What is DoD Directive 8570.1?
DoD Directive 8570.01 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians and managers to be trained and certified to a DoD baseline requirement. The Directive's accompanying Manual identifies the specific certifications mandated by the Directive's enterprise-wide certification program. Much of the Directive addresses workforce management issues. Components must identify and document IA personnel and positions in personnel and manpower databases and make certain that IA personnel meet training and certification requirements related to their job functions. The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.
What is the status of the Manual (DoD 8570.01M)?
The Manual has been approved by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII)/DoD Chief Information Officer (CIO), and compliance with its requirements is now mandatory for all DoD organizations. A copy of the Manual is available on the DoD Publications website located at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
Do I need any special training on how to implement DoD 8570.1? (I have received e-mails from commercial activities stating that I must attend a mandatory training session on implementing DoD 8570.1.)
No. Neither you nor your organization needs special training regarding the implementation of DoD 8570. Furthermore, the DoD has not sponsored or required any commercial 8570.1 implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.1 implementation.
What support can the Office of the DoD CIO offer to Components to plan for 8570 implementation?
The Defense-wide Information Assurance Program (DIAP) is available to provide briefs and regional or major command workshops to support Components' 8570 implementation planning. You are strongly encouraged to work within your Component Human Resources and IA operations leadership to establish a plan for meeting the requirements outlined in DoD 8570.1 and DoD 8570.1-M.
Who has to pay for Certifications?
For DoD military and civilian IA Workforce members, the DoD Component must budget for and pay for an individual's required certification. The Component must also ensure appropriate training is provided for the position and preparation for the certification exam.
Has the IA Workforce Improvement Program (IA WIP) been funded?
Yes. The DoD CIO has included funding in the Quadrennial Defense Review (QDR) and the PDM to support initial implementation requirements including certification exams, personnel database updates, and training support. These requirements cover the IA WIP implementation phase from FY07 to FY10. DoD Components are required to include IA WIP sustainment requirements in their budget plans. The Government cannot pay for contractor certification or certification preparation training. However, the Government can support contractor training for the actual system and procedures they are supporting.
Who needs to be certified?
Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual. See the question on "How can I Identify the IA Workforce?" later in this FAQ document. The training, certification, and workforce management requirements of 8570.1 apply to all members of the DoD IA workforce including military, civilians, foreign nationals, local nationals, Non-appropriated fund (NAF), and contractors. They apply whether the duties are performed full-time, part-time, or as an embedded duty. Future updates to the Manual will incorporate additional portions of the IA workforce. A chapter on "System Architecture and Engineering" is currently under development, which will establish certification requirements for members of the workforce who perform system design functions, such as requirements gathering, that are not currently covered by the Manual. Additional chapters will be drafted for "Certification and Accreditation" and "Vulnerability Analysts." Until these chapters are published, positions/personnel performing these functions with privileged access for the Computing, Network, or Enclave Environment should be included as IAT or IAM Levels I - III based on the environment they are working in.
Now that the Manual is signed, how long until I have to become certified?
Components and Agencies are required to have all identified IA personnel certified to the baseline requirement within four fiscal years of the Manual's publication date (19 Dec 2005). The Manual requires 10 percent of the IA workforce to become certified in FY07 and an additional 30 percent each fiscal year after that. At the end of the fourth year (FY 2010), all personnel performing IA functions described in the DoD 8570.1-M should be certified.
Have the National Unions agreed to support these requirements?
Yes. As part of the DoD's formal staffing process, USD P&R conducted a "national consultation" (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or were supportive of the IA WIP.
What role can the local unions play in the IA WIP?
The National Consultation (NCR) mentioned above does not absolve local parties from fulfilling their local bargaining obligations as appropriate prior to implementation of DoD policy. They can participate in the planning for meeting the IA WIP requirements for the Civilian IA Workforce. The local union cannot negotiate the actual local implementation requirements. For example: Who needs to be certified is not negotiable. Order/priority to certify the local IA Workforce. The number of retests the organization will fund.
What can I do now to prepare for certification requirements?
Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD internally available training (e.g., Service Schoolhouse IA courses, DISA web based training) or external training currently supported by your Component for courses with learning objectives directly aligned to baseline certifications outlined in the Manual.
What can my Component do to prepare for requirements?
Components should identify IA workforce positions and personnel based on the categories, levels, and functions for IAT and IAM levels I - III described in DoD 8570.01-M. Positions/personnel performing specialized functions for the Computing, Network, or Enclave Environment should be included as IAT or IAM Levels I - III based on the environment they are working in. Specialized IA positions include Certification and Accreditation, Computer Network Defense, Vulnerability Analysts, and Information System Architects and Engineers, defined below (see the question on identifying the IA Workforce below for more information):
Certification and Accreditation: Personnel who support the documentation and compliance with the standard process, set of activities, general tasks, and management structure to certify and accredit DoD Information Systems that will maintain the information assurance and security posture of the Defense Information Infrastructure (DII).
Computer Network Defense: Computer Network Defense (CND) personnel provide CND situational awareness, implement CND protect measures, monitor and analyze in order to detect unauthorized activity, and implement CND operational direction. CND Services are commonly provided by Computer Emergency or Incident Response Teams (CERT/CIRT) and may be associated with a Network Operations Center (NOSC).
Information System Architecture and Engineering: Personnel who design, develop, implement, and/or integrate a DoD IA architecture, system, or system component for use in IA level I, II, or III environments. They may perform these tasks at either Technical or Management levels depending on whether they have privileged access or perform management type tasks.
Vulnerability Analysts (VA): Provide on-site information system analysis to develop and provide a site "security profile". Vulnerability Analysts travel to various sites to collect and analyze system configuration data to provide accurate security profiles to the local IAM.
If I fail a certification can I retake the exam?
Yes. The 8570.1 and 8570.01-M do not set a limit on the number of times a person may attempt to qualify for certification. However, Components must support at least one retest attempt but may set a limit on the number of additional retests they will support. Remember, until a DoD military or civilian employee completes the requirements of the IA WIP, to include becoming fully certified, they are not authorized to fill an IAT or IAM billet (after the 4-year implementation phase). If the member's Component has set a limit on the number of retest attempts, an individual may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements such as background investigation, OJT, etc.).
How can I identify who is in the IA Workforce?
First, the IA WIP is a workforce management program. The key to workforce management is the position. All positions required to perform IA functions must be identified. Second, any person filling that position is then automatically part of the IA WF, whether it is full-time, part-time, or embedded duty, and whether it is their "primary specialty", secondary, or not a specialty but just another duty as assigned (the intent of the IA WIP is to minimize or eliminate IATs in the embedded duty group). Identifying whether a position is an IA position is basically very simple. The DoD 8570.01-M establishes the basic requirements. The current version of the Manual has two categories, technical (IAT) and management (IAM). Each category has three levels based on where the position is located within the overall IS architecture. Each level of architecture is specifically defined in Appendix 1 to the Manual. The Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the "IA Level" is related to the system architecture, not to an individual's grade or experience. Chapters 3 and 4 of the Manual list IA functions for each level of the information system architecture depicted above. Positions/personnel required to perform any of these functions are part of the IA workforce.
How do I identify the IAT workforce?
Two basic questions to help identify IA Technical positions:
1. Does the position require privileged access to a DoD Information System Computing, Network, or Enclave environment?
2. Does the position perform any of the functional requirements listed in Chapter 3 of the Manual for that level of the IS Architecture?
If the answer to both 1 and 2 is yes, the position is an IAT position.
If the answer is no to both, then it is not an IAT position.
If the answer is no to either 1 or 2, it is not an IAT position.
If the answer is yes to 1 and no to 2, it is not an IAT position.
If the answer is no to 1 and yes to 2, it may be an IA Manager or other IA position.
How to identify the IAM Workforce?
Two basic questions to help identify IA Management positions:
1. Does the position have responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment?
2. Does the position perform any of the functions listed in Chapter 4 of the Manual for that level of the IS Architecture?
If the answer to both 1 and 2 is "yes", then the position is an IAM position.
If the answer is no to both 1 and 2, it is not an IAM position.
If the answer is yes to 1 and no to 2, it is not an IAM position.
If the answer is no to 1 and yes to 2, it may be an IA position but not an IAM position as currently defined in the Manual.
Note: additional categories of the IA WF have been identified, and chapters will be added to include them in the future, such as C&A, CND, ISS Architects, Vulnerability Analysis.
I want more information, who can I talk to?
For more information about DoD Directive 8570.1 and the enterprise-wide training and certification initiative, contact the IASE Helpdesk, http://iase.disa.mil/help/iaseinfodesk.html
How can I get a copy of the Manual?
For a copy of the Manual (DoD 8570.1M), check the DoD Publications website at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
Will the training and certification requirements specified in DoD Directive 8570.1 and the 8570.01-M replace Component, Command or community specific training and certification requirements?
No. The 8570 provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with Component, command, or community specific requirements for IA training and/or certification. Your Component may require personnel performing IA job functions to complete specific certifications in addition to those identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component specific requirements.
I already hold a certification listed in DoD 8570.1-M, what more will I need to do?
Notify your respective personnel point of contact to make certain that your certification status is documented in the appropriate personnel database of record. You will also need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). Note that all certifications included in the Manual currently require, or will require in the near future, continuous learning as part of their certification requirements. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements. In addition, the Manual requires IATs to obtain a local operating system certification.
Do I have to take the training associated with a certification, or can I just take the test?
Under DoD Directive 8570.1 and as specified in DoD 8570.1-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a "pre-test" or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.
Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?
Yes. Chapter 101 of Title 10, United States Code has been amended to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. The FY06 DoD Appropriations Bill gives uniformed personnel parity with civilians.
What will qualify for continuous learning?
The minimum continuous learning requirement for certifications included under DoD 8570.1M is typically 40 hours annually or 120 hours over a three-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, the DoD CIO is working with certification providers to identify proposed activities that would qualify for credit. Note that all certifications included in the Manual currently require or will require continuous learning as part of retaining certification status.
What are the contractor certification implementation requirements?
Contractors performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.1-M for the category and level functions they are performing. Like the Military and Civilian IA workforce, contractors have four years to meet the requirements of the 8570.1-M. The requirement is for 10% to be certified in the first year and 30% each year after that. Other specific requirements from the Manual include:
For new contracts, contractor personnel supporting IA functions outlined in Chapters 3 and 4 should be appropriately certified in accordance with the overall four year implementation schedule. This means the contract should include the requirement for the contractor personnel to meet the overall 10%, 30%, 30%, 30% certification requirements depending on which year the contract starts. Requirements by fiscal year:
Starting in FY07 - 10% in 07, 30% in 08, 30% in 09, 30% in FY10.
Starting in FY08 - 40% in 08, 30% in 09, 30% in FY10.
Starting in FY09 - 70% in 09, 30% in FY10.
Starting in FY10 - 70% at contract award, 100% by the end of FY10.
The contracting officer will ensure that contracting personnel are appropriately certified. In the future they will need to provide verification to the Defense Eligibility Enrollment System (DEERS).
Components should not pay for contractors to obtain/retain required certifications. However, Components may provide additional training on local or DoD specific system procedures. (See question below for additional guidance on contractor implementation requirements.)
Has the DoD developed standard contract language for IA WIP requirements?
The DoD Chief Information Officer (CIO) has coordinated with the Undersecretary of Defense for Acquisition, Technology, and Logistics (AT&L) body, the Defense Acquisition Regulations (DARs) Council, to propose language to include in the Defense Acquisition Regulations (DFARS). These changes were approved by the Council and are currently in the "formal" staffing process before they can be added to the DFARS. Until these changes are made in the DFARS, Components may use "local" clauses to implement these requirements for the contractor community.
How can Components address the requirements for contractors to be certified IAW the DoD 8570?
In general, contractors must certify 10% in FY07 and 30% each subsequent year, attaining 100% by the end of FY10. There are a variety of ways Components can operationalize this requirement. After reviewing and assessing current IA support contracts and considering new requirements, renewal/expiration dates, the contractor implementation requirements described above, and length of current contracts, Components should plan on one of the following:
Incrementally comply based on expiration/renewal dates for existing contracts.
Modify existing contracts to comply with the implementation requirements.
Include IA WIP requirements in requests for proposals (RFPs) for new contracts based on the percent of the IA workforce impacted by the contract (see response to question above).
How do I report personnel who are filling more than one IA position?
The answer to this question depends on the purpose of the report and the organizational relationships.
For IA Workforce Management Reporting: For this purpose the DoD 8570.1-M reporting requirements are position driven. To effectively "manage" the IA workforce, the DoD Components and local commands must know any position (table of organization or manning document) required to perform IA functions by category and level. We must also know the qualifications of the person filling that billet. Therefore, if a person is filling more than one IA position, that person and their qualifications must be reported against that position requirement. However, if the person is performing those functions due to under manning, then the position should be reported as not filled. Paragraph C7.2.5. of the DoD 8570.01-M says Components must "... track IA personnel training and certification against position requirements. Positions performing both management and technical functions must be identified individually in the appropriate manpower database. Personnel filling these positions must be aligned with both positions and maintain the appropriate certification/qualifications for each."
Example A: A person filling an IAT Level I position and also performing IAM Level I functions should have positions indicated in the manpower documents for each category. That person and their qualifications would be reported against each position. This is how management can analyze the IA workforce requirements achievement both from a "positions filled" and "positions filled with qualified people" viewpoint. Personnel performing IA functions as both Government Service (GS) civilian personnel and military reservist must be reported separately for each position.
Example B: A GS-12 IAT Level I performs full time IA functions in a designated civilian IA position. This individual is also a Major (O-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be reported individually (reported from each respective organization). The person requirement would also be reported against each position, since the person is filling two completely separate personnel, manning requirements.
For FISMA Reporting: FISMA reporting is based on Office of Management and Budget reporting requirements and is person driven. Their basic requirement is to identify anyone performing IA functions and whether they have been trained to perform those functions. The 2006 FISMA Guidance notes that "if an individual is performing multiple IA categories, only count them once based on the IA role they spend the highest percentage of their time/effort" on. Thus for FISMA, only report a person performing IA functions one time based on the position they spend the most time performing. If the person is "double hatted" due to covering functions for an unfilled IA position, only count them in positions they spend the most time performing.
Example A: An IAT Level I is assigned a primary duty (25 hours + per week) to support IA requirements for System A. There is another empty official "documented position" for System B which is collocated, and the individual is required to cover the IA functions of that position (as an additional or embedded duty, 24 hours or less per week). Since FISMA is person focused, you would only report the individual based on the position requiring the highest percentage of their time - System A in this case.
Example B: A GS-12 IAT Level I performs full time IA functions in a designated civilian IA position. This individual is also a Major (O-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be included in the FISMA report (reported from each respective organization). The person requirement would also be reported against each position since the person is filling two completely separate personnel requirements.
Example C: A Marine Corps Master Sergeant performs full time IAT Level II functions in a joint combatant command headquarters. Who should report his position and personnel qualifications to FISMA? The Combatant Command owning the "joint" billet should report the MSgt. as one of their positions in their FISMA Report to the J-6. Every joint billet is supported by one of the Components, so in this case the Marine Corps is responsible to provide an appropriately certified Marine for the IA position. However, the Joint Staff or Combatant Command is responsible to fill that billet with a qualified person and report for FISMA. Note joint billets should be identified in the e-Joint Manpower and Personnel System (e-JMAMP). However, in all cases, the operational management of the IA workforce (the IAM) for all systems must know their IA positions and the qualifications of the people filling them.
For End Strength Reporting: Components must track their personnel against authorized end strength. They must also track each person's IA qualifications (no matter what their current position assignment). End strength is people driven. For end strength, only count a person one time. Each person's IA certification/qualification will be maintained whether or not they are currently in an IA position.
What do you mean by Computing Environment, Network Environment or Enclave?
Understanding these terms is essential to properly identifying your IA Workforce. These terms are based on basic system architecture, not on base, station, or command structure. Appendix 1 of the DoD 8570.01-M contains definitions for each of these environments. The diagram below portrays the basics of the three levels. The key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports.