Top priority questions:

Ø      What is DoD Directive 8570.1?

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual, currently in formal coordination, identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Much of the Directive addresses workforce management issues. Components must identify and document in personnel and manpower databases, IA personnel and positions and make certain that IA personnel meet training and certification requirements related to their job functions.

The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.

Ø      What is the status of the Manual (DoD 8570.1M)?

The Manual is currently in formal SD106 coordination (the process that collects comments from Services, COCOMs and Principle Staff Activities (PSA).) