DoD Directive 8570.01 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Cyberspace (CS)/Information Assurance (IA) workforce. The policy requires Cyberspace (formerly known as Information Assurance) technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.
Much of the Directive addresses workforce management issues. Components must identify and document Cyberspace/IA personnel and positions in personnel and manpower databases and make certain that Cyberspace/IA personnel meet training and certification requirements related to their job functions.
The ultimate vision of the Directive is a sustained, professional Cyberspace/IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.
The Manual has been approved by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII)/DoD Chief Information Officer (CIO), and compliance with its requirements is now mandatory for all DoD organizations. A copy of the Manual is available on the DoD Publications website at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf.
(I have received e-mails from commercial activities stating that I must attend a mandatory training session on implementing DoD 8570.1)
No. Neither you nor your organization needs special training regarding the implementation of DoD 8570. Furthermore, the DoD has not sponsored or required any commercial 8570.1 implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.1 implementation.
The Defense-wide Information Assurance Program (DIAP) is available to provide briefs and regional or major command workshops to support Components’ 8570 implementation planning. You are strongly encouraged to work within your Component Human Resources and Cyberspace/IA operations leadership to establish a plan for meeting the requirements outlined in DoD 8570.1 and DoD 8570.1-M.
For DoD military and civilian Cyberspace/IA Workforce members, the DoD Component must budget for and pay for an individual’s required certification. The Component must also ensure appropriate training is provided for the position and preparation for the certification exam.
Yes. The DoD CIO has included funding in the Quadrennial Defense Review (QDR) and the PDM to support initial implementation requirements including certifications exams, personnel database updates, and training support. These requirements cover the Cyberspace/IA WIP implementation phase from FY07 to FY10. DoD Components are required to include Cyberspace/IA WIP sustainment requirements in their budget plans.
The Government cannot pay for contractor certification or certification preparation training. However, the Government can support contractor training for the actual system and procedures they are supporting.
Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their Cyberspace/IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing Cyberspace/IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual.
See the question “How can I Identify the Cyberspace/IA Workforce?” later in this FAQ document.
The training, certification, and workforce management requirements of 8570.1 apply to all members of the DoD Cyberspace/IA workforce including military, civilians, foreign nationals, local nationals, Non-appropriated fund (NAF), and contractors. They apply whether the duties are performed full-time, part-time, or as an embedded duty.
Future updates to the Manual will incorporate additional portions of the Cyberspace/IA workforce. A chapter on "System Architecture and Engineering" is currently under development, which will establish certification requirements for members of the workforce who perform system design functions, such as requirements gathering, that are not currently covered by the manual. Additional Chapters will be drafted for "Certification and Accreditation" and "Vulnerability Analysts."
Until these chapters are published, positions/personnel performing these functions with privileged access for the Computing, Network, or Enclave Environment should be included as IAT or IAM Levels I – III based on the environment they are working in.
Components and Agencies are required to have all identified Cyberspace/IA personnel certified to the baseline requirement within four fiscal years of the Manual’s publication date (19 Dec 2005). The Manual requires 10 percent of the Cyberspace/IA workforce to become certified in FY07 and an additional 30 percent each fiscal year after that. At the end of the fourth year (FY 2010), all personnel performing Cyberspace/IA functions described in the DoD 8570.1-M should be certified.
Yes. As part of the DoD’s formal staffing process, USD P&R conducted a “national consultation” (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or were supportive of the Cyberspace/IA WIP.
The National Consultation (NCR) mentioned above does not absolve local parties from fulfilling their local bargaining obligations as appropriate prior to implementation of DoD policy. They can participate in the planning for meeting the Cyberspace/IA WIP requirements for the Civilian Cyberspace/IA Workforce. The local union cannot negotiate the actual local implementation requirements.
Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD internally available training (e.g., Service Schoolhouse Cyberspace/IA courses, DISA web based training) or external training currently supported by your Component for courses with learning objectives directly aligned to baseline certifications outlined in the Manual.
Components should identify Cyberspace/IA workforce positions and personnel based on the categories, levels, and functions for IAT and IAM levels I – III described in DoD 8570.01-M. Positions/personnel performing specialized functions for the Computing, Network, or Enclave Environment should be included as IAT or IAM Levels I – III based on the environment they are working in. Specialized Cyberspace/IA positions include Certification and Accreditation, Computer Network Defense, Vulnerability Analysts, and Information System Architects and Engineers (defined below) (see question on Identifying the Cyberspace/IA Workforce below for more information):
Certification and Accreditation: Personnel who support the documentation and compliance with the standard process, set of activities, general tasks, and management structure to certify and accredit DoD Information Systems that will maintain the information assurance and security posture of the Defense Information Infrastructure (DII).
