The US Department of Defense (DoD) hosts a number of directives that set out the requirements of its workforce. DoD 8570, titled “Information Assurance Workforce Improvement Program,” describes the expectations of the DoD in terms of required training, certification and management of DoD workforce members carrying out information assurance (IA) duties.
The directive is specific to those individuals or agencies who have privileged access to DoD systems. Persons who come under the directive include contractors and consultants as well as part-time or full-time military personnel who perform information assurance roles and functions. Personnel affected by DoD 8570 have to be trained according to the directive and also certified against specific skill sets and roles. The types of roles that DoD 8570 describes are those responsible for the protection of vital information that is in the nation’s interests.
NOTE: DoD 8570 will eventually be replaced by DoD 8140. However, at the time of writing, the manual for DoD 8140 is yet to be published. Creation of manuals for DoD directives often takes several years, and until such a time as the directive is documented, DoD 8570 will remain the key directive for the information assurance workforce at the DoD.
What is the DoD IAT?
The DoD is a highly structured organization with a distinct hierarchy. The overarching structure for IA at the DoD is called the “Information Assurance Workforce, Workforce Improvement Program” (IA WIP). Within this workforce umbrella are two separate categories called Information Assurance Technical (IAT) and Information Assurance Management (IAM).
What are the DoD IAT levels?
There are three category levels within the IAT category:
- Level 1: Computing environment information assurance
- Level 2: Network environment information assurance
- Level 3: Enclave, advanced network and computer information assurance
The category levels reflect the system architecture and not the grade of the individual working in that area. Within each level are sublevels that represent the attainment grade of the individual. These attainment levels are:
- Entry level
Each level has a set of functions within it. For example:
- Level 1 has functions such as install and operate IT systems, apply security procedures and enter assets into a vulnerability management system
- Level 2 has functions such as provide end user support, manage user accounts and analyze system performance
- Level 3 has functions such as lead teams and support actions to mitigate problems and direct operational structures and processes
Any persons wishing to work within these IAT levels must be certified to the correct level for the function they perform within a category. The IAT categories are cumulative: if you want to work at a Level 2, you need to have mastered Level 1.
How can I identify who’s in the IAT workforce?
Workers in an IAT role have privileged access to one or more category levels in a DoD environment. They also possess the right level of certification and functional requirements of the position. To identify a member of the IAT workforce, the individual needs to have:
- Privileged access to a Level 1-3 system: This is achieved by meeting certain requirements, including having the proper certification for that level
- A position that practices some of the functions required for the level
Typical entities covered by the IA WIP include:
- Local nationals
- Non-appropriated fund (NAF) personnel
What are the DoD IAT certifications?
Certification for an IA position must reflect the functions required for the position. An employee has six months from first assignment to a position (or, for new employees, from their start date) to achieve the required DoD 8570 certification, although waivers are possible under certain circumstances.
If the employee is in a combat situation, the individual has to be fully trained and certified before beginning the assignment. Again, certain circumstances can warrant a time-limited waiver. If an individual fails to attain certification within the six-month period, they will not be allowed privileged access, which is a prerequisite for working in an IA role.
The certifications available for an IAT position are:
Level 1:
- A+ CE: A+ is a basic exam by CompTIA that demonstrates capability in IT system troubleshooting and problem-solving. The Continuing Education exam (CE) demonstrates knowledge of common cybersecurity threats.
- CCNA-Security: Cisco Certified Network Associate Security (CCNA) demonstrates you have the skills needed to develop a secure infrastructure and mitigate cyberthreats.
- CND: EC-Council’s Certified Network Defender (CND). The certificate is used to demonstrate knowledge in defensive cyber operations (Blue-Teaming). The CND certification teaches IT professionals about defense mechanisms when protecting IT systems against cyberattacks.
- Network+ CE: This exam demonstrates the practical skills required by an IT network administrator.
- SSCP: Systems Security Certified Practitioner shows you have the skills needed to manage and monitor IT infrastructures and apply security policies.
Level 2:
- CCNA Security: See Level 1.
- CySA+: This is an intermediate-level exam for security professionals focusing on vulnerability and threat analysis.
- GICSP: The Global Industrial Cyber Security Professional demonstrates your knowledge to secure critical infrastructure assets.
- GSEC: GIAC® Security Essentials is a certification exam that demonstrates hands-on IT security capability.
- Security+ CE: Security+ is a CompTIA exam focusing on cybersecurity issues.
- CND: EC-Council’s Certified Network Defender (CND). The certificate is used to demonstrate knowledge in defensive cyber operations (Blue-Teaming). The CND certification teaches IT professionals about defensive mechanisms when protecting IT systems against cyberattacks.
- SSCP: See Level 1.
Level 3:
- CASP CE: Advanced Security Practitioner (CASP) is a CompTIA exam showing your skills in enterprise security operations.
- CCNP Security: Cisco Certified Network Professional shows your skills in configuration, management and maintenance of Cisco infrastructure.
- CISA: Certified Information Systems Auditor is an auditing exam by ISACA.
- CISSP (or Associate): The (ISC)2 exam for the status of Certified Information Systems Security Professional.
- GCED: Defense of network protocols, vulnerability assessment and pentesting make up the core of this exam.
- GCIH: GIAC® Certified Incident Handler is a certification exam that demonstrates your skill in handling security incidents and understanding vectors and vulnerabilities.
What are the steps to obtain a DoD IAT certification?
1. Know your starting level
When starting out obtaining DoD IAT certification, you need to look at the requirements of the level/function you will be working on:
You then need to communicate with your Information Assurance Manager (IAM) in preparation for your training and certification exam.
2. Train for your certification
It is advised to take training courses in preparation for the certification exam. The DoD 8570 manual does not recommend any specific training organization. However, certification bodies usually suggest approved training organizations.
3. Get a receipt
Once you are ready to take the exam, ask your IAM for a certification voucher.
4. Get registered
Once you have passed your certification exam, register at the Defense Workforce Certification Application portal.
5. Notify and complete
Let your IAM know you have completed the process.
Is training a requirement?
You do not have to take a training course to sit a certification. However, you do have to prove you are prepared to take the exam, and the DoD strongly encourages specialist exam preparation training. Your IAM may also require you to sit a pre-exam or something similar to prove your certification readiness. Unless you can satisfy your IAM of your readiness to pass the certification, they may not release the voucher needed to progress your certification process.
Can I retake an exam if I fail?
You can retake exams if you fail, and components must support at least one retest. However, there may be a caveat over the number of times you will be funded to take retests. After the initial retest, you may have to self-fund subsequent retests.
Ideally, you should make sure that you are fully prepared to take the exam and pass the first time. This is where a good training course comes in.
Who pays for the certifications?
- Uniformed personnel: There is a specific amendment under Chapter 101 of Title 10, United States Code that allows for payment of commercial certifications.
- Civilian personnel: Funding is up to each component to decide.
- Contractors: It is advised that components should not pay for contractor certification but may provide training on specific DoD systems.