Information Assurance
For Compliance with:
-
DoD Directive 8570.1 Information Assurance Training, Certification, and Workforce Management;
-
DoD 8570.01- Manual, IA Workforce Improvement Program;
-
AR 25-2, Information Assurance
Information Assurance FAQs
♦ What is DoD Directive 8570.1?
♦ What is the status of the Manual (DoD 8570.1M)?
♦ Do I need any special training on how to implement DoD 8570.1?
♦ What support can the Office of the DoD CIO offer to Components to plan for 8570
implementation?
♦ Who has to pay for Certifications?
♦ Has the IA Workforce Improvement Program (IA WIP) been funded?
♦ Who needs to be certified?
♦ Now that the Manual is signed, how long until I have to become certified?
♦ Have the National Unions agreed to support these requirements?
♦ What role can the local unions play in the IA WIP?
♦ What can I do now to prepare for certification requirements?
♦ What can my Component do to prepare for requirements?
♦ If I fail a certification can I retake the exam?
♦ How can I identify who is in the IA Workforce?
♦ What do you mean by Computing Environment, Network Environment or Enclave?”
♦ How to identify the IAT Workforce?
♦ I want more information, who can I talk to?
♦ How can I get a copy of the Manual?
♦ Will the training and certification requirements specified in DoD Directive 8570.1
and the 8570.01-M replace Component, Command or community specific training
and certification requirements?
♦ I already hold a certification listed in DoD 8570.1-M, what more will I need to do?
♦ Do I have to take the training associated with a certification, or can I just take the
test?
♦Can DoD use appropriated funds for military or civilian personnel to take
commercial certification exams?
♦ What will qualify for continuous learning?
♦ What are the contractor certification implementation requirements?
♦ Has the DoD developed standard contract language for IA WIP requirements?
♦ How can Components address the requirements for contractors to be certified IAW
the DoD 8570?
♦ How do I report personnel who are filling more than one IA position?
♦ How do I submit suggestions or new ideas for inclusion in the IA WIP?
♦ What do you mean by Computing Environment, Network Environment or Enclave?
BACK TO THE TOP
♦ What is DoD Directive 8570.1?
DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.
Much of the Directive addresses workforce management issues. Components must identify and document in personnel and manpower databases, IA personnel and positions and make certain that IA personnel meet training and certification requirements related to their job functions. The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.
BACK TO THE TOP
♦ What is the status of the Manual (DoD 8570.01-M)?
The Manual has been approved by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII)/DoD Chief Information Officer (CIO). It is now mandatory for all DoD organizations to comply with its requirements. A copy of the Manual is available on the DoD Publications website located at: http://www.dtic.mil/whs/directives
BACK TO THE TOP
♦ Do I need any special training on how to implement DoD 8570.01-M? (I have received e-mails from commercial activities stating that I must attend a mandatory training session on implementing DoD 8570.1)
No. Neither you, nor your organization needs special training regarding the implementation of DoD 8570.01-M. Furthermore, the DoD has not sponsored or required any commercial 8570.01-M implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.01-M implementation.
BACK TO THE TOP
♦ What support can the Office of the DoD CIO offer to Components to plan for 8570 implementation?
Defense-wide Information Assurance Program (DIAP) personnel are available to provide briefs and to support regional or major command workshops for 8570 implementation planning. You are strongly encouraged to work within your Component Human Resources and IA operations leadership to establish a plan for meeting the requirements outlined in DoD 8570.1 and DoD 8570.01-M.
BACK TO THE TOP
♦ Who has to pay for Certifications?
For DoD military and civilian IA Workforce members, the DoD Component must budget for and pay for an individual’s “required” certification. The Component must also ensure appropriate training is provided for the position and preparation for the certification exam.
BACK TO THE TOP
♦ Has the IA Workforce Improvement Program (IA WIP) been funded?
Yes. The DoD CIO has included funding in the PDM to support initial implementation requirements including certifications exams and personnel database updates.. Funding via the PDM does not include training, Components should already have IA training in their budgets . These requirements cover the IA WIP implementation phase from FY07 to FY10. DoD Components are required to include IA WIP sustainment requirements in their budget plans.
The Government cannot pay for contractor certification or certification preparation training. However, the Government can support contractor training for the actual system and procedures they are supporting.
BACK TO THE TOP
♦ Who needs to be certified?
Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual.
See the question below on “How can I Identify the IA Workforce?” later in this FAQ document.
The training, certification, and workforce management requirements of 8570.01-M apply to all members of the DoD IA workforce including military, civilians, local nationals, Non-appropriated fund (NAF) personnel, and contractors. The requirements apply whether the duties are performed full-time, part-time, or as an embedded duty.
Future updates to the Manual will incorporate specialized elements of the IA workforce. Chapters on System Architecture and Engineering and Computer Network Defense Service Providers have been drafted and are currently entering the formal DoD staffing process. These chapters will establish certification requirements for members of the workforce who perform system design functions, such as requirements gathering and computer network defense service provider specialized functions that are not currently addressed by the manual. Additional Chapters will be drafted for Certification and Accreditation and Vulnerability Analysts. Until these chapters are published positions/personnel performing these functions, with privileged access for the Computing, Network, or Enclave Environment, should be included as IA workforce members in IAT Levels I – III based on the environment within which they are working.
BACK TO THE TOP
♦ Now that the Manual is signed, how long until I have to become certified?
Components are required to have all identified IA personnel certified to the baseline requirement within five fiscal years of the Manual’s publication date (19 Dec 2005). FY 06 is the planning year to develop Component and local IA Workforce Improvement Program (IA WIP) implementation plans. The Manual requires 10 percent of the IA workforce to become certified in FY07 and an additional 30 percent each fiscal year following. By the end of FY 2010, all personnel performing IA functions described in the DoD 8570.01-M should be certified.
BACK TO THE TOP
♦ Have the National Unions agreed to support these requirements?
Yes. As part of the DoD’s formal staffing process, USD P&R conducted a “national consultation” (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or where supportive of the IA WIP.
BACK TO THE TOP
♦ What role can the local unions play in the IA WIP?
The National Consultation (NCR) mentioned above does not absolve local parties from fulfilling their local bargaining obligations as appropriate prior to implementation of DoD policy. They can participate in the planning for meeting the IA WIP requirements for the Civilian IA Workforce. The local union can not negotiate the actual implementation requirements.
For example:
· Who needs to be certified is non negotiable.
· Order/priority to certify the local IA Workforce may be negotiated.
· The number of retests the organization will fund may be negotiated.
BACK TO THE TOP
♦ What can I do now to prepare for certification requirements?
Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD internally available training (e.g., Service Schoolhouse IA courses, DISA web based training) or external training currently supported by your Component for courses with learning objectives directly aligned to baseline certifications outlined in the Manual.
BACK TO THE TOP
♦ What can my Component do to prepare for requirements?
Components should identify IA workforce positions and personnel based on the categories, levels, and functions for IAT and IAM levels I – III described in DoD 8570.01-M. Positions/personnel performing specialized functions for the Computing, Network, or Enclave Environment should be included as IAT or IAM Levels I – III based on the environment within in which they are working. Specialized IA positions include Certification and Accreditation, Computer Network Defense, Vulnerability Analysts, and Information System Architects and Engineers (defined below) (see question on “Identifying the IA Workforce” below and “Who needs to be certified?” above for more information):
Certification and Accreditation: Personnel who support the documentation and compliance with the standard process, set of activities, general tasks, and management structure to certify and accredit DoD information systems that will maintain the information assurance and security posture of the Defense Information Infrastructure (DII).
Computer Network Defense: Computer Network Defense (CND) personnel provide CND situational awareness, implement CND protect measures, monitor and analyze network alerts in order to detect unauthorized activity, and implement CND operational direction. CND Services are commonly provided by Computer Emergency or Incident Response Teams (CERT/CIRT) and may be associated with a Network Operations Center (NOSC).
Information System Architecture and Engineering: Personnel who design, develop, implement, and/or integrate a DoD IA architecture, system, or system component for use in IA level I, II, or III environments. They may perform these tasks at either Technical or Management levels depending on whether they have privileged access or perform management type tasks.
Vulnerability Analysts (VA): Provide on site information system analysis to develop and provide a site “security profile”. Vulnerability Analysts travel to various sites to collect and analyze system configuration data to provide an accurate security profile to the local IAM.
BACK TO THE TOP
♦ If I fail a certification can I retake the exam?
Yes. The 8570.1 and 8570.01-M do not set a limit on the number of times a person may attempt to qualify for certification. However, Components must support at least one retest attempt but may set a limit on the number of additional retests they will support. Remember, until a DoD military or civilian employee completes the requirements of the IA WIP, to include becoming fully certified, they are not authorized to fill an IAT or IAM billet (after the 4 year implementation phase). If the member’s Component has set a limit on the number of retest attempts, an individual may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements such as background investigation, OJT, etc.).
