dod 8570

Background: In the past decade the DOD has taken concrete steps to protect the information resources of our military. Specific high profile hacking cases and a general public awareness of increasing reliance upon a vulnerable IT infrastructure have illuminated the necessity for our critical national defense organizations to protect and safeguard their computing systems against threats both internal and external.

Scope and Progress: Certification requirements are closely matched to job levels and activities as they are identified, tracked and catalogued within their respective organizations. DOD 8570 requirements extend to Government personnel, contractors and civilians employed in DOD IA roles. Four broad Government IA workforce categories govern the structure of DOD 8570 certification requirements. These are Information Assurance Technician (IAT), Information Assurance Manager (IAM), Information Assurance System Architect and Engineer (IASAE) and Computer Network Defense (CND). Workforce manpower certification statistics have been and continue to be mapped and monitored for completeness and overall unit training progress. Progress toward 100% certification is not publicly available, but anecdotal reports suggest that the Government remains behind schedule in certifying all personnel according to the original timetables laid out in the DOD 8570 manual.

Timetable: New hires into Department of Defense Information Assurance positions must be DoD 8570 certified within six months unless granted a temporary waiver. Uncertified workers must be supervised by certified personnel. All combat forces must be certified before deployment, unless granted a temporary waiver that suspends the regular certification timetable; upon return from combat deployment, the six-month requirement applies. The original 2005 DoD 8570 Manual specified a phase-in timetable that may have been more aggressive than realistic. Nevertheless, by the end of calendar year 2010, all workers performing Information Assurance Technical (IAT) and Information Assurance Management (IAM) functions must comply with certification requirements.

Critical areas: All IT workers either in the classified SIPRNET (Secret Internet Protocol Router Network) or unclassified NIPRNET (Non-classified Internet Protocol Router Network) networks must comply with the directive. Additionally, IA workers in areas that safeguard the privacy of personnel records, such as medical or demographic data, must comply with certification requirements.

Training overview: Certifications begin at the basic level, increase through tiers of responsibility, and all include a continuing education requirement that amounts to 20 - 40 hours per year, or 120 hours every three years. In addition to formal training and continuing education requirements, there are requirements for on-the-job hands-on experiential training. Certification levels span three tiers (Levels I, II and III) for both Information Assurance Technical (IAT) and Information Assurance Management (IAM) functions. Additionally, training should cover these topics as outlined in the Manual:
1. Laws, policies and procedures affecting the user community
2. The latest external threats to network security, such as scripts, hackers, crackers and foreign agents
3. Up-to-date internal threats such as incompetent, malicious or disgruntled authorized workers, crackers and hackers
4. Shared risk, risk of aggregating unclassified information, risk of remote access data transmission
5.2 Knowledge of how the latest malicious code examples such as Viruses, Trojan Horses, Worms, Logic Bombs can infiltrate a system, the damage they can cause, and how to contain and repair their damage
6. Denial of service attacks
7. Embedded hardware and software vulnerabilities
8. Encryption principles and applications
9. Restricting access through passwords and data hierarchies
10. Policy and procedure differences between classified and non-classified networks
11. Data archival policies and procedures
12. Operating-system specific training will be required of technical personnel

Training components - IAT Level I: The COMPTIA A Plus certification and COMPTIA Network Plus certification form part of the first level of 8570 technical certification. Additionally, the Systems Security Certified Practitioner (SSCP) is required on the IAT side.

Training components - IAT Level II: The COMPTIA Security Plus certification is one of four DOD 8570 formal education requirements for IAT Level II. Additionally, the GIAC (Global Information Assurance Certification) Security Essentials Certification (GSEC), the Security Certified Network Professional (SCNP) and SSCP certifications form the IAT Level II curriculum.

Training components - IAT Level III: The Certified Information Systems Security Professional (CISSP Certification) is part of the four core formal study requirements. The Certified Information Systems Auditor (CISA certification), GIAC Security Expert (GSE) and Security Certified Network Architect (SCNA) certifications complete the formal educational requirements for IAT Level III.

Training components - IAM Level I: Certifications in GIAC Information Security Fundamentals (GISF) certification, GIAC Security Leadership Certification (GSLC), CompTIA Security+ and Certification and Accreditation Professional (CAP) constitute the four formal requirements for the IAM Level I accreditation.

Training components - IAM Level II: Certifications in GIAC Security Leadership Certification (GSLC), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certification and Accreditation Professional (CAP) constitute the four formal requirements for the IAM Level II accreditation.

Training components - IAM Level III: The Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and GIAC Security Leadership Certification (GSLC) accreditations constitute the three formal requirements for the IAM Level III certification.

Training components - IASAE and CND: The certification requirements for these workforce categories draw from the same body of off-the-shelf IT security courses, plus a specialized battery of certifications including Information Systems Security Engineering Professional (ISSEP), Information Systems Security Architecture Professional (ISSAP), Certified Ethical Hacker (CEH). GIAC Certified Incident Handler (GCIH), Certified Computer Security Incident Handler (CSIH), GIAC Systems and Network Auditor (GSNA) and Certified Information Systems Security Professional - Information Systems Security Management Professional (CISSP-ISSMP).

Training providers: The aggressive deadline that the DOD has set for IAM and IAT personnel certifications will be met by ANSI-certified third party Information Assurance training providers such as Knowledge Center Inc, a proven vendor of quality classroom and online IT certification programs. Washington DC based KCI has earned a stellar reputation in the IT training sector by successfully certifying in tens of thousands of IT professionals. Their client list covers not only all major US government agencies but also a large percentage of Fortune 500 companies spanning all major industry sectors.

Training methodology: The baseline for DOD training and certification is Computer Based Training (CBT) and web-based instruction. The DAA may waive or modify training requirement as it adapts to changing environmental conditions and resource constraints.

Urgency: Again, the deadline for DOD 8570 IA certification across the entire armed forces has been set as December 31, 2010. Because all personnel must be certified in their respective units by this date, schools across the country are seeing unprecedented demand for class seats. Quick certification programs are being offered to accommodate the urgency and satisfy demand, but space is limited by available resources.