Wayne Frazee.com
DoD 8570 and the Transformation of the Information Assurance Workforce
The effect of DoD IA guidelines on the IA workforce at large

Originally posted on my corporate blog at http://blog.avanadeadvisor.com/blogs/waynea

With the release of Department of Defense manual 8570.01M, I think it is fair to say that the private sector for Information Assurance (AKA IT Security) will see an accompanying transformation over the next 1-3 years as 8570-subject public-sector technical staff in current positions are certified and then look at other opportunities.

I admit that I began this article with a fair degree of tongue-in-cheek humor on what is, assuredly, a somber topic for some. I am a generalist System Engineer by trade, with a certain interest in security, and I hold several certifications relevant to my position. I am a consultant. My employer requires it. Our customers look for it. I was reading through the DoD 8570 requirements as well as GIAC's explanation of the same and the accompanying marketing spiel (available at http://www.giac.org/certifications/dod8570.php). When I moved on to read community reaction, frankly I was amazed at how tame it was.

First, if you really want to understand the nuts and bolts of 8570.01M, I would encourage you to click the links provided and read to your heart's content. Second, understand that I am neither a government nor an HR expert; I am merely providing my opinion on the subject. That having been said, let's take a look...

DoD 8570 ... What is it?

Or... "The Falconic Code Read It So You Don't Have To"

The Department of Defense Information Assurance Workforce Improvement Program manual was issued December 19, 2005 and published by the Assistant Secretary of Defense for Networks and Information Integration in conjunction with the Department of Defense CIO, pursuant to Department of Defense Directive 8570.1 issued August 15, 2004. In a nutshell, the new program mandates that professionals engaged on behalf of the DoD in providing Information Assurance functions, whatever their position happens to be, should be trained and certified in whatever they are doing, according to the level of their duties and responsibilities.

The first part of making sure that everyone who needs to be certified gets certified is identifying who and what should be certified, and to what level. To that end, the manual provides a breakdown and definition of who is subject to these guidelines. It then divides that population into two separate classes of Information Assurance worker: technical and management. Within each of these general categories, three levels of required certification are enacted, suitable to the assigned duties and the sensitivity of the responsibility that person holds. So....

  1. From the pool of any given DoD agency, identify who, exactly, is involved in "Information Assurance" (IA).
  2. From the pool of those involved in Information Assurance, determine who is an "Information Assurance Manager" (IAM) and who is "Information Assurance Technical" (IAT) staff.
  3. From those that are now identified as IAM and IAT, determine discrete categories or "Levels" of each type, IAM and IAT, according to the scope of responsibility or the systems they manage.
  4. Identify the specific requirements of each identified level for each IAM and IAT that should be trained and certified for deployment in the field (e.g. in the offices or duties they maintain).
  5. Based on these requirements, identify the industry-available certifications that correctly and fully address the specific requirements identified for each level.
  6. Based on the derived list of certifications, identify the industry-available training methods that will assist IAM and IAT resources in achieving the prescribed level of training and certification to meet the skill content objectives.

[Incidentally, superimposed over my spiffy little table is my new Falconic Code official logo thingy!]

This, obviously, is the logical interpretation of the specifications hastily drawn up by yours truly to offer an idea of where they went with the identification process.  In the manual, they have some nice, fancy graphics on the subject that I will not bother to reproduce here.  Essentially, Level I is considered to be those security resources who support the computing environment.  Level II is for Network and Advanced Computer resources (think Level 2 or 3 tech support, network engineers, WAN engineers, and anyone with "Senior" in the title).  Level III is designated "Enclave" in the manual.  These are essentially isolated support areas for advanced network and computing functions that support high security areas or have a large scope of responsibility.

Now, if you read the manual for yourself, there are a number of other areas covered, including making sure that each contractor in an IA position has an appropriate level of clearance, making sure that IA responsibilities are clearly defined and spelled out in any statement of work for a contractor, as well as establishing other guidelines specific to civilians in IA positions and a process for identifying and provisioning new certifications and training for each identified level and specialty. Oh, and just for fun, there is a clause in there stating that Contractor personnel supporting IA functions in Chapters 3 and 4 shall be appropriately certified prior to being engaged.

The Certification Breakdown

Identified in the manual are the current credentials accepted at time of release for the purposes of this program, according to the specialization and level of the resources involved in IA functions. These certifications must test on-the-job skills and contain all of the identified objectives for the given track and level, and the approved certifications are generally vendor-neutral in nature. Accordingly, the approved certifications hail from CompTIA, (ISC)2, ISACA, SecurityCertified.Net, and the SANS Institute (AKA GIAC).

