If you are either a systems security engineer or an IT security contractor who is interested in working for the DoD (Department of Defense), then you need to know about DoD Directive 8570. It is a baseline criterion for operating Department of Defense’s IT systems. Specifically put, it’s a policy designed by DoD’s Information Assurance Workforce Improvement program (AI WIP) that requires all DoD personnel with privileged access to DoD systems, including defense contractors, military service personnel, foreign and civilian employees, to hold certain Information Assurance certifications and training.

The aim of the directive is a skilled, uniform Information Assurance workforce with the ability and knowledge to effectively identify and mitigate attacks against the Department of Defense’s information infrastructures, information systems, and information.

To Whom Does the DoD 8570 Apply?

DoD 8570 applies to any part or full-time contractor, member of the military, or local nationals with private access to a DoD system executing information assurance functions, regardless of role or branch of occupation. Hence, defense agencies, combatant commands, military departments, Office of the Secretary of Defense, Office of the DoD Inspector General, and all other organizational bodies within DoD are subjected to its requirements.

Are Contractors & Government Employees Treated Differently?

DoD Components must individually budget and cover DoD civilian and military IA Workforce members’ recommended certifications. These requirements include the AI WIP period from FY07 to FY10. Also, Components should consist of the sustainment requirements of IA WIP in their budget plans. Also, Services are permitted to utilize appropriated funds to pay for commercial tests (certifications) for uniformed personnel. Whether or not appropriate funding for commercial certifications is available to the service is up to each component.

When it comes to contractors, Components should not pay for them to retain/obtain necessary certifications. However, Components are free to offer additional training on DoD specific or local system procedures.

How Has the DoD 8570 Changed Over the Years?

Signed December 19, 2005, DoD 8570 was established to address the concern of unqualified workers repeatedly taking up cyber-security positions. This Directive meant that anyone who touched missions, security, and intelligence in cyberspace working with or for the DoD would need to be qualified and trained per the standards set in the directive. At the same time, the 8570 manual was published, and so marked the beginning of the DoD abiding by these rules for qualifying and managing cyber personnel.

The guideline brought several changes in the way the government dealt with cybersecurity personnel. Units were able to place requests for funds to train current employees to enhance the skills of the current staff to the level required to do their jobs efficiently. It also made way for the form of training to change before new personnel was assigned IA jobs. Most noteworthy, the Department of Defense was able to raise the standards of its professionals and the industry. It broke down 8570 into certifications, categories, and helped set standards that were needed for a long time.

Needless to say, a lot has changed since the release of DoD 8570. Recently, stakeholders apprehended there was a need to tweak the way DoD handled network security and data. Advancements in these technologies and the uptick in cyber-attacks were the driving force behind the development of a new directive that is gradually replacing DoD 8570.

Signed August 11, 2015, the DoD 8140 Directive focuses on hands-on experience and confirms how crucial renowned IT certifications like CISSP are to landing IT security positions in DoD. The training framework in its manual is expected to be based on the NICE (National Initiative for Cybersecurity Education) framework, which emphasizes “live fire” training, and gives actual exercises to determine whether someone is qualified to tackle real-world cybersecurity challenges.

Consequently, there’s a clear indication that the 8140 Directive will replace DoD 8570. In fact, the transference has already occurred with the adoption of the DoD 8570 Approved Baseline Certifications.

That said, it will take DoD 8140 a few years to mature, so DoD is expected to continue following the 8570 manual for the time being.

How Does the DoD 8570 Work?

DoD 8570 states that all individuals in charge of information assurance for department IT systems must possess the certifications for them to do jobs effectively. The certifications fall into different categories such as:

  • IAT (Information Assurance Technical) certifications: Prepare students to handle the technical-side of things.
  • IAM (Information Assurance Management) certifications: Prepares students to handle the managerial-side of things.

Each of these categories has levels or subcategories outlined in them. IAT, IAM & IASAE are sub-categorized into three levels based on the nature of job skills. Level 1 jobs are based on system/PC assets. Level 2 jobs relate to managing network level equipment and the supporting architecture. Level 3 contains all the elements of previous levels and introduces enterprise or enclave server environments.

Additionally, there are specialties like the IASAE (Information Assurance System Architecture & Engineering) and Cyber Security Service Provider (CSSP) certifications available to pursue. In general, these higher-end certifications are suitable for anyone who has the responsibility for the development, design, integration, and/or implementation of DoD IA infrastructure, architecture, or system component for a DoD network, enclave, or computing environment. Ideally, mid- and senior-level managers who have already secured positions as Senior Security Engineers, CISOs or CSOs would benefit most from these specializations.

Ethical Hacking Training – Resources (InfoSec)

Certifications Required for DoD 8570 Compliance

An individual must obtain only one of the listed certifications in his or her IA category or level and specialty to fulfill the minimum requirement. However, conditions apply whether the duty is performed part-time, full-time, or as an embedded duty. Below is a table that highlights certifications needed for DoD 8570 compliance.

Level 1

Level 2

Level 3

Network+

SSCP

CISA

A+

SCNP

SCNA

SSCP

Security+

CISSP

 

GSEC

GSE

IAM

Level 1

Level 2

Level 3

GSLC

CISM

GSLC

CAP

GSLC

CISM

Security+

CISSP (or Associate)

CISSP (or Associate)

 

CAP

 

IASAE

Level 1

Level 2

Level 3

CASP

CASP

CISSP-ISSAP

CISSP

CISSP

CISSP-ISSEP

CSSLP

CSSLP

 

CSSP

Analyst

Infrastructure Support

Incident Responder

Auditor

Manager

CEH

CEH

CEH

CEH

CISM

GCIA

GICSP

GCFA

CISA

CISSP-ISSMP

GCIH

SSCP

GCIH

GSNA

 

GICSP

 

SCYBER

 

 

SCYBER

 

 

 

 

Obtaining these certifications not only enhances your ability to do well in IA, but it can also get you promoted, increasing your pay scale and prospects.

Do Higher Level Certifications Satisfy Lower Level Requirements?

IAT certifications are cumulative. In this case, high-level certifications fulfill lower level requirements. However, IAM certifications equivalent to the level of position do not satisfy lower level requirements. The latter requires the personnel to gain one of the certifications relevant to that Management position. CISSP shouldn’t be taken by an IAM unless he/she is already eligible for the certification present in the IAM level 1 section. However, if they already hold an IAM level 2 or level 3 certification before they’re asked to take up an IAM level 1 position, they may leverage that certification to fulfill IAM level 1 requirement.

Conclusion

For those with the desire to work with DoD, the certifications mentioned above are the first step. Under the DoD 8570 Directive, the ultimate vision is sustained, knowledgeable IA workforce with the aptitude and right mindset to defend DoD systems from both potential and lurking threats. The Directive continues to allow DoD to place the right individuals with the right abilities in the right positions.