INFOSEC Assurance
Training and Rating Program
We realize that many students have not had their names added to the IATRP certified list or their information updated. We apologize for the delays and any inconvenience. The website is being reworked without any change to what you should see. Please contact iatrp@iatrp.com if you feel your information is not correct or needs updating. Thank you for your patience.
What's New
- New Look & Feel
- IAM version 3.1
- New Program Number: 410-854-8959
On December 12, 2001, Mr. Michael Jacobs, National Security Agency’s
Director of Information Assurance (now retired)*, presented the
representatives from seven companies with certificates thanking them
for their participation in NSA’s INFOSEC Assessment Training and
Rating Program (IATRP). Specifically, the seven firms agreed to have
their INFOSEC vulnerability assessment capability appraised against
NSA’s INFOSEC Assessment Capability Maturity Model.
All seven companies perform assessments using either the NSA-developed
INFOSEC Assessment Methodology (IAM) or a similar assessment methodology.
NSA developed the IATRP, of which the IAM is a component, for the
benefit of prospective assessment customers, many of which are government
organizations and private companies trying to comply with Presidential
Decision Directive (PDD)-63. The Program is designed to offer standardized
guidance and training for defining and improving the community-wide
INFOSEC assessment process. The long-term goal of the Program is
to protect the sensitive information with which our government conducts
business, by increasing the information assurance levels of our
National and Defense Information Infrastructures.
The companies represented on December 12 were: Backbone Security.com;
Booz, Allen, Hamilton; Computer Sciences Corporation (CSC); Electronic
Data Systems (EDS); Lucent Technologies; SRA International; and
TrustWave (formerly NetSafe).
The INFOSEC Vulnerability Assessment Division has been developing the INFOSEC Assessment Training and Rating Program for approximately two and a half years. The Program assists primarily government organizations needing an assessment, by identifying companies which are qualified to perform IAM or IAM-like assessments. Currently, unless they qualify for an assessment by NSA, these government organizations have to choose from dozens of commercial firms, with little or no insight about how a given provider conducts assessments. NSA hopes that this program will raise the standards for quality assessments and achieve overall consistency in performing assessments throughout the community.
As the name implies, the program has both a training and a rating
component. The “training”
portion of the program provides a standardized assessment methodology
(the IAM) to commercial service providers and government personnel.
The “rating” portion of the program is intended to assign
a series of ratings to commercial assessment service provider organizations,
so prospective government customers can judge whether or not a provider
is postured to meet its requirements. Ratings are assigned after
the provider has been appraised against the INFOSEC Assessment Capability
Maturity Model (IA-CMM), a standard based on the Systems Engineering
Capability Maturity Model of Carnegie Mellon University. The appraisal
measures the maturity of the organization’s processes for
performing IAM-type INFOSEC assessments. The IA-CMM defines five
levels of process capability from Level 1: Performed Informally,
to Level 5: Continuously Improving, and the organizations receive
ratings in nine process areas.
*Mr. Dick Schafer is the National Security Agency's current Director
of Information Assurance.