Introduction

Information assurance (IA) is a crucial consideration for today’s businesses, as well as for government agencies and branches of the US military. In order to ensure the safety and security of all data and systems, the Department of Defense (DoD) now requires all professionals involved with any form of information assurance to complete a wide range of training requirements.

These are set out in DoD Directive 5144.02 and apply to both active military personnel and civilians working with the Department of Defense in any capacity where the focus is on “the development, operation and enforcement of security capabilities for systems and networks.” According to the DoD, “Personnel performing IA functions establish IA policies and implement security measures and procedures for the DoD and affiliated information systems and networks.”

IA Workforce Qualifications

All IA workers within the DoD, including civilian contractors, must meet the IA workforce qualifications that apply to their Information Assurance Technician (IAT) level and their role dealing with information, information systems, security and other related topics. There are three IAT levels, and each has specific certification and training requirements, as well as ongoing training and recertification mandates.

What Are The IAT Levels?

The DoD states that “the functions associated with each of these levels are intended to be baseline DoD requirements. The DoD components are expected to have additional requirements reflecting their operating policy and information system technical environment.”

This means that for all three IA levels, the qualifications set forth are entry-level requirements, and you will need to build on those with training specific to the actual environment in which you work. It should be noted that these levels are cumulative; if you are put into a Level III position, you should have mastered all the requirements for both Level I and Level II.

Computer Networking/IAT Level I

The first level IAT baseline certifications include:

  • A+-CE
  • Network+ CE
  • SSCP
  • CCNA-Security

In addition, the DoD has other requirements for IAT Level I personnel. You should have up to five years of experience in IA technology or a related area, and computing environment (CE) system experience. You should be able to apply basic knowledge of IA concepts, practices and procedures within the CE. You will need to work well under supervision and report to a supervisor, while following established policies and procedures. You will have up to six months to earn your baseline certifications after being assigned to the Level I position.

The Department of Defense sets out specific functions for each of the three IA levels. The expectations for Level I are as follows, as taken from DoD 8570.01-M Information Assurance Workforce Improvement Program (updated 11/10/2015):

  • Recognize a potential security violation, take appropriate action to report the incident as required by regulation, and mitigate any adverse impact.
  • Apply instructions and pre-established guidelines to perform IA tasks within CE.
  • Provide end user IA support for all CE operating systems, peripherals and applications.
  • Support, monitor, test, and troubleshoot hardware and software IA problems pertaining to their CE.
  • Apply CE-specific IA program requirements to identify areas of weakness.
  • Apply appropriate CE access controls.
  • Install and operate the IT systems in a test configuration manner that does not alter the program code or compromise security safeguards.
  • Conduct tests of IA safeguards in accordance with established test plans and procedures.
  • Implement and monitor IA safeguards for CE system(s) in accordance with implementation plans and standard operating procedures.
  • Apply established IA security procedures and safeguards and comply with responsibilities of assignment.
  • Comply with system termination procedures and incident reporting requirements related to potential CE security incidents or actual breaches.
  • Implement online warnings to inform users of access rules for CE systems.
  • Implement applicable patches including IA vulnerability alerts (IAVA), IA vulnerability bulletins (IAVB), and technical advisories (TA) for the CE operating system(s).
  • Install, test, maintain, and upgrade CE operating systems software and hardware to comply with IA requirements.
  • Understand and implement technical vulnerability corrections.
  • Enter assets in a vulnerability management system.
  • Apply system security laws and regulations relevant to the CE being supported.
  • Implement DoD and DoD Component password policy.
  • Implement specific IA security countermeasures.

Networking Environments/IAT Level II

The second level IAT baseline certifications include:

  • GSEC
  • Security+ CE
  • SSCP
  • CCNA-Security

The DoD requires that you have at least three years of experience in IA technology or a related area, as well as experience with networking environments (NE) and advanced CE. You should have completely mastered the IAT Level I functions, as well. You’ll have up to six months to earn your baseline certifications after being assigned to the IAT Level II position.

Level II functions are also set forth in the DoD 8570.01-M Information Assurance Workforce Improvement Program, and are listed in that manual as follows:

  • Recommend and schedule IA related repairs in the NE (network environment).
  • Perform IA related customer support functions including installation, configuration, troubleshooting, customer assistance and/or training, in response to customer requirements from the NE.
  • Provide end user support for all IA related applications for the NE.
  • Analyze patterns of non-compliance and take appropriate administrative or programmatic actions to minimize security risks and insider threats.
  • Manage accounts, network rights and access to NE systems and equipment.
  • Analyze system performance for potential security problems.
  • Assess the performance of IA security controls within the NE.
  • Identify IA vulnerabilities resulting from a departure from the implementation plan or that were not apparent during testing.
  • Provide leadership and direction to IA operations personnel.
  • Configure, optimize and test network servers, hubs, routers and switches to ensure they comply with security policy, procedures and technical requirements.
  • Install, test, maintain and upgrade network operating systems software and hardware to comply with IA requirements.
  • Evaluate potential IA security risks and take appropriate corrective and recovery action.
  • Ensure that hardware, software, data and facility resources are archived, sanitized, or disposed of in a manner consistent with system security plans and requirements.
  • Diagnose and resolve IA problems in response to reported incidents.
  • Research, evaluate and provide feedback on problematic IA trends and patterns in customer support requirements.
  • Perform system audits to assess security related factors within the NE.
  • Develop and implement access control lists on routers, firewalls, and other network devices.
  • Install perimeter defense systems, including intrusion detection systems, firewalls, grid sensors, etc., and enhance rule sets to block sources of malicious traffic.
  • Work with other privileged users to jointly solve IA problems.
  • Write and maintain scripts for the NE.
  • Demonstrate proficiency in applying security requirements to an operating system for the NE or CE used in their current position.
  • Implement applicable patches including IAVAs, IAVBs, and TAs for their NE.
  • Adhere to IS security laws and regulations to support functional operations for the NE.
  • Implement response actions in reaction to security incidents.

Enclave/IAT Level III

The third level IAT baseline certifications include:

  • CISA
  • GCIH
  • GCED
  • CISSP (or Associate)
  • CASP

This level requires that you have roughly seven years of experience in IA technology or a related area. You should have experience with Enclave Environment, NE and advanced CE, as well. CE and NE should be familiar by this point, but what is an enclave environment? It is nothing more than a controlled and secured environment in which network users complete their work.

You should have completely mastered IAT Level I and IAT Level II, and be able to apply extensive knowledge to problems and challenges. You will usually work independently and solve problems on your own. In some instances, Level III professionals will also lead teams while reporting to the enclave manager. You will need to have earned your baseline certifications for Level III within six months of being assigned to the position.

Note that, previously, Level III required you to obtain a GSE, but that was eliminated in 2013. GSE certification is a less in-depth information security credential than the CISSP. While professionals with a GSE already involved with the DoD as an IAT Level III will remain certified, it is no longer an acceptable credential for incoming professionals. Previously certified professionals with a GSE may also be required to obtain a new certification when changing positions.

Like the other two IA levels, Level III has specific functions mandated by the Department of Defense. The manual lists these as follows (note that these were updated at the end of 2015 and replace those previously issued):

  • Mastery of IAT Level I and IAT Level II CE/NE knowledge and skills.
  • Recommend, schedule and/or implement IA related repairs within the enclave environment.
  • Coordinate and/or provide support for all enclave applications and operations.
  • Lead teams and/or provide support actions to quickly resolve or mitigate IA problems for the enclave environment.
  • Formulate or provide input to the enclave’s IA/IT budget.
  • Support the installation of new or modified hardware, operating systems, and software applications ensuring integration with IA security requirements for the enclave.
  • Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.
  • Direct and/or implement operational structures and processes to ensure an effective enclave IA security program including boundary defense, incident detection and response, and key management.
  • Provide direction and/or support to system developers regarding correction of security problems identified during testing.
  • Evaluate functional operation and performance in light of test results and make recommendations regarding C&A.
  • Examine enclave vulnerabilities and determine actions to mitigate them.
  • Monitor and evaluate the effectiveness of enclave IA security procedures and safeguards.
  • Analyze IA security incidents and patterns to determine remedial actions to correct vulnerabilities.
  • Support development and/or implementation of the enclave termination plan to ensure that IA security incidents are avoided during shutdown and long term protection of archived resources is achieved.
  • Implement vulnerability countermeasures for the enclave.
  • Provide support for IA customer service performance requirements.
  • Provide support for the development of IA related customer support policies, procedures and standards.
  • Write and maintain scripts required to ensure security of the enclave environment.
  • Implement and maintain perimeter defense systems including, but not limited to, intrusion detection systems, firewalls, and grid sensors.
  • Schedule and perform regular and special backups on all enclave systems.
  • Establish enclave logging procedures to include: important enclave events, services and proxies, and log archiving facility.
  • Provide OJT (on the job training) for IAT Level I and II DoD personnel.
  • Analyze Information Assurance Vulnerability Announcements and Information Assurance Vulnerability Bulletins for enclave impact and take or recommend appropriate action.
  • Obtain and maintain IA certification appropriate to position.

IA Levels Requiring CISSP

The only IA level that requires you to have your CISSP certification is Level III/Enclave. You may also earn your CISSP certificate and become an (ISC)² Associate if you do not have the required real-world experience. Becoming an associate allows you a little extra time to get the experience required, although you still have to pass the exhaustive examination to earn your credentials.

It’s also important to understand that while you can obtain CISSP training and education from a number of providers, the Department of Defense requires that you get your training from a Designated Accrediting Authority (DAA) that has completed the DoD’s computer-based training program for DAAs. Verify that the training provider (whether you’re going through a company or obtaining training from an individual) has a Department of Defense DAA certificate of completion.

The training and exam will be the same as for professionals not involved with the Department of Defense, and the test will still take six hours to complete. You are responsible for the costs of the CISSP exam and training, as well as any other certification program.

The DoD does require that you keep your CISSP certification up to date and recertify on the schedule required by (ISC)². You must also remain a member of (ISC)² in good standing.

Finally, understand that all the certifications mentioned above are baseline, and that they are not the end of your training, but the beginning. The Department of Defense also requires any IAT with privileged access to obtain certification in the particular computing environment in which they will be working, and with all the tools they will be using.

Sources

http://www.cedsolutions.com/military-dod-it-certification/military-dod-8570.cfm

http://imgva.com/8570-requirements/

http://www.cool.navy.mil/usmc/ia_documents/ia_iat_flow.htm

http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Ryan Fahey
