With the publication of DoD Directive 8140.01, “Cyberspace Workforce Management” and Secretary of the Navy (SECNAV) Instruction 5239.20A, “Department of the Navy Cyberspace Information Technology and Cybersecurity Workforce (DON Cyber IT/CSWF) Management and Qualification,” a new approach to education, training and Cyber IT/CSWF qualification will occur. No longer will the demonstration of workforce cybersecurity, operating system, system tools and operating environment training rely solely on information assurance and operating system certifications. Instead, the use of certifications, along with military training, academic degree programs and other relevant credentialing programs will be integrated into the Cyber IT/CSWF Qualification Program. Within the DON, this includes but is not limited to commercial certifications, foundational cybersecurity training and education, technical training and education, on-the-job training, and demonstration of acquired skills and abilities.
The DON is moving from the decade-old Information Assurance Category and Level model outlined in earlier DoD Information Assurance (IA) workforce policy. We will now utilize the Category and Specialty area approach outlined in the National Initiative for Cybersecurity Education (NICE) Workforce Framework. This provides the ability to match a qualification to specialty areas and associated tasks and knowledge, skill and ability rather than functions based on network size. Additionally, we will move from the network size approach to a proficiency level approach, which more accurately addresses a person's qualification based on his or her work and experience.
The appropriate identification and use of military training, academic degree programs, commercial certifications, and credentials provides the DON with a viable program in which the most appropriate type and mix of training and education can be used for the development of our military and civilian personnel. The key in supporting the knowledge, skill and ability progression of our personnel is the integration of these training and education options to support the most effective delivery of knowledge to our personnel at the right time. Military training and academic programs are a vital part of the overall program; military training is the foundation of the development of our military personnel.
Commercial certification will still be required for those Cyber IT/CSWF members who have not met the credentialing requirement via formal military training or academic degree. The use of cybersecurity certifications remains a viable, and sometimes the only, option for personnel to demonstrate attainment of the level of cybersecurity education and training needed to qualify within their designated Specialty Area (SA). Commercial certifications will remain an integral part of the overall DON Cyber IT/CSWF Qualification Program. A commercial certificate may also be the most effective approach for gaining needed knowledge of an operating system, tool, computing environment, and also for focused/specialized cybersecurity areas.
There will be several options for personnel to be qualified as the DON transitions from the mandatory IA certification requirement as dictated in current guidance. Elements of the new DON Cyber IT/CSWF qualification program include:
- Military Training,
- Certification,
- Academic Degree Programs,
- Commercial Credentials/Certificates,
- Continuous Learning,
- On-the-Job Experience, and
- Individual Qualification Programs.
The DON will continue to require Continuing Education. This will ensure that the DON Cyber IT/CSWF continues to develop their knowledge and skills in an ever-changing cyber environment. As the training provided in military programs maps to the Specialty Area and is also associated with commercial certifications, these personnel should be encouraged and provided the resources and funding necessary to obtain and maintain commercial certifications on a voluntary basis.
In addition to using certificates to gain basic knowledge, DON civilian personnel looking to improve their knowledge and ability and prepare for more demanding positions may also want to consider the option of using commercial certifications and certificates as the most effective path. Academic programs may require large amounts of time and may not focus specifically on areas in which a person needs to improve to raise his or her proficiency level and/or gain the additional knowledge needed for new positions. Maintaining the mapping of approved commercial certifications and certificates within the Cyber IT/CSWF Qualification program provides the foundation for the career progression of DON civilian personnel. Additionally, training for more advanced and alternative certifications/certificates helps satisfy current continuing education requirements.
Determination of applicable continuing education requirements for the entire workforce, regardless of whether they have a military training certificate, academic degree, or commercial certification, should not differ between these options within a Specialty Area as each has been mapped to the Specialty Area. Regardless of how personnel obtained initial knowledge, continuing education should be the same, or nearly the same.
There are also circumstances in which commercial cybersecurity certifications/certificates become the most viable option and may be the most effective approach for providing information to personnel. These include:
- Emergent information not incorporated into military training or academic programs;
- Information that cannot be added to military training programs due to cost considerations (cost to deploy/training days);
- Information focused on a specialized group;
- Military training programs not open to civilians, or with limited civilian throughput;
Information that is only useful for a limited time period; and
- Requirement for hands-on network training and student evaluation.
In these circumstances, the DON will work with commands, military training organizations, academic institutions and commercial certification providers to establish the most effective options for training the workforce. There may be many instances in which the technical requirements and schoolhouse availability of virtual environments and the ability to incorporate current and emergent threat tactics, as well as tactics, techniques and procedures, may best suit environments available through academic and commercial sources. This may be especially appropriate for emergent technologies, infrastructure, and processes that need to be taught to military course managers and instructors so they can be incorporated into military programs.
The ability to establish partnerships and also advance DON personnel knowledge with private sector sources is paramount. The DON will work to establish and maintain these partnerships.
Chris Kelsall is the DON CIO Cyber Workforce lead.
See also CHIPS articles: The New DON Cyberspace (Cyber) IT and Cybersecurity Workforce Management and Qualification Program and “DON Cyberspace (Cyber) IT and Cybersecurity Workforce — Who Are We?”