CISSP: DoD 8570 Overview

July 2, 2019 by Ki Nang Yip


Cyberspace has officially been considered a battlefield in many states for approximately a decade. Not only cybercriminals but also states actively launch cyberattacks aimed at sabotaging their adversaries, for both monetary gain and strategic considerations. Consequently, in these troubled waters, the defensive side has to survey potential attackers with multidimensional objectives and backgrounds in order to handle increasingly sophisticated cyber threats and attack techniques. With the evolving cyber threat landscape, the risks to digital assets and critical infrastructures rapidly expand. Both private companies and government institutions have much at stake when it comes to defending themselves in cyberspace. Qualified cybersecurity professionals who are capable of anticipating and mitigating risk for their institutions are highly valued.

In the United States, the Department of Defense (DoD) has been implementing the DoD 8570 directive manual, also known as DoDD 8570 (Department of Defense Directive 8570), since 2005. The objective of the initiative is to define and require a series of training specifications and certifications for professionals, contractors and military officers having ‘exclusive’ access to the computer systems and supply chain network of the DoD. This initiative is associated with the Certified Information Systems Security Professional (CISSP) certification. It provides a quality standard for DoD recruitment. Indeed, the DoD 8570 directive aims at equipping professionals working in information assurance (IA) with further knowledge and skills in a fast-paced environment. In the information security industry, knowledge and skills become outdated fast. Although most cybersecurity professionals are trained in rigorous programs at higher education institutions, the regularly changing threat landscape swiftly revolutionizes industry practices, tools and protocols, to name a few, and renders conventional solutions obsolete overnight. Moreover, it is not surprising that these professionals focus on only one of the diverse cybersecurity disciplines. The DoD's endeavor, hence, fills this professional gap and provides up-to-date conditions to train personnel holding key cyber functions. The CISSP covers eight domains of cybersecurity issues ranging from security and risk management, asset security, security engineering, communication and network security, identity and access management, security assessment and testing, security operations to software development security. It complements the competences of cybersecurity professionals.

Since its introduction, the DoD 8570 directive was vigorously updated until 2015. More recently, the DoD has been renewing this initiative with the DoD 8140 directive update. The existing DoD 8570 directive will then be replaced with the DoD 8140 directive. Meanwhile, it is important to acknowledge the time needed to draft a more comprehensive guideline. Thus, the DoD 8570.01-M directive, an enriched guideline based on the existing DoD 8570 one, was introduced as a transitional version before the DoD 8140 directive manuals are published.

The scope of the DoD 8570 directive

The DoD is the head of a huge network of military departments and contractors. The fact that the U.S. has an international military presence also suggests how widespread the operations and activities of the DoD are around the world. Thus, the DoD 8570 directive affects a great many national and international stakeholders, ranging from the Office of the Secretary of Defense, the Chairman of the Joint Chiefs of Staff, the Combatant Commands and the Office of the Inspector General of the DoD to all other U.S. defense, field and organizational activities. As long as the personnel of the relevant department or institution have privileged access, either supervised or unsupervised, to the computer networks of the DoD, they are obliged to pass the necessary certifications and accreditations (C&A) for their duties. Naturally, IA personnel are further required to sign a privileged access statement. The specific functions, responsibilities, capabilities and experience requirements of the entire IA workforce framework are well defined to make the entire DoD structure more secure. Hence, to a certain extent, the DoD 8570 directive can be an extremely valuable reference for education institutions, private companies and even foreign governments participating in or planning collaborations with the DoD.

The DoD 8570 directive requirements

The DoD 8570 directive set a five-year timeframe for institutions within the DoD and its affiliated network, such as internal departments and external contractors, to get the relevant personnel certified. The certification can therefore be pertinent to a considerable number of employees and coworkers performing duties of Information Assurance Technical (IAT), Information Assurance Management (IAM), Computer Network Defense Service Provider (CND-SP) and IA Workforce System Architecture and Engineering (IASAE). The IAT and IAM professions are further categorized into three levels (based on experience). Professionals holding such positions were expected to get their skills certified by the end of 2010, whereas those with CND-SP and IASAE functions were expected to do so by the end of 2011. Thus, to a great extent, the DoD 8570 directive has already improved and standardized the IA requirements for five years. As the complexity of cyber operations and threats evolves fast nowadays, it is unsurprising that the DoD has to keep evolving the various IA workforce training and certification programs.

