Is it Really Working?
The Department of Defense 8570 provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance functions in assigned duty positions. It also provides guidance on reporting metrics.
Agencies covered by 8570 include:
- Office of the Secretary of Defense
- Military Departments
- Chairman of the Joint Chiefs of Staff
- Combatant Commands
- Office of the Inspector General of the DoD
- Defense Agencies
- DoD Field Activities
- All other organizational entities in the DoD
Who is affected by 8570?
Any full- or part-time military service member, contractor, or local national with privileged access to a DoD information system who performs information assurance (security) functions -- regardless of job or occupational series.
The manual, 8570.01-M, specifies that the Department of Defense requires approximately 110,000 identified Information Assurance professionals to be certified within a five-year period. The Defense Information Assurance Program office has divided its Information Assurance workforce into six defined categories (see chart below). The manual also specifies the types of commercial information assurance credentials that qualify for each of the defined categories. [1]
Are Agencies on track to get their people certified?
Obviously we do not have access to the official numbers, but we believe Agencies are running a bit behind. According to the manual, year one was fiscal year 2006, and Agencies were to identify Information Assurance workforce positions and fill 10 percent of the IA positions with certified personnel. [2] Most people agree that did not happen. Thereafter:
- Fiscal year 2007: the goal was to fill a total of 40 percent of the Information Assurance positions with certified personnel.
- Fiscal year 2008: the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.
- Fiscal year 2009 and beyond: the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.
Is 8570 achieving its goals?
If we put aside the number of people who have completed the requirement, yes, the program really is working well. Let's examine the goals and see.
- "Develop a DoD IA workforce with a common understanding of the concepts, principles, and applications of IA for each category, level, and function to enhance protection and availability of DoD information, information systems, and networks." I have personally reviewed a number of the training courses and yes, there are some small differences in terminology or philosophy, but they are all remarkably consistent. As an example, I have reviewed our CISSP training course, as well as the Shon Harris CISSP study book and my own course, SANS Security Leadership Essentials, and they are 99.9% in alignment. In addition, when making any updates to my course I am carefully reading the NIST SP 800 security guidance to make sure I am consistent with that as well.
- "Establish baseline technical and management IA skills among personnel performing IA functions across the DoD enterprise." This is working as well. A certification sets a minimum standard. When DoD students show up in my class, they are focused, clearly paying attention, want to learn, and want to pass the GIAC GSLC exam. No question about it, and I have taught hundreds of 8570 DoD students at this point. I had my doubts at one point, but I can tell you that certification really matters; I have been researching that for years.
- "Provide warfighters qualified IA personnel in each category and level." This is probably the worst-performing objective of the 8570 program. For some reason they put the CISA and CISSP in for their highest-level technical people, IAT level 3. Neither of those certifications tests advanced technical knowledge. However, it is a starting point, and if we focus on the success of bringing up the base, they can update the document as the program moves forward.
- "Implement a formal IA workforce skill development and sustainment process, comprised of resident courses, distributive training, blended training, supervised on-the-job training, exercises, and certification/recertification." This is happening! Industry has jumped to meet the demand and the Department of Defense has a large number of options. Simply type 8570 into Google and you will see what I mean.
- "Verify IA workforce knowledge and skills through standard certification testing." The key point here is the word standard. 8570 requires the certifications to be ANSI accredited. This is not easy, but it really helps improve the quality.
- "Augment and expand on a continuous basis the knowledge and skills obtained through experience or formal education." Education cannot end simply because the class is over and the individual is certified. This happens in several ways. Courses are always being updated; I know I drive our book people crazy, because after I teach my course four or five times, I want to do an update to put in the newest threat data. So as people attend SANS Security Leadership Essentials or other 8570 courses and come back to the workplace, they can share the latest information with their co-workers. Also, we have a mailing list for all alumni, so they can help each other and share what they are learning. And I am always looking for ways to adjust the course to meet the needs of the warfighter.
The bottom line!
Agencies appear to be a bit behind in sending people to be trained and certified, and there is a bit of a lowest-common-denominator problem where some of the courses and certifications are not technical enough to meet the needs of the warfighter. However, those are minor nits; overall, the program is clearly meeting its objectives. This was a very forward-thinking program, and it will benefit the Department of Defense for years to come.
References
- DoD 8570 — Overview
- DoD 8570 — Official Manual
- SANS® +S Training Program for the CISSP® Certification Exam
- CISSP Certification All-in-One Exam Guide, 4th Ed.
- SANS Security Leadership Essentials For Managers with Knowledge Compression
- NIST SP 800
- www.giac.org
- GIAC Security Leadership Certification (GSLC)
- Why Certification Matters
- Global Information Assurance Certification (GIAC) Announces ANSI/ISO/IEC 17024 Accreditation