By Patience Wait
The first step toward better information security in the government is
to provide more training for the people responsible for keeping
That's the approach being taken by Nancy DeFrancesco, chief
information security officer for the Commerce Department. With
DeFrancesco as the champion, the department is implementing an
education and training program for its information security
professionals that she hopes will develop into a center of excellence
within the Security Line of Business initiative established by the
Office of Management and Budget.
DeFrancesco convinced the department last month to hire (ISC)2 Inc. of
Palm Harbor, Fla., to provide courses for employees to earn
designations as Certified Information Systems Security Professionals
(CISSP), System Security Certified Professionals (SSCP) and
Certification and Accreditation Professionals (CAP).
"Education is a large part [of our IT budget] because I make it that
way," DeFrancesco said. "I have a commitment from the Secretary of
Commerce [Carlos M. Gutierrez] that it's important."
For the past two years, IT security professionals in the department
had been using the Office of Personnel Management's online learning
center. But DeFrancesco wanted a broader course offering, and she
wanted to give employees different ways to access materials.
"Our component [agencies] were interested in instructor-led training,
and, of course, people learn in different ways," she said.
Getting the funding to set up the educational program was a challenge,
DeFrancesco said. Her office has a small budget; most information
security funds are allocated to the department's major program areas.
To gain the funding, she persuaded component agencies, such as the
Census Bureau, to contribute money to get it off the ground.
"We had great participation - I was very surprised and pleased," she
said. "A solid education program is critical to reaching personnel in
the department with significant information security responsibility."
John Mongeon, head of the government services division at (ISC)2, said
that DeFrancesco's push to set up training and education opportunities
shows that "Commerce is dedicated to building the next generation of
information security managers."
"Commerce is a pretty robust agency, with personnel all over the
place," Mongeon said.
To accommodate the dispersed workforce, his company will be providing
courses through several channels - classes on-site at Commerce
headquarters in Washington, vouchers for employees scattered around
the country to take classes off-site at (ISC)2 public education
venues, and online classes.
The first, one-day class, on the system certification and
accreditation process, was held May 31 at Commerce headquarters. All
the session's 25 slots were filled and DeFrancesco already has a
waiting list for the next offering. The department will hold a week of
information security training the first week of August, and is
planning to schedule other certification and accreditation classes in
June and July.
DeFrancesco said that she is hoping the information security education
program will prove so successful that it can be established as a
center of excellence in OMB's Security LOB.
A COE does not have to provide soup-to-nuts solutions for a particular
line of business; instead, it can carve out a particular specialty.
The Justice Department, for instance, last fall submitted a business
case to OMB that its Cyber Security Assessment and Management system
should become the standard tool for all agencies looking to track
Sources said the Treasury Department and the Environmental Protection
Agency also submitted business cases related to aspects of the
Security LOB for fiscal 2007, but no decisions have been made about
granting any of the applications.
It might seem ironic for a department to aspire to host a center of
excellence in security despite its poor Federal Information Security
Management Act grades - under FISMA agencies are graded on their
security measures and compliance, and Commerce has veered from F to C-
to D+ over the past three years. But DeFrancesco said it's
appropriate, because everything starts with educating and training the
people who bear the responsibility for implementing security.
"I did participate on the task force for the information security LOB,
[and I'm] very familiar with that particular initiative," she said.
DeFrancesco said it is too early to put together the business case
application to submit to OMB. The education program first has to get
up and running, and demonstrate its value to information security