IA Workforce Certifications

The C&A of the DoD 8570 directive can be discussed in a ‘2+2’ approach. On the one hand, the first ‘2’ refers to the IAT and IAM categories. The IAT category focuses on the technical (hardware and software) and computer operation environment. It covers every position having access to manage the services, servers and end-point devices of the DoD Information Networks Operations (DoDIN Ops). The first level of IAT requires the personnel to be capable of coping with security vulnerabilities in both the hardware and software on client-level workstations. The second level of IAT emphasizes identifying intrusions and fixing unprotected vulnerabilities. Personnel at the third level of IAT are expected to be able to make technical decisions and carry out incident response depending on anomalies. In addition, the IAM category demands a managerial perspective. Most of the time, the IAM personnel do not have privileged technical access to the computer operation environment.

On the other hand, the second ‘2’ concerns the specialties, CND and IASAE, that demand deeper and more specific technical competences to fulfill the expectations of the certifications. IASAE is an individual position in which personnel are responsible for the design, development and implementation of the cybersecurity architecture and systems for the use of the DoD. Personnel at the first level of IASAE should be capable of supporting the client-level workstations and components. The second level of IASAE concentrates on the network environment of the developed systems among the interconnected end-point devices. If a hostile or adverse impact is detected in one system, IASAE level II personnel have to be able to isolate the impact and prevent it from spreading across the other networks. The third level of IASAE involves the capability to comprehensively evaluate the operation and security of the developed system.

Furthermore, the role of CND is different from the other three categories. It is an organizational-level specialty requirement. The CND functions, namely analyst (CND-A), infrastructure support (CND-IS), incident responder (CND-IR), auditor (CND-AU) and service provider manager (CND-SPM), are positions within a CND service provider. A CND-A can use various cybersecurity tools, such as firewall, network traffic and host system logs as well as advanced malware detection systems, to critically examine data on intrusion attempts. A CND-IS copes with maintenance issues and performance assessment regarding the infrastructure assets, equipment and resources, namely, routers, firewalls, and intrusion detection/prevention systems. A CND-IR inspects and analyzes all response activities related to any network breaches and cybersecurity events. A CND-AU ensures the optimal security of the operation and network environment through system and network audits. The system auditors correct the deviations of systems and networks that do not correspond to required configurations and policies. A CND-SPM plays the key role of administering the overall CND functions. This position is responsible for developing guidance, managing risks and the technical classification. The following table illustrates the necessary certifications for each category of the ‘2+2’ structure:

In this chart, it is evident that the CISSP is a key indicator of the qualifications for cybersecurity professionals. Getting the CISSP certification is an entry requirement for the challenges in these positions. It is obvious that CISSP talents are of exceptional value for the DoD.

Conclusion—DoDD 8140

The DoD 8570 directive can be seen as the ultimate reference to the cybersecurity vision of the DoD. It details the functions of each category and level in the IA workforce improvement initiative. Nevertheless, since the introduction of the DoD 8570 directive in 2005, challenges in cyberspace and technologies have evolved. The complexity of cybersecurity intensifies with increasing state-funded cyber operations. It is understandable that the DoD has to strengthen, perfect and grow this original 8570 directive. This is why, in August 2015, the representatives of the DoD confirmed the decision to replace the DoD Directive 8570 with the DoDD 8140 directive. The DoD 8570 directive would be integrated into the DoDD 8140 directive to enrich the new IA workforce improvement program. As the development of a new IA framework demands several years, the DoD 8570.01-M directive was made to present new elements to the existing program.

Meanwhile, it is foreseeable that the framework used in the National Initiative for Cybersecurity Education (NICE) will provide the main structure of the DoDD 8140 directive. As suggested in the DoDD 8140 directive, the notion of ‘live fire’ is emphasized in this new IA workforce training program. It further encourages individuals pursuing these qualifications to recognize, focus on and develop capabilities for real-world scenarios and case studies. The CISSP, as a highly recognized qualification in the cybersecurity industry, helps candidates prepare for the challenges they will face if they intend to work for the DoD in the future. In this way, the certifications will be more convincing and tailored to the cyberspace landscape of the near future.


Ki Nang is a researcher in cybersecurity, industrial espionage and political science. He conducts his PhD research in Paris. He studies state-funded cyber-espionage, political impacts in cyberspace for corporate development, and new forms of cybercrime. In his spare time, he also follows cybersecurity and political issues in China, U.S. and Russia.