Computer Network Defense: Computer Network Defense (CND) personnel provide CND situational awareness, implement CND protect measures, monitor and analyze in order to detect unauthorized activity, and implement CND operational direction. CND Services are commonly provided by Computer Emergency or Incident Response Teams (CERT/CIRT) and may be associated with a Network Operations Center (NOSC).
Information System Architecture and Engineering: Personnel who design, develop, implement, and/or integrate a DoD IA architecture, system, or system component for use in IA level I, II, or III environments. They may perform these tasks as either Technical or Management levels depending on whether they have privileged access or perform management type tasks.
Vulnerability Analysts (VA): Provide on-site information system analysis to develop and provide a site “security profile”. Vulnerability Analysts travel to various sites to collect and analyze system configuration data to provide accurate security profiles to the local IAM.
Yes. The 8570.1 and 8570.01-M do not set a limit on the number of times a person may attempt to qualify for certification. However, Components must support at least one retest attempt but may set a limit on the number of additional retests they will support. Remember, until a DoD military or civilian employee completes the requirements of the Cyberspace/IA WIP, to include becoming fully certified, they are not authorized to fill an IAT or IAM billet (after the 4-year implementation phase). If the member’s Component has set a limit on the number of retest attempts, an individual may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements such as background investigation, OJT, etc.).
First, the Cyberspace/IA WIP is a workforce management program. The key to workforce management is the position. All positions required to perform Cyberspace/IA functions must be identified. Second, any person filling that position is then automatically part of the Cyberspace/IA WF, whether it is full-time, part-time, or embedded duty, and whether it is their “primary specialty”, a secondary specialty, or not a specialty but just another duty as assigned (the intent of the Cyberspace/IA WIP is to minimize or eliminate IATs in the embedded duty group).
Identifying whether a position is an IA position is basically very simple. The DoD 8570.01-M establishes the basic requirements. The current version of the Manual has two categories, technical (IAT) and management (IAM). Each category has three levels based on where the position is located within the overall IS architecture. Each level of architecture is specifically defined in Appendix 1 to the Manual. The Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the “IA Level” is related to the system architecture, not to an individual’s grade or experience.
Chapters 3 and 4 of the Manual list Cyberspace/IA functions for each level of the information system architecture depicted above. Positions/personnel required to perform any of these functions are part of the Cyberspace/IA workforce.
Two basic questions to help identify IA Technical positions:
Two basic questions to help identify IA Management positions:
Note: additional categories of the IA WF have been identified, and chapters will be added to include them in the future, such as C&A, CND, ISS Architects, and Vulnerability Analysis.
For more information about DoD Directive 8570.1 and the enterprise-wide training and certification initiative, contact the DoD Cyber Exchange Help Section.
For a copy of the Manual, DoD 8570.1M, check the DoD Publications website at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf.
No. The 8570 provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with Component, command, or community specific requirements for Cyberspace/IA training and/or certification.
Your Component may require personnel performing Cyberspace/IA job functions to complete specific certifications in addition to those identified in the Manual. Confirm with your direct supervisor or Cyberspace/IA leadership that you are categorized and certified at the right level and meet the appropriate Component specific requirements.
Notify your respective personnel point of contact to make certain that your certification status is documented in the appropriate personnel database of record.
Also, you will need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). Note that all certifications included in the Manual either currently require, or will require in the near future, continuous learning as part of their certification requirements. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.
In addition, the Manual requires IATs to obtain a local operating system certification.
Under DoD Directive 8570.1 and as specified in DoD 8570.1-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a “pre-test” or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.
Yes. Chapter 101 of Title 10, United States Code has been amended to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. The FY06 DoD Appropriations Bill gives uniformed personnel parity with civilians.
The minimum continuous learning requirement for certifications included under DoD 8570.1M is typically 40 hours annually or 120 hours over a three-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, DoD CIO is working with certification providers to identify proposed activities that would qualify for credit.
Note that all certifications included in the Manual currently require or will require continuous learning as part of retaining certification status.
Contractors performing Cyberspace/IA functions on a DoD system must meet the certification requirements established in the DoD 8570.1-M for the category and level functions they are performing. Like the Military and Civilian Cyberspace/IA workforce, contractors have four years to meet the requirements of the 8570.1-M. The requirement is for 10% to be certified in the first year and 30% each year after that. Other specific requirements from the Manual include:
The DoD Chief Information Officer (CIO) has coordinated with the Undersecretary of Defense for Acquisition, Technology, and Logistics (AT&L) body, the Defense Acquisition Regulations (DARs) Council to propose language to include in the Defense Acquisition Regulations (DFARS). These changes were approved by the Council and are currently in the “formal” staffing process before they can be added to the DFARS.
Until these changes are made in the DFARS, Components may use “local” clauses to implement these requirements for the contractor community. This website will contain a sample clause currently in use by a DoD Component.
In general, contractors must certify 10% in FY07 and 30% each subsequent year, attaining 100% by the end of FY10.
