DOD 8570 - Information Assurance Training — COMPTIA —
Deadlines — Mandates - Requirements
DOD 8570 Certifications Overview: US Department of Defense Directive
8570 aims to certify all military IT professionals working in Information
Assurance jobs within a prescribed timetable. The spirit of Directive 8570 is to
establish a common baseline understanding of IT security issues, protocols and
procedures across the Government and military. The actual training
requirements are spelled out in the DOD 8570 manual, an official document
that comes in at roughly 100 pages. DOD 8570 certification levels are designed
to fit the level and type of job activity such as workforce level, degree of data
security and supervision of other workers.
Background: In the past decade the DOD has taken concrete steps to protect
the information resources of our military and Government. Specific high profile
hacking cases and a general public awareness of increasing reliance upon a
vulnerable IT infrastructure have illuminated the necessity for our critical
national defense organizations to protect and safeguard their computing systems
against threats both internal and external.
Scope and Progress: Certification requirements are closely matched to job
levels and activities as they are identified, tracked and catalogued within their
respective organizations. DOD 8570 requirements extend to military personnel,
contractors and civilians employed in DOD IA roles. Four broad military IA
workforce categories govern the structure of DOD 8570 certification
requirements. These are Information Assurance Technician (IAT), Information
Assurance Manager (IAM), Information Assurance System Architect and
Engineer (IASAE) and Computer Network Defense (CND). Workforce
manpower certification statistics have been and continue to be mapped and
monitored for completeness and overall unit training progress. Progress toward
100% certification is not publicly available, but anecdotal reports suggest that
the military remains behind schedule in certifying all personnel according to the
original timetables laid out in the DOD 8570 manual.
Timetable: New hires into Department of Defense Information Assurance
positions must be DOD 8570 certified within six months unless granted a
temporary waiver. Uncertified workers must be supervised by certified
personnel. All combat forces must be certified before deployment, unless
granted a temporary waiver that suspends the regular certification timetable;
upon return from combat deployment, the six-month requirement applies. The
original 2005 DOD 8570 Manual specified a phase-in timetable that may have
been more aggressive than realistic. Nevertheless, by the end of calendar year
2010, all workers performing Information Assurance Technical (IAT) and
Information Assurance Management (IAM) functions must comply with
Critical areas: All IT workers either in the classified SIPRNET (Secret Internet
Protocol Router Network) or unclassified NIPRNET (Non-classified Internet
Protocol Router Network) networks must comply with the directive.
Additionally, IA workers in areas that safeguard the privacy of personnel
records, such as medical or demographic data, must comply with certification
Training overview: Certifications begin at the basic level, increase through
tiers of responsibility, and all include a continuing education requirement that
amounts to 20 – 40 hours per year, or 120 hours every three years. In addition to
formal training and continuing education requirements, there are requirements
for on-the-job hands-on experiential training. Certification levels span three
tiers (Levels I, II and III) for both Information Assurance Technical (IAT) and
Information Assurance Management (IAM) functions. Additionally, training
should cover these topics as outlined in the Manual:
• Laws, policies and procedures affecting the user community
• The latest external threats to network security, such as scripts, hackers,
crackers and foreign agents
• Up-to-date internal threats such as incompetent, malicious or disgruntled
authorized workers, crackers and hackers
• Shared risk, risk of aggregating unclassified information, risk of remote
access data transmission
• Knowledge of how the latest malicious code examples such as Viruses,
Trojan Horses, Worms, Logic Bombs can infiltrate a system, the damage
they can cause, and how to contain and repair their damage
• Denial of service attacks
• Embedded hardware and software vulnerabilities
• Encryption principles and applications
• Restricting access through passwords and data hierarchies
• Policy and procedure differences between classified and non-classified
• Data archival policies and procedures
• Operating-system specific training will be required of technical personnel
Training components - IAT Level I: The COMPTIA A Plus certification and
COMPTIA Network Plus certification form part of the first level of 8570
technical certification. Additionally, the Systems Security Certified Practitioner
(SSCP) is required on the IAT side.
Training components - IAT Level II: The COMPTIA Security Plus
certification is one of four DOD 8570 formal education requirements for IAT
Level II. Additionally, the GIAC (Global Information Assurance Certification)
Security Essentials Certification (GSEC), the Security Certified Network
Professional (SCNP) and SSCP certifications form the IAT Level II curriculum.
Training components - IAT Level III: The Certified Information Systems
Security Professional (CISSP certification) certification is part of the four core
formal study requirements. The Certified Information Systems Auditor (CISA
certification), GIAC Security Expert (GSE) and Security Certified Network
Architect (SCNA) certifications complete the formal educational requirements
for IAT Level III.
Training components - IAM Level I: Certifications in GIAC Information
Security Fundamentals (GISF) certification, GIAC Security Leadership
Certification (GSLC), CompTIA Security+ and Certification and Accreditation
Professional (CAP) constitute the four formal requirements for the IAM Level I
Training components - IAM Level II: Certifications in GIAC Security
Leadership Certification (GSLC), Certified Information Systems Security
Professional (CISSP), Certified Information Security Manager (CISM) and
Certification and Accreditation Professional (CAP) constitute the four formal
requirements for the IAM Level II accreditation.
Training components - IAM Level III: The Certified Information Systems
Security Professional (CISSP), Certified Information Security Manager (CISM)
and GIAC Security Leadership Certification (GSLC) accreditations constitute
the three formal requirements for the IAM Level III certification.
Training components – IASAE and CND: The certification requirements for
these workforce categories draw from the same body of off-the-shelf IT security
courses, plus a specialized battery of certifications including Information
Systems Security Engineering Professional (ISSEP), Information Systems
Security Architecture Professional (ISSAP), Certified Ethical Hacker (CEH).
GIAC Certified Incident Handler (GCIH), Certified Computer Security Incident
Handler (CSIH), GIAC Systems and Network Auditor (GSNA) and Certified
Information Systems Security Professional - Information Systems Security
Management Professional (CISSP-ISSMP).
Training providers: The aggressive deadline that the DOD has set for IAM
and IAT personnel certifications will be met by ANSI-certified third party
Information Assurance training providers such as Knowledge Center Inc., a
proven vendor of quality classroom and online IT certification programs.
Northern Virginia and Washington DC area based KCI has earned a stellar
reputation in the IT training sector by successfully certifying in tens of
thousands of IT professionals. Their client list covers not only all major US
government agencies but also a large percentage of Fortune 500 companies
spanning all major industry sectors.
Training methodology: The baseline for DOD training and certification is
Computer Based Training (CBT) and web-based instruction. The DAA may
waive or modify training requirement as it adapts to changing environmental
conditions and resource constraints.
Urgency: Again, the deadline for DOD 8570 Information Assurance
certification across the entire armed forces has been set as December 31, 2010.
Because all personnel must be certified in their respective units by this date,
schools across the country are seeing unprecedented demand for class seats.
Quick certification programs are being offered to accommodate the urgency and
satisfy demand, but space is limited by available resources.