Department of Defense Directive (DoDD) 8570.1-M

The Department of Defense's directive DoDD 8570.01-M, Information Assurance Workforce Improvement Program, supports DoD Directive 8570.1, which requires all individuals possessing privileged access to a DoD Information System (IS) to be properly trained and certified in the secure operation of computer systems used throughout the DoD's Global Information Grid.

DoD estimates that the directive affects more than 100,000 personnel, including full- and part-time military service members, civilians, foreign nationals, local nationals, and contractors.

DoD Directive 8570.1 was signed in August 2004 and formally activated in December 2005 with the release of DoD 8570.01-M, a manual detailing the requirements for training, certification, and implementation of the directive. DoD Directive 8570.1 requires military services and defense agencies to formally identify all personnel with responsibility for any aspect of Information Assurance (IA). The agencies must assign those individuals positions within a new organizational structure and ensure that each worker has the appropriate certifications required for that position, as established by DoD.

According the directive, all affected personnel must achieve certification over a four-year, phased-in period. Failure to meet the certification provisions could expose individuals to loss of position and the agencies they serve to possible loss of funding by the U.S. Congress.

DoD 8570.01-M is the most comprehensive response to the law by any federal department or agency since it lays out, for the first time, an IA architecture for the DoD. While the architecture applies only to training and certification requirements of DoD personnel, it is expected to become the basis of a government-wide approach to security.

What is DoD Directive 8570.1?

Directive 8570.1 is part of a new National Strategy to Secure Cyberspace, a coordinated approach to ensure that computer systems throughout the public and private sectors are securely operated. The strategy was ordered by Congress in the Federal Information Security Management Act (FISMA), which became law in 2002. The statute requires that every federal agency develop, document, and implement an agency-wide program to provide information security for the information systems they use, including those provided or managed by other agencies or sources.

The law stipulates that any individual who performs an IA function must be certified in order to retain his or her job. In addition, government agencies are required to report annually to the Office of Management and Budget (OMB) and Congress about their compliance with the law, and they could lose funding if they don't meet compliance thresholds. Agencies have only four years to have their IA personnel properly certified.

Once certified, individuals are required to maintain their certification status. They can either re-certify every three years with the organization that provided their certification, or they can obtain 120 hours of continuing education in any format that supports information security in their functional area.

What Agencies are affected by 8570?

All IA Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged system access who performs IA functions. This includes:

• Office of the Secretary of Defense
• Military Departments
• Chairman of the Joint Chiefs of Staff
• Combatant Commands
• Office of the Inspector General of the DoD
• Defense Agencies
• DoD Field Activities
• all other organizational entities in the DoD

DoDD 8570 Requires:

• By the end of CY 2010, all personnel performing IAT and IAM functions must be certified.
• By the end of CY 2011 all personnel performing CND-SP and IASAE roles must be certified.
• All IA jobs will be categorized as 'Technical' or 'Management' Level I, II, or III, and to be qualified for those jobs, you must be certified.

The required procedures for training, certification, and workforce management detailed in DoD 8570.01-M apply to all members of the DoD IA workforce including military personnel, civilians, foreign nationals, local nationals, and contractors, and the requirements apply whether the duties are performed full- time, part-time, or as an embedded duty. Future updates to the manual will incorporate additional members of the IA workforce.

Categories and levels within DoD 8570.1-M

In the directive, the IA workforce is identified within two overall categories: Technical and Management. These categories are subdivided into three levels, each based on functional skill requirements and system environment focus.

IA personnel must be certified under a credential that meets the criteria laid out in these six matrixed categories. Managers must meet the certification requirements outlined under the Technical III (T3) and all Management categories (M1, M2, and M3). Technical personnel must meet the certification requirements outlined under the Technical I (T1) and Technical II (T2) categories.

What types of training does the directive require?

IA certification programs are intended to produce IA personnel with the demonstrated ability to perform the functions of their assigned position. Each category and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training (classroom or online), experiential activities such as on-the-job training, and continuing education. Our CompTIA A+ Certification Training , CompTIA Security+ Training or (ISC)² CISSP training series are excellent, cost-effective ways to train you or your personnel for certification and meet the 8570.1 requirement.