There are a variety of ways Components can operationalize this requirement. After reviewing and assessing current Cyberspace/IA support contracts and considering new requirements, renewal/expiration dates, the contractor implementation requirements described above, and the length of current contracts, Components should plan on one of the following:
The answer to this question depends on the purpose of the report and the organizational relationships.
For this purpose the DoD 8570.1-M reporting requirements are position driven. To effectively “manage” the IA workforce, the DoD Components and local commands must know any position (table of organization or manning document) required to perform IA functions by category and level.
We must also know the qualifications of the person filling that billet. Therefore, if a person is filling more than one Cyberspace/IA position, that person and their qualifications must be reported against that position requirement. However, if the person is performing those functions due to undermanning, then the position should be reported as not filled.
Paragraph C7.2.5. of the DoD 8570.01-M says Components must “…track IA personnel training and certification against position requirements. Positions performing both management and technical functions must be identified individually in the appropriate manpower database. Personnel filling these positions must be aligned with both positions and maintain the appropriate certification/qualifications for each.”
Example A: A person filling an IAT Level I position and also performing IAM Level I functions should have positions indicated in the manpower documents for each category. That person and their qualifications would be reported against each position. This is how management can analyze the Cyberspace/IA workforce requirements achievement both from a “positions filled” and “positions filled with qualified people” viewpoint.
Personnel performing Cyberspace/IA functions as both Government Service (GS) civilian personnel and military reservists must be reported separately for each position.
Example B: A GS-12 IAT Level I performs full-time Cyberspace/IA functions in a designated civilian Cyberspace/IA position. This individual is also a Major (O-4) in the Army Reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be reported individually (reported from each respective organization). The person requirement would also be reported against each position, since the person is filling two completely separate personnel and manning requirements.
FISMA reporting is based on Office of Management and Budget reporting requirements and is person driven. Their basic requirement is to identify anyone performing Cyberspace/IA functions and whether they have been trained to perform those functions. The 2006 FISMA Guidance notes that “if an individual is performing multiple IA categories, only count them once based on the Cyberspace/IA role they spend the highest percentage of their time/effort” on. Thus, for FISMA, only report a person performing Cyberspace/IA functions one time, based on the position they spend the most time performing. If the person is “double hatted” due to covering functions for an unfilled Cyberspace/IA position, only count them in the position they spend the most time performing.
Example A: An IAT Level I is assigned a primary duty (25 hours + per week) to support Cyberspace/IA requirements for System A. There is another empty official “documented position” for System B which is collocated and the individual is required to cover the Cyberspace/IA functions of that position (as an additional or embedded duty, 24 hours or less per week). Since FISMA is person focused, you would only report the individual based on the position requiring the highest percentage of their time – System A in this case.
Example B: A GS-12 IAT Level I performs full-time Cyberspace/IA functions in a designated civilian Cyberspace/IA position. This individual is also a Major (O-4) in the Army Reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be included in the FISMA report (reported from each respective organization). The person requirement would also be reported against each position since the person is filling two completely separate personnel requirements.
Example C: A Marine Corps Master Sergeant performs full-time IAT Level II functions in a joint combatant command headquarters. Who should report his position and personnel qualifications to FISMA? The Combatant Command owning the “joint” billet should report the MSgt. as one of their positions in their FISMA Report to the J-6. Every joint billet is supported by one of the Components, so in this case the Marine Corps is responsible for providing an appropriately certified Marine for the Cyberspace/IA position. However, the Joint Staff or Combatant Command is responsible for filling that billet with a qualified person and reporting for FISMA. Note that joint billets should be identified in the e-Joint Manpower and Personnel System (e-JMAMP).
However, in all cases, the operational management of the Cyberspace/IA workforce (the IAM) for all systems must know their Cyberspace/IA positions and the qualifications of the people filling them.
Components must track their personnel against authorized end strength. They must also track each person’s Cyberspace/IA qualifications (no matter what their current position assignment). End strength is people driven. For end strength, only count a person one time. Each person’s Cyberspace/IA certification/qualification will be maintained whether or not they are currently in an IA position.
The DoD 8570.1 Directive and the DoD 8570.01-M established the DoD IA Workforce Improvement Program Advisory Council. This Council will work to keep the requirements of the Cyberspace/IA WIP current and make appropriate updates and improvements. Each major DoD Component is represented. Under the Council will be committees. The Component representative to the Committee will be able to gather input from their Cyberspace/IA WF to submit to their Committees.
Understanding these terms is essential to properly identifying your Cyberspace/IA Workforce. These terms are based on basic system architecture, not on base, station, or command structure.
Appendix 1 of the DoD 8570.01-M contains definitions for each of these environments.
The diagram below portrays the basics of the three levels. The key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports.
This diagram depicts a basic enclave within a DoD Component: