D.O.D. Directive 8570.1
Since '911' the US government says that training is our first line of defense. If you deal with government contracts, or supply goods that may ultimately be used in a government sponsored effort, you may be directly subject to the Department of Defense's Directive 8570.1.
If you deal in a non-DoD industry that is subject to client privacy or data security, you have the same problem. The training mandate, in short, requires all of us to understand our data management and information systems, and have 'certified' personnel on staff to deal with it. For the government and its contractors, it has never been more important to protect and defend their data and information systems. According to a recent survey, data security intrusions have increased by more than 50%. In fact, 84% of respondents blamed their security breaches on human error - which is directly attributed to a lack of security knowledge, training, or failure to follow security procedures. The statisticsfor breaches in data security in 'privacy of information' areas were also attributed to lack of training and human error. The solution that meets these compliancy requirements is to get your staff certified in solutions that comply with the country's need for data security and privacy.
The best line of defense for all private companies is to have aware computer users and well-trained IT professionals. That's why Directive 8570.1 was put into place. This enterprise-wide mandate requires that any personnel conducting Information Assurance(IA )functions be trained and certified in a commercial certification on the concepts, principles,and applications to enhance protection of the necessary information,information systems, and networks.
On August 15, 2004 DoD Chief information officer, John G. Grimes signed The Department of Defense directive 8570.01-M, Information Assurance Workforce Improvement Program, formally activated December 2005. The directive requires all individuals possessing privileged access to a DoD Information System to be properly trained and certified in the secure operation of computer systems used throughout the DoD Global Information Grid. The DoD estimates that the directive affects more than 100,000 personnel, including full and part-time military service members, civilians, foreign nationals, local nationals, and contractors.
The DoD 8570.01-M, details the requirements for training, certification, and implementation of the directive. DoD Directive 8570.1 requires military services and defense agencies to formally identify all personnel with responsibility to Information Assurance (IA). Agencies must ensure that each worker has the appropriate training and certifications required for that position, as established by DoD.
Outlined by the directive, detailed personnel must procure the training and achieve the certifications over a four year period. Failure to meet the certification provisions could expose individuals to loss of positions and the agencies they serve to possible loss of funding by the U.S. Congress.
What is DoD Directive 8570.1?
Directive 8570.1 is part of a new National Strategy to Secure Cyberspace; a coordinated approach to ensure that computer systems throughout the public and private sectors are securely operated. The strategy was ordered by Congress in the Federal Information Security Management Act (FISMA), which became law in 2002. The statute requires that every federal agency develop, document, and implement an agency-wide program to provide information security for the information systems they use, including those provided or managed by other agencies or sources.
The law stipulates that any individual who performs an IA function must be certified in order to retain his or her job. Government agencies are required to report annually to the Office of Management and Budget (OMB) and to Congress about their compliance. If proper compliance is not met, agencies could lose funding. Proper certification must be met in four years.
Once certified, individuals are required to maintain their certification status. They can either re-certify every three years with the organization that provided their certification, or they can obtain 120 hours of continuing education in any format that supports information security in their functional area.
What Agencies are affected by 8570?
All IA Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged system access who performs IA functions.
This includes:
* Office of the Secretary of Defense
* Military Departments
* Chairman of the Joint Chiefs of Staff
* Combatant Commands
* Office of the Inspector General of the DoD
* Defense Agencies
* DoD Field Activities
* all other organizational entities in the DoD
The required procedures for training, certification, and workforce management detailed in DoD 8570.01-M apply to all members of the DoD IA workforce including military personnel, civilians, foreign nationals, local nationals, and contractors, and the requirements apply whether the duties are performed full- time, part-time, or as an embedded duty. Future updates to the manual will incorporate additional members of the IA workforce.
Categories and levels within DoD 8570.1-M
In the directive, the IA workforce is identified within two overall categories: Technical and Management. These categories are subdivided into three levels, each based on functional skill requirements and system environment focus.
IA personnel must be certified under a credential that meets the criteria laid out in these six matrixed categories. Managers must meet the certification requirements outlined under the Technical III (T3) and all Management categories (M1, M2, and M3). Technical personnel must meet the certification requirements outlined under the Technical I (T1) and Technical II (T2) categories.
What types of training does the directive require?
IA certification programs are intended to produce IA personnel with the demonstrated ability to perform the functions of their assigned position. Each category and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training (classroom or online), experiential activities such as on-the-job training, and continuing education.