DoD Directive 8570-1 reflects the efforts of the Department of Defense to create and maintain a world-class, digital battlefield-ready information assurance workforce. This new DoD-wide policy, made official in August 2004 and implemented in December 2005, mandates that any full or part-time military service member, contractor, or foreign employee with privileged access to a DoD information systems, regardless of job or occupational series, obtains a commercial information security credential accredited by ANSI or equivalent authorized body under ISO/IEC Standard 17024:2003. The directive also requires that those same personnel must maintain their certified status with a certain numbr of hours of continuing professional education each year.

Additionally, DoD Directive 8570-1 defines two Information Assurance Categories (Technical and Management) and three levels (Level I, Level II, Level III) as well as defines baseline commercial certifications for each level as outlined below. The Learning Center has made the acquisition and compliancy with this program an easy purchase for all DoD agencies.

Per DoD 8570.01-M (Information Assurance Workforce Improvement Program) Incorporating Change 2, April 20, 2010, the following additional certifications are required:

C3.2.4.8.3. In addition to the baseline IA (Information Assurance) certification requirement for their level, IATs (Information Assurance Technicians) with privileged access must obtain appropriate Computing Environment (CE) certifications for the operating system(s) and/or security related tools/devices they support as required by their employing organization. If supporting multiple tools and devices, an IAT should obtain CE certifications for all the tools and devices they are supporting. At a minimum the IAT should obtain a certification for the tool or device he or she spends the most time supporting. For example, if an IAT is spending most of his or her time supporting security functions on a CISCO router, the IAT should obtain a CE certification for that equipment.

This requirement ensures they can effectively apply IA requirements to their hardware and software systems.

What is the DoD Directive 8570.1?

• The Directive provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce.
• It requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement.
• The Directive's accompanying DoD 8570.01-M Manual identifies the specific certifications mandated by the Directive's enterprise-wide certification program.

The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures.

What is DoD 8570.01-M?

• DoD 8570.01-M is the Information Assurance Workforce Improvement Program Manual (click here for link to complete manual).
• It provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance (IA) functions in assigned duty positions.
• It provides guidance for the identification and categorization of positions and certification of personnel conducting Information Assurance (IA) functions within the DoD workforce supporting the DoD Global Information Grid (GIG).
• It provides guidance to develop a DoD IA workforce with a common understanding of the concepts, principles, and applications of IA for each category, specialty, level, and function to enhance protection and availability of DoD information, information systems, and networks.
• It provides information and guidance on reporting metrics and the implementation schedule.

What is Information Assurance (IA)?

• IA functions focus on the development, operation, management, and enforcement of security capabilities for systems and networks.
• Personnel performing IA functions establish IA policies and implement security measures and procedures for the Department of Defense and affiliated information systems and networks.
• IA measures protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for their restoration by incorporating protection, detection, and reaction capabilities.
• IA Personnel perform the following IA oversight responsibilities:  
  • Work closely with data owners, information system owners, and users to ensure secure use and operation of information systems (IS) and networks.
  • Ensure rigorous application of IA policies, principles, and practices in the delivery of all information technology (IT) services.
  • Maintain system audit functions and periodically review audit information for detection of system abuses.
  • Identify IA requirements as part of the IT acquisition development process.
  • Assess and implement identified corrections (e.g., system patches and fixes) associated with technical vulnerabilities as part of the Information Assurance Vulnerability Management (IAVM) program.
  • Maintain configuration control of hardware, systems, and application software.
  • Identify and properly react to security anomalies or integrity loopholes such as system weaknesses or vulnerabilities.
  • Install and administer user identification or authentication mechanisms.