This leads to the entire point of this thought... 

The Change in the Information Assurance Workforce

For years, I have worked in organizations that employed security personnel whose sole credential and basis for the position was that they had handled shared security duties as part of some previous position, or that they had experience with a given technical system (for example, let's say WSUS) and thus were given the job on the basis that they had more available experience than other candidates. What DoD 8570 is doing here is ensuring that anyone who wants to work as, consult for, or act as a contractor in any DoD-related agency will have to be appropriately certified for the given type and level of the capacity they are being asked to work in.

Immediately, this will see two things happen. Any existing or near-future requirements for contractors or subcontractors will see the bar raised so that candidates will not even be looked at without the base certifications required by the level of the given position. The second thing is that the new requirements will drive a fair-sized segment of contractors and consulting firms to push staff or prospective employees to obtain these certifications immediately.

In the long term, I would speculate that as positions shift, contracts come and go, and DoD gains and loses staffers, this will put further pressure on Information Assurance candidates, as there will be staff out there who have already been proven to meet the various levels specified by DoD 8570, which will push candidates to ride the upper edge of the certification window for each level. This, on the whole, is not by any means a bad thing, either for position candidates or for the organizations that would like to make use of their expertise. Ensuring that every candidate for a certain position meets a certain level of proven skills and expertise is a huge step forward. The further requirement of a practical observation of on-the-job applicable skill will further assist in ensuring that the people who protect our country's information systems are people with the necessary skills to do so adequately.

At the present time, as an aside, I have a great deal of respect for GIAC certifications.  I know two GSLC certified professionals who are, at present, senior security consultants, and I have seen the study materials they used as well as a printed copy of the study guides and subject matter material that GIAC uses to build the certification.  One of these people acted in an advisory capacity building the GSLC.  Suffice it to say that my experience with the certifications leads me to a great deal of respect for them. 

You will note that many of the certifications cited above (GSE, GSEC, GSLC, GISF, etc.) are certifications provided by SANS/GIAC. According to statistics on the GIAC website at the present time, 14,117 professionals have been certified in some capacity through GIAC. I wonder at the distortion that these certifications will see as the pool of interested professionals grows exponentially over the 1-2 year period that existing staff have to get trained and certified under the new guidelines. Knowing that a base of professionals potentially 10 times the number currently certified are looking at these certifications for possible needs in the future makes me wonder whether they will retain their value in the field over the next 2-5 years, as many more professionals are certified either in existing positions or in order to fill the contracting and consulting needs of the Department of Defense.

This same dynamic will be happening, to a lesser extent, to some of the less pragmatic but still respectable certifications such as the Security+, CISM, and CISSP. 

My Take

In my own personal experience, certifications are useful to get your foot in the door and show that you have some degree of interest in a given subject area. By and large, however, experience has been the true indicator for potential candidates that I have had to consider, as many certified professionals who have crossed my path have turned out to be paper thin. Still, I do not and cannot deny that any step forward that approaches ensuring that professionals acting in a security capacity within the IT industry are trained and certified appropriate to their position is a good thing. I think that, combined with practical on-the-job observation and recertification of security professionals, this is a real step in the right direction.

To security professionals everywhere (and particularly the currently unemployed): spend a few bucks now and make sure that you are not shut out of being part of this certified labor pool. If ever you were kicking around the idea of getting certified, get in now, get some experience, and work to obtain a certified position while the field is still relatively sparse of certified candidates. Understand that the dynamics of the industry will ensure that a year from now there will be quite a pool of candidates for recruiters and contracting agencies to choose from, so that if you take too long to move your own career forward, you risk being shut out of the industry for quite a while.

Finally, I would challenge those in private industry to realize that these steps that are deemed good for the government, despite their relative cost, are a framework suitable for many private organizations, particularly those in high-risk sectors. Banks, brokers, information warehousers, information processors: you are high-profile, critical targets for Information Assurance, and implementing the same training and certification requirements within your own organizational structure would do well both for ensuring the protection of your enterprise and for ensuring that all of your employees in a given function have at least an academic knowledge of the same general concepts. I would submit that the expense of getting existing staff certified is a small expenditure against the value of the experience that they will soon be able to put to work for your organization, preventing and reacting to vulnerabilities before they end up against the bottom line.

All content and materials Copyright ©2004 by Wayne S. Frazee. All Rights Reserved.

Please note that the postings on this site, including news, scribblings, past writings, posted files, and other material, are my own and do not necessarily represent Avanade's or Avanade's customers' positions, strategies or opinions, nor those of any organization I have previously worked with or represented.