BACK TO THE TOP
♦ How can I identify who is in the IA Workforce?
First, the IA WIP is a workforce management program. The key to workforce management is the position. All positions required to perform IA functions must be identified. Second any person filling that position is then automatically part of the IA workforce whether it is full time, part-time, or embedded duty or whether it is their “primary specialty”, secondary or not a specialty but just another duty as assigned (this approach may lead to minimizing/eliminating IATs as an embedded duty group).
Here are steps to identify IA positions: The DoD 8570.01-M establishes the basic requirements. The current version of the Manual has two categories, technical (IAT) and management (IAM). Each category has three levels based on where the position is located within the overall Information System architecture (see Diagram under this question). Each level of architecture is specifically defined in Appendix 1 of the Manual. The Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the “IA Level” is related to the system architecture, not to an individual’s grade or experience.
Also see the Diagram under:
Chapters 3, 4, and 5 of the Manual list IA functions for each level of the information system architecture depicted above. Positions/personnel required to perform any of these functions are part of the IA workforce.
Chapters 3, 4, and 5 of the Manual list IA functions for each level of the information system architecture depicted above. Positions/personnel required to perform any of these functions are part of the IA workforce.
BACK TO THE TOP
♦ How do I identify the IAT workforce?
Two basic questions to help identify IA Technical positions:
1. Does the position require privileged access to a DoD information system Computing, Network, or Enclave environment?
2. Does the position include anyof the functional requirements listed in Chapter 3of the Manual for that level of the information system Architecture?
· If the answer to both 1 and 2 is yes the position is an IAT position.
· If the answer is no to both then it is not an IAT Position.
· If the answer is no to either 1 or 2 it is not an IAT position
· If the answer is yes to 1 and no to 2 it is not an IAT position
· If the answer is no to 1 and yes to 2 it may be an IA Manager or other IA position
BACK TO THE TOP
♦ How to identify the IAM Workforce?
Two basic questions to help identify IA Management positions:
1. Does the position have responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment?
2. Does the position include any of the functions listed in Chapter 4 of the Manual for that level of the information system Architecture?
· If the answer to both 1 and 2 is “yes” then the position is an IAM position.
· If the answer is no to both 1 and 2, it is not an IAM position.
· If the answer is yes to 1 and no to 2 it is not an IAM position.
· If the answer is no to 1 and yes to 2 it may be an IA position but not an IAM position as currently defined in the Manual.
(Note: additional specialized categories of the IA WF have been identified and chapters will be added in the future for Certification & Accreditation, Computer Network Defense Service Providers, Information Systems Security Architects, and Vulnerability Analysis.)
Please see the power point brief on the DoD 8570.01-M located on this web-site for additional information on identifying the IA Workforce positions and specific requirements for individuals in those positions.
BACK TO THE TOP
♦ I want more information, who can I talk to?
For more information about DoD Directive 8570.1 and the enterprise-wide training and certification initiative, contact the IASE Helpdesk.
BACK TO THE TOP
♦ How can I get a copy of the Manual?
For a copy of the Manual, DoD 8570.01-M check the DoD Publications Web-site at http://www.dtic.mil/whs/directives/
BACK TO THE TOP
♦ Will the training and certification requirements specified in DoD Directive 8570.1 and 8570.01-M replace Component, Command or community specific training and certification requirements?
No. The 8570 provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with relevant Component, command, or community specific requirements for IA training and/or certification.
Components may require personnel performing IA job functions to complete specific certifications in addition to those identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component specific requirements.
BACK TO THE TOP
♦ I already hold a certification listed in DoD 8570.01-M, what more will I need to do?
Notify your respective personnel point of contact to make certain that your certification status is documented in the appropriate personnel database of record.
Also you will need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). Note that all certifications included in the Manual currently do require or will require in the near future, continuous learning as part of their certification requirements. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.
In addition, the Manual requires IATs to obtain a local operating system certification in addition to the baseline requirements.
BACK TO THE TOP
♦ Do I have to take the training associated with a certification, or can I just take the test?
Under DoD Directive 8570.1 and as specified in DoD 8570.01-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a “pre-test” or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.
BACK TO THE TOP
♦ Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?
