On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said:
> (d) CERTIFICATION.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional.
Highly unlikely that 3 years is sufficient time to devise a certification, a testing program, and get enough people certified. 5 years would be much more reasonable. It will probably take over a year just to thrash out what a "certification" is. Consider the vast difference in scope and depth between a CISSP and one of the GIAC certs. (Ghod forbid somebody suggest something rational like "upper managers need a CISSP-ish cert and line employees need a relevant GIAC-ish cert"... :)
> (e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any provision of law to the contrary, the head of a Federal agency may not use, or permit the use of, cybersecurity services for that agency that are not managed by a cybersecurity professional who is certified under the program.
Unintended consequences - will this encourage the head of an agency to instead say "screw it" and *not* use any cybersecurity services?
> A question for the NANOG community - if this section were to only apply to US government employees would it be acceptable? In other words, strike any reference to the private sector (except perhaps for those in the private sector who are under contract to perform government work.)
Limiting it to "US government agencies, employees, and contractors" would certainly trim out about 95% of the contentious areas. But it still leaves me, personally, on the hot seat - am I on the hook because I'm responsible for research data that's NSF-funded? ;)