Persons who come under the directive include contractors, consultants, part-time or full-time military personnel, and civilian employees who perform management and technical information assurance roles and functions. Personnel that are affected by DoD 8570 have to be trained according to the directive and certified. The certification requirements of the various functions demonstrate the ability of the individual to perform that specific duty. The types of roles that DoD 8570 defines are those responsible for the protection of vital information that is in the nation’s interests. NOTE: DoD 8570 will eventually be replaced by DoD 8140. However, at the time of writing the manual for DoD 8140 is yet to be published. Creation of manuals for DoD directives often take several years, and until such a time as the directive is documented, DoD 8570 will remain the key directive for the Information Assurance workforce at the DoD.
What is the DoD IAM?
The DoD is a highly structured organization with a distinct hierarchy. The overarching structure is called the “Information Assurance Workforce, Workforce Improvement Program” (IA WIP). Within this workforce umbrella are two separate categories called Information Assurance Technical (IAT) and Information Assurance Management (IAM).
What are the DoD IAM Levels?
Within the IAM category are three levels, each having its own sub-levels:
Level 1: Computing environment information assurance Level 2: Network environment information assurance Level 3: Enclave information assurance
The category levels reflect the system architecture and not the grade of the individual working in that area. Within each level are sublevels that represent the attainment grade of the individual. These attainment levels are:
Entry level Intermediate Advanced
Each level has a set of functions within it. For example:
Level 1 has functions such as apply IA policies and procedures, manage secure computing environments, and recognize and report possible security violations Level 2 has functions such as develop and implement IA policies, assist in gathering of evidence around computer crimes, and coordinate IA inspection and reviews Level 3 has functions such as prepare and oversee certification and accreditation procedures, cost benefit and economic reviews around IA policies, and analyze patterns of non-compliance
The levels in IAM become increasingly management orientated. Any persons wishing to work within these IAM levels must be certified to the correct level for the function they perform within a category. The IAM categories are cumulative, if you want to work at a Level 2 you need to have mastered Level 1.
How can I identify who’s in the IAM workforce?
The IAM workforce is at management level, and this is reflected in how you identify an IAM team member. The IAM workforce needs to be able to:
Demonstrate responsibility for managing information system security in Levels 1-3 – this is achieved by meeting certain requirements, including having the proper certification for that level. Work at a position that practices the functions required by the level as outlined in Chapter 4 of the manual “DoDD 8570.01, Information Assurance Workforce Improvement Program”
To demonstrate an IAM position, an individual must show proof of working within both requirements above. They must also possess the right level of certification and functional requirements for the position. Unlike their IAT counterparts, the IAM workforce do not have to sign a privileged access statement. Typical entities covered by the IA WIP include:
Military Civilians Local nationals Non-appropriated fund (NAF) personnel Contractors
What are the DoD IAM certifications?
Certification for an IAM position must reflect the functions required for the position. An employee has six months from the first assignment of a position, or from their start date for new employees, to achieve the required certification (although waivers are possible under certain circumstances). If the employee is in a combat situation, the individual has to be fully trained and certified before beginning the assignment. Again, certain circumstances can warrant a time-limited waiver. The certifications available for an IAM position are: Level 1
CAP: A Certified Authorization Professional certification aligns your skills with NIST’s Risk Management Framework (RMF) GSLC: GIAC® Security Leadership is a management-level certification for security professionals with supervisory responsibility Security+ CE: A CompTIA exam focusing on cybersecurity issues with an element of Continued Education (see below)
Level 2
CAP: See Level 1 CASP CE: Advanced Security Practitioner is a CompTIA exam showing your skills in enterprise security operations with an element of Continued Education (see below) CISM: Certified Information Security Manager demonstrates your business know-how in applying cybersecurity CISSP (or Associate): Certified Information Systems Security Professional demonstrates your knowledge and skills across the entire security landscape GSLC: See Level 1 CCNA Security: Cisco Certified Network Associate Security (CCNA) demonstrates you have the skills needed to develop a secure infrastructure and mitigate cyber threats
Level 3
CISM: See Level 2 CISSP (or Associate): See Level 2 GSLC: See Level 1
Some certifications expect a degree of continued education (CE) and continuous learning. The minimum continuous learning requirement for certifications included in DoD 8570 is 40 hours annually or 120 hours over a three-year period.
What are the steps to attain a DoD IAM certification?
IAM professionals must be trained and certified for the functions and the level they wish to work at.
Begin the process to certification
To start the process of DoD IAM certification you need to look at the requirements of the level/function you will be working at:
Position Level Certification
Communicate with your more senior Information Assurance Manager (IAM) in preparation for your training and certification exam. NOTE: IAM positions that also perform IAT tasks will need to acquire the relevant certifications for both the IAT and IAM levels and functions as appropriate. Also, a specific certification may cover more than one category.
Certification training
Training should be used in preparation for the certification exam to ensure best chances of success. The DoD 8570 manual does not recommend any specific training organization. However, certification bodies usually suggest approved training organizations, such as Infosec. Training can also involve on-the-job activities and continuing education.
Certification voucher
Once you are ready to take the exam, ask your senior IAM for a certification voucher.
Registering your certification
Successfully completed certifications need to be registered at the Defense Workforce Certification Application portal (DWCA).
Notify and complete
Let your IAM know you have completed steps 1-4. Once you have a completed certification and have registered with the DWCA portal, you should make sure your component’s IA Workforce personnel point of contact (POC) is aware of your certification status. This will ensure that your status is correctly recorded in the personnel databases of record. The Designated Accrediting Authority (DAA) may authorize waivers for certified IAM staff at Levels 1 or 2 to fill higher management positions in combat zones
Is training a requirement?
No, training is not specifically required to sit a certification exam. However, it is expected that you can prove you are ready to take the exam, and the DoD strongly encourages specialist exam preparation training. Your IAM may also expect you to sit a pre-exam or similar to prove you are ready to sit the exam. Unless you can satisfy your IAM of your readiness to pass the certification, they may not release the voucher needed to progress your certification process.
Can I retake an exam if I fail?
Yes, an exam retake is allowed. However, there is a limit on the number of times you will be funded to take retests. After the first funded retest you may have to self-fund subsequent retests. To avoid having to pay for retest, make sure that you are fully prepared and trained to sit the exam and pass first-time.
Who pays for the certifications?
Uniformed personnel: There is a specific amendment under Chapter 101 of Title 10, United States Code that allows for payment of commercial certifications. Civilian personnel: Funding is up to each component to decide. Contractors: It is advised that components should not pay for contractor certification but may provide training on specific DoD systems.
Some certifications expect a degree of continued education (CE) and continuous learning. The minimum continuous learning requirement for certifications included in DoD 8570 is 40 hours annually or 120 hours over a three-year period.
What Can Infosec do for you?
Infoec has many specialized training packages that meet the stringent requirements of DoD 8570 approved certifications. The training courses offered by Infosec are designed to be highly accessible and prepare you for exam success. Infosec Boot Camps for certifications such as A+, Network+ and CySA+ will give you the best possible chance of getting through your IAM focused certifications.
Sources
DoDD 8570.01, Information Assurance Workforce Improvement Program Defense Workforce Certification Application