Yes. Chapter 101 of Title 10, United States Code has been amended to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. The FY06 DoD Appropriations Bill gives uniformed personnel parity with civilians.
BACK TO THE TOP
♦ What will qualify for continuous learning?
The minimum continuous learning requirement for certifications included under DoD 8570.01-M is typically 40 hours annually or 120 hours over a three-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, DOD CIO is working with certification providers to identify proposed activities that would qualify for credit.
Note that all certifications included in the Manual currently require or will require continuous learning as part of retaining certification status.
BACK TO THE TOP
♦ What are the contractor certification implementation requirements?
Contractors performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.01-M for the category and level functions in which they are performing. As with the military and civilian IA workforce, contractors have four years to meet the requirements of the 8570.01-M. The requirement is for 10% to be certified in the first year and 30% each year following. Other specific requirements from the Manual include:
1. For new contractscontractor personnel supporting IA functions outlined in Chapters 3 and 4 should be appropriately certified in accordance with the overall four year implementation schedule. This means the contract should include the requirement for the contractor personnel to meet the overall 10%, 30%, 30%, 30% certification requirements depending on which year the contract starts. Requirements by fiscal year:
a. Starting in FY07 – 10% in 07, 30% in 08, 30% in 09, 30% in FY10.
b. Starting in FY08 – 40% in 08, 30% in 09, 30% in FY10.
c. Starting in FY09 – 70% in 09, 30% in FY10.
d. Starting in FY10 – 70% at contract award, 100% by the end of FY10.
2. The contracting officer will ensure that contracting personnel are appropriately certified. In the future they will need to provide verification to the Defense Eligibility Enrollment System (DEERS).
3. Components should not pay for contractors to obtain/retain required certifications. However, Components may provide additional training on local or DoD specific system procedures. (See question below for additional guidance on contractor implementation requirements.)
BACK TO THE TOP
♦ Has the DoD developed standard contract language for IA WIP requirements?
The DoD Chief Information Officer (CIO) has coordinated with the Undersecretary of Defense for Acquisition, Technology, and Logistics (AT&L), Defense Acquisition Regulations (DARs) Council to propose language to include in the Defense Acquisition Regulations (DFARS). These changes were approved by the Council and are currently in the “formal” staffing process before they will be added to the DFARS.
Until these changes are made in the DFARS, Components may use “local” clauses to implement these requirements for the contractor community.
BACK TO THE TOP
♦ How can Components address the requirements for contractors to be certified under the DoD 8570?
In general, Components must ensure that 10% of contractors are certified in FY07 and 30% of contractors are certified each subsequent year attaining 100% certification status by the end of FY10.
There are a variety of ways Components can operationalize this requirement. After reviewing and assessing current IA support contracts and considering: new requirements; renewal/expiration dates; the contractor implementation requirements described above; and length of current contracts; Component should plan on one of the following:
· Incrementally comply based on expiration/renewal dates for existing contracts
· Modify existing contracts to comply with the implementation requirements
· Include IA WIP requirements in requests for proposals (RFPs) for new contracts based on the percent of the IA workforce impacted by the contract (see response to “Has the DoD developed standard contract language for IA WIP requirements?”)
BACK TO THE TOP
♦ How do I report personnel who are filling more than one IA position?
The answer to this question depends on the purpose of the report and the organizational relationships.
For IA Workforce Management Reporting at the Component and/or DoD CIO DIAP level
For this purpose the DoD 8570.01-M reporting requirements are position driven. To effectively “manage” the IA workforce, the DoD Components and local commands must identify any position (table of organization or manning document) required to perform IA functions by category and level.
For Component/DoD CIO DIAP reporting, the information must include the qualifications of the person filling that billet. Therefore if a person is filling more than one IA position that person and their qualifications must be reported against that position requirement. However, if the person is performing those functions due to under manning, then the position should be reported as not filled.
Paragraph C7.2.5. of the DoD 8570.01-M says Components must…
”…track IA personnel training and certification against position requirements. Positions performing both management and technical functions must be identified individually in the appropriate manpower database. Personnel filling these positions must be aligned with both positions and maintain the appropriate certification/qualifications for each.”
Example A: A person filing an IAT Level I position and also performing IAM Level I functions should have positions indicated in the manpower documents for each category. That person and their qualifications would be reported against each position. This is how Component/DoD CIO DIAP management can analyze the IA workforce requirements achievement both from a “positions filled” and “positions filled with qualified people” viewpoint.
Personnel performing IA functions as both Government Service (GS) civilian personnel and military reservists must be reported seperately for each position.
Example B: A GS-12 IAT Level I performs full time IA functions in a designated civilian IA position. This individual is also a Major (0-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely seperate manning and personnel requirements, both positions should be reported individually (reported from each respective organization). The person requirement would also be reported against each position, since the person is filling two completely seperate personnel, manning requirements.
For FISMA Reporting:
FISMA reporting is based on Office of Management and Budget reporting requirements and is person driven. Their basic requirement is to identify anyone performing IA functions and whether they have been trained to perform those functions. The 2006 FISMA Guidance notes that “if an individual is performing in multiple IA categories, only count them once based on the IA role in which they spend the highest percentage of their time/effort”. Thus for FISMA, only report a person performing IA functions one time based on the position they spend the most time performing. If the person is “double hatted”? Performs two roles” due to covering functions for an unfilled IA position, only count them in positions they spend the most time performing.
Example A: An IAT Level I is assigned a primary duty (25 hours + per week) to support IA requirements for System A. There is another empty official “documented position” for System B which is co-located and the individual is required to cover the IA functions of that position (as an additional or embedded duty, 24 hours or less per week). Since FISMA is person focused, you would only report the individual based on the position requiring the highest percentage of their time – System A in this case.
Example B: A GS-12 IAT Level I performs full time IA functions in a designated civilian IA position. This individual is also a Major (0-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely seperate manning and personnel requirements, both positions should be included in the FISMA report (reported from each respective organization). The person requirement would also be reported against each position since the person is filling two completely seperate personnel requirements.
Example C: A Marine Corps Master Sergeant (MSgt.) performs full time IAT Level II functions in a joint combatant command headquarters. Who should report his position and personnel qualifications to FISMA? The Combatant Command owning the “joint” billet should report the MSgt. as one of their positions in their FISMA Report to the J-6. Every joint billet is supported by one of the Components, so in this case the Marine Corps is responsible to provide an appropriately certified Marine for the IA position. However, the Joint Staff or Combatant Command is responsible to fill that billet with a qualified person and report for FISMA. Note joint billets should be identified in the e-Joint Manpower and Personnel System (e-JMAMP).
Note that in all cases, the operational management of the IA workforce (the IAM) for all systems must know their IA positions and the qualifications of the people filling them.
For End Strength Reporting:
Components must track their personnel against authorized end strength. They must also track each persons’ IA qualifications (no mater what their current position assignment). End strength is people driven. For end strength, only count a person one time. Each person’s IA certification/qualification should be maintained whether or not they are currently in an IA position.
BACK TO THE TOP
♦ How do I submit suggestions or new ideas for inclusion in the IA WIP?
DoD 8570.1 Directive and DoD 8570.01-M established the DoD IA Workforce Improvement Program Advisory Council. This Council will work to keep the requirements of the IA WIP current by making appropriate updates and improvements. Each major DoD Component is represented as a voting member of the Council. Under the Council will be committees focused on IA WIP training, certification and workforce management. The identified Component representative to the sub-committees has the role of gathering input from their IA WF to submit to their Committees and to the Council as a whole. Contact your Component’s Office of Primary Responsibility Point of Contact to provide direct feedback.
BACK TO THE TOP
♦ What do you mean by Computing Environment, Network Environment or Enclave?
Understanding these terms is essential to properly identifying your IA Workforce. These terms are based on basic system architecture not on base, station, or command structure.
The DoD Appendix 1of the 8570.01-M contains definitions for each of these environments.
The diagram below portrays basic information about the three levels. The key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports directly.
Understanding these terms is essential to properly identifying your IA Workforce. These terms are based on basic system architecture not on base, station, or command structure.
The DoD Appendix 1of the 8570.01-M contains definitions for each of these environments.
The diagram below portrays basic information about the three levels. The key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports directly.
This diagram depicts a basic enclave within a DoD Component:
· Enclave. An enclave consists of at least two networks controlled by the enclave security policy and procedures.
· Networks. In the diagram example, three networks are depicted, Operations Network, Logistics Network and Human Resources network connecting to a Component Enclave. Each network consists of at least one Computing Environment.
· Computing Environment. A CE has a server with multiple stations working from it. The stations can be standard computers, remote sensors, satellite feeds, etc.
BACK TO THE TOP