Adapting to new cyber threats and managing new technologies remains a major focus of federal government agencies. As agency policies evolve to meet new challenges, they usually bring a host of acronyms that correspond to new certifications or technological “best practices” designed to maintain secure technology systems. As such, the Department of Defense (DoD) has put out comprehensive technology standards that federal contractors seeking to do business with DoD (and other government agencies) must meet in order to be awarded certain federal contracts. Whether you are a contractor interested in pursuing defense-related business opportunities or an IT professional interested in jobs in the cybersecurity field, familiarizing yourself with DoD Directives 8570 and 8140 is a great place to start.
A. The Inception of DoD Directive 8570
The catalyst for Directive 8570 stems from the federal government’s perceived vulnerabilities in technology and cyber-security threats to national security. With the increase in cyber-attacks and security threats to software and IT systems, DoD realized that its ability to protect the confidentiality of sensitive or classified information related to the government or military could be severely compromised. The purpose of Directive 8570 is to set best practices, to safeguard and govern data and information, and to increase the knowledge base of both government agencies and private federal contractors about how to prevent and defend against such attacks.
B. What is DoD 8570?
DoD Directive 8570 was established in 2005, in part, to ensure that all staff working with information security within DoD are properly qualified. This was accomplished by requiring members of staff to attain certain enterprise-wide baseline IT certifications tied to the tasks of specific job roles. DoD Directive 8570 requires every part-time or full-time military member or defense contractor with privileged access to a DoD information system to carry an approved certification for their particular job classification.
C. To Whom Does DoD Directive 8570 Apply?
Anyone working in the following jobs should be DoD 8570 compliant:
- Part-time and full-time military staff and DoD contractors;
- DoD employees involved in information security;
- Defense agencies;
- DoD Field Activities; or
- Any local national with privileged access to DoD systems performing information security functions.
D. What are the Baseline Certification Requirements?
DoD Directive 8570 established three levels of certification requirements for Information Assurance Management (IAM) and Information Assurance Technical (IAT) personnel. The DoD 8570.01-M manual lists the approved IT certifications that DoD uses to assess and manage its workforce. DoD information assurance and cybersecurity personnel must obtain one of the certifications listed for their job category and level. Job roles are divided into broad categories that have baseline level requirements:
- Information Assurance Technical (IAT) levels I, II and III;
- Information Assurance Management (IAM) levels I, II and III;
- Information Assurance Security Architecture and Engineering (IASAE) levels I, II and III; and
- Cyber Security Service Provider (CSSP) levels of Analyst, Infrastructure Support, Incident Responder, Auditor and Manager.
E. New DoD Directive 8140 – Cyberspace Workforce Management
Directive 8140 was signed by DoD representatives on August 11, 2015, and is designed to accommodate the evolving digital boom and technology advancements driven by the increased prevalence of such things as smartphones, cloud platforms, and wireless internet services, to name a few. Directive 8140 undertakes certain modifications to Directive 8570 to add more categories and redefine some others.
Directive 8140 was modeled on the National Institute of Standards and Technology (NIST) and National Initiative for Cybersecurity Education (NICE) standards. It further expands Directive 8570 by leveraging the Defense Cybersecurity Workforce Framework (DCWF) to add cyber personnel categories and additional work roles not included in the original Directive 8570.
Directive 8140 includes the existing IT certifications such as A+, Network+, Security+, and CISSP as well as newly approved baseline cybersecurity certifications, including CASP, CEH, and more. Directive 8140 also includes seven (7) broad categories, thirty-three (33) specialty areas and fifty-four (54) work roles. The categories include:
- Security Provision – may include IT jobs such as architecture and engineering (for example software and system development, information assurance compliance and security engineering);
- Operate and Maintain – may include customer service, IT support, network administration and maintenance services;
- Protect and Defend – defense against cyber-attacks, vulnerability assessment and incident handling and reporting;
- Analyze – includes network analysis, risk analysis, resource intelligence and exploitation analysis;
- Operate and Collect – includes cyber and collections operations, planning and implementation;
- Oversight and Development – pertains to legal consequences of conducting operations in the digital realm; and
- Investigate – includes investigations and forensics work as it relates to online security.
F. Who must comply with DoD Directive 8140?
It may be a few years before DoD publishes the manual for Directive 8140. For this reason, the DoD will, for the time being, continue using the Directive 8570 manual (called 8570.01-M). When a new Directive 8140 manual is released, it will most likely replace 8570.01-M.
One major change the DoD 8140 manual will likely bring is a focus on live, hands-on training exercises that give the cybersecurity workforce real-time practice in defending and securing classified networks, digital assets and information in the event of a cyberattack.
The following include some of the groups that may be required to be DoD 8140 compliant:
- Office of the Secretary of Defense;
- Military Departments;
- Chairman of the Joint Chiefs of Staff;
- Combatant Commands;
- Office of the Inspector General of the DoD;
- Defense Agencies;
- DoD Field Activities;
- Anyone performing IAT and IAM functions must be certified;
- Anyone in CSSP and IASAE roles must be certified; and
- All IA jobs require certification whether categorized as ‘Technical’ or ‘Management’ Level I, II, or III positions.
G. Takeaway for Federal Contractors
As cyber threats become more prevalent and sophisticated, federal contractors and IT professionals working at government sites will need to keep pace with the federal government’s evolving IT certification standards to ensure they are compliant. Many of the certification requirements are onerous and can be expensive to complete. Contractors should closely scrutinize contract requirements in this regard, particularly during the solicitation and bid phase to ensure they understand the cybersecurity certifications that their workers and company systems will be required to achieve and maintain.
C2 provides strategic HR outsourcing to clients who want to develop optimal workforce strategies and solutions to allow them to be more competitive and profitable. C2 blog posts are intended for educational and informational purposes only.