In 2004, the US Department of Defense (DoD) established Directive 8570.1: Information Assurance Training, Certification and Workforce Management. It still stands as a mandate based on the requirement that all DoD information assurance technicians and managers be trained and certified. In this way it aims to ensure that everyone involved is able to effectively defend DoD information, information systems, and information infrastructures.
DoD 8570.01-M. DoD Approved/Required Certifications
IAT Level I
IAT Level II
Question: Who is impacted by this mandate?
Answer: Any employees of DoD or contractors doing business with DoD.
The relevant authorities at DoD have added a clause to the Defense Federal Acquisition Regulation Supplement (DFARS) that requires any company bidding on new DoD information technology (IT) contracts to do so exclusively with personnel compliant with Directive 8570.
Question: What are the ramifications of Directive 8570?
Answer: The mandate may have far-reaching implications, such as:
- It is generally viewed as a government endorsement of the effectiveness and cost efficiency of commercial certification.
- An important factor in selecting the above certifications is that they are internationally recognized and vendor-neutral, i.e., geared more towards job-specific skills than vendor-specific products.
- An advantage for the employee is that these certifications are portable in the sense that they are recognized in both the public and private sectors.
- The international standard ANSI/ISO/IEC 17024 is now mandated and endorsed by DoD for professional development.
- It emphasizes the information security profession as a distinct class of jobs and careers.
Question: Are the certification requirements for managers and for technically-oriented information assurance or information security personnel the same?
Answer: The complete directive matrix includes six different classes of job roles and responsibilities, with different certifications applicable to each category. Information assurance personnel are required to be certified under the credential(s) that meet the criteria laid out in these six classes. Managers are to meet the certification requirements listed under the Technical III (T3) and all Management categories (M1, M2 and M3). Technical personnel working at the DoD or on DoD contracts (external vendors/employees) are expected to abide by the certification requirements listed under the Technical I (T1) and Technical II (T2) categories.