of Defense standard that requires certifications for DoD employees engaged in security activities, you will see a chart on page 92 that breaks down the areas of specialty by certification. That chart shows the recommended certifications for CND Auditor as a GNSA or a CISA. I did a quick review of the websites and neither certification appears to address DIACAP specifically. Keep in mind that the specifics of any audit standard are relatively easy to learn once the larger process is understood, so I wouldn't particularly worry about it.

Finally, keep in mind that certification doesn't qualify anyone to work in any environment: Training and experience qualify people to work in a particular environment. This is an especially important point in the case of the federal government, as it requires these certifications as part of employment. This does not guarantee that certificate holders are qualified in any circumstance. In this case, however, it creates a large incentive for organizations to help people get certified even faster, which, ironically, makes the certification even more worthless, as less qualified people can obtain it.

For more information:

This was last published in July 2009

Dig Deeper on CISSP certification

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.