First the history: CISSP-ISSEP was originally created so the U.S. National Security Agency (NSA) could have a measurable standard for hiring Information Systems Security Engineers (ISSE), both as government employees and as contractor employees. That is the major reason the original ISSEP domain structure relied so heavily on the old Information Assurance Task Force (IATF) Volume 3. When the program was put in place, the NSA began a big push to get staff certified as CISSP, and then to move on to adding the -ISSEP to their credentials.
The NSA had planned to require all ISSE employees, especially in contracted companies, to hold the CISSP-ISSEP.
Well, the NSA allowed the IATF to die from neglect, and it took many years for NIST to pick up the slack with NIST SP 800-160 Volume 1.
So, my question: Can anyone tell us the current policy, and level of implementation, for requiring CISSP and CISSP-ISSEP at NSA?
Craig
There is a little more history behind the development of NIST SP 800-160 than meets the eye. It was an extension of a body of work on systems security engineering by an individual who was close to the IATF. Their dissertation formed the basis for the SP. The fact was that the IATF had lost its utility to the agency and needed to evolve into something much bigger that aligned to ISO/IEC 15288. Now, in terms of acceptance and requirements, all you have to do is look at the member counts for a hint to your answer.
@AppDefects wrote: There is a little more history behind the development of NIST SP 800-160 than meets the eye. It was an extension of a body of work on systems security engineering by an individual who was close to the IATF. Their dissertation formed the basis for the SP. The fact was that the IATF had lost its utility to the agency and needed to evolve into something much bigger that aligned to ISO/IEC 15288. Now, in terms of acceptance and requirements, all you have to do is look at the member counts for a hint to your answer.
Rachel,
Could you please provide the name of the dissertation author and the dissertation? I had not heard that part of the story. I had a conversation at an ISSA NOVA Chapter meeting with Ron Ross about the need to replace the (dead) IATF Ch 3 about three years before he started work on 800-160. Then, once it was underway, I had regular conversations with co-author Michael McEvilley at MITRE as he kept me current on the evolution from simply updating Chapter 3 to incorporating ISO/IEC 15288, and on the important decision to expand the document from only ISSE to System Security Engineering (SSE), aligning with INCOSE SE work as well. Early on, there was another MITRE team supporting NSA in their rewrite of IATF Chapter 3; that document became one of the initial inputs to Ross's effort.
I'd enjoy continuing this conversation by direct email, too, if you like.
Best regards,
Craig
I had a comical experience while interviewing with a commercial company that wanted an ISSEP on staff. I think their "Lead Security Engineer" felt threatened or something by the time I was through answering what my "First 120 Day Plan" would be, because I never heard back from them.