DoD 8570

The ultimate guide to DoD 8570 certification and compliance

August 30, 2018 by Beth Osborne

If you are a systems security engineer or an IT security contractor interested in working for the DoD (Department of Defense), you need to know about DoD Directive 8570. It is a baseline criterion for operating the Department of Defense’s IT systems. Specifically, it is a policy designed by the DoD’s Information Assurance Workforce Improvement Program (IA WIP) that requires all DoD personnel with privileged access to DoD systems, including defense contractors, military service personnel, and foreign and civilian employees, to hold certain Information Assurance certifications and training.

The aim of the directive is a skilled, uniform Information Assurance workforce with the ability and knowledge to effectively identify and mitigate attacks against the Department of Defense’s information infrastructures, information systems, and information.

Who needs to comply with DoD 8570?

DoD 8570 applies to any part-time or full-time contractor, member of the military, or local national with privileged access to a DoD system who executes information assurance functions, regardless of role or branch of occupation. Hence, defense agencies, combatant commands, military departments, the Office of the Secretary of Defense, the Office of the DoD Inspector General, and all other organizational bodies within the DoD are subject to its requirements.

Are contractors & government employees treated differently?

DoD Components must individually budget for and cover the recommended certifications of DoD civilian and military IA Workforce members. These requirements include the IA WIP period from FY07 to FY10. Components should also include the sustainment requirements of the IA WIP in their budget plans. In addition, Services are permitted to use appropriated funds to pay for commercial tests (certifications) for uniformed personnel. Whether or not appropriate funding for commercial certifications is available to the service is up to each Component.

When it comes to contractors, Components should not pay for them to retain/obtain necessary certifications. However, Components are free to offer additional training on DoD-specific or local system procedures.

How has DoD 8570 changed over the years?

Signed December 19, 2005, DoD 8570 was established to address the concern of unqualified workers repeatedly taking up cyber-security positions. This Directive meant that anyone who touched missions, security, and intelligence in cyberspace working with or for the DoD would need to be qualified and trained per the standards set in the directive. At the same time, the 8570 manual was published, and so marked the beginning of the DoD abiding by these rules for qualifying and managing cyber personnel.

The guideline brought several changes in the way the government dealt with cybersecurity personnel. Units were able to request funds to train current employees and raise the skills of existing staff to the level required to do their jobs efficiently. It also made way for the form of training to change before new personnel were assigned IA jobs. Most noteworthy, the Department of Defense was able to raise the standards of its professionals and the industry. It broke 8570 down into certifications and categories, and helped set standards that had been needed for a long time.

Needless to say, a lot has changed since the release of DoD 8570. Recently, stakeholders recognized that there was a need to tweak the way the DoD handled network security and data. Advancements in these technologies and the uptick in cyber-attacks were the driving force behind the development of a new directive that is gradually replacing DoD 8570.

Signed August 11, 2015, the DoD 8140 Directive focuses on hands-on experience and confirms how crucial renowned IT certifications like CISSP are to landing IT security positions in DoD. The training framework in its manual is expected to be based on the NICE (National Initiative for Cybersecurity Education) framework, which emphasizes “live fire” training, and gives actual exercises to determine whether someone is qualified to tackle real-world cybersecurity challenges.

Consequently, there’s a clear indication that the 8140 Directive will replace DoD 8570. In fact, the transition has already occurred with the adoption of the DoD 8570 Approved Baseline Certifications.

That said, it will take DoD 8140 a few years to mature, so DoD is expected to continue following the 8570 manual for the time being.

How does DoD 8570 work?

DoD 8570 states that all individuals in charge of information assurance for department IT systems must possess the certifications needed to do their jobs effectively. The certifications fall into different categories such as:

  • IAT (Information Assurance Technical) certifications: Prepare students to handle the technical side of things.
  • IAM (Information Assurance Management) certifications: Prepare students to handle the managerial side of things.

Each of these categories has levels or subcategories outlined in them. IAT, IAM & IASAE are sub-categorized into three levels based on the nature of job skills. Level 1 jobs are based on system/PC assets. Level 2 jobs relate to managing network-level equipment and the supporting architecture. Level 3 contains all the elements of previous levels and introduces enterprise or enclave server environments.

Additionally, there are specialties like the IASAE (Information Assurance System Architecture & Engineering) and Cyber Security Service Provider (CSSP) certifications available to pursue. In general, these higher-end certifications are suitable for anyone who has the responsibility for the development, design, integration, and/or implementation of DoD IA infrastructure, architecture, or system component for a DoD network, enclave, or computing environment. Ideally, mid- and senior-level managers who have already secured positions as Senior Security Engineers, CISOs or CSOs would benefit most from these specializations.

Certifications required for DoD 8570 compliance

An individual must obtain only one of the listed certifications in his or her IA category or level and specialty to fulfill the minimum requirement. However, conditions apply whether the duty is performed part-time, full-time, or as an embedded duty. Below is a table that highlights certifications needed for DoD 8570 compliance.

| Position category, specialty and level | Certification |
| --- | --- |
| IAT Level I | A+, CCNA, Network+, SSCP, CND |
| IAT Level II | CCNA, CySA+, Security+, SSCP, GSEC, GICSP, CND |
| IAT Level III | CASP+, CCNP, CISA, CISSP, GCIH, GCED |
| IAM Level I | CAP, Cloud+, Security+, CND, GSLC |
| IAM Level II | CAP, CASP+, CISM, CISSP, GSLC, CCISO |
| IAM Level III | CISM, CISSP, GSLC, CCISO |
| IASAE I | CASP+, CISSP, CSSLP |
| IASAE II | CASP+, CISSP, CSSLP |
| IASAE III | CISSP-ISSAP, CISSP-ISSEP |
| CSSP Analyst | CEH, CCNA Cyber Ops, CCNA, CySA+, Cloud+, PenTest+, GCIH, CFR, GCIA, GICSP, SCYBER |
| CSSP Infrastructure Support | CEH, CySA+, SSCP, Cloud+, GICSP, CHFI, CFR, CND |
| CSSP Incident Responder | CEH, CCNA Cyber Ops, CCNA, CySA+, PenTest+, GCIH, CFR, CHFI, GCFA, SCYBER |
| CSSP Auditor | CEH, CySA+, CISA, PenTest+, GSNA, CFR |
| CSSP Manager | CISM, CISSP-ISSMP, CCISO |

Obtaining these certifications not only enhances your ability to do well in IA, but can also get you promoted, increasing your pay scale and prospects.

Do higher-level certifications satisfy lower-level requirements?

IAT certifications are cumulative. In this case, higher-level certifications fulfill lower-level requirements. However, IAM certifications equivalent to the level of position do not satisfy lower-level requirements. The latter requires personnel to gain one of the certifications relevant to that Management position. CISSP shouldn’t be taken by an IAM unless he/she is already eligible for the certification present in the IAM level 1 section. However, if they already hold an IAM level 2 or level 3 certification before they’re asked to take up an IAM level 1 position, they may leverage that certification to fulfill the IAM level 1 requirement.

Conclusion

For those with the desire to work with DoD, the certifications mentioned above are the first step. Under the DoD 8570 Directive, the ultimate vision is a sustained, knowledgeable IA workforce with the aptitude and right mindset to defend DoD systems from both potential and lurking threats. The Directive continues to allow DoD to place the right individuals with the right abilities in the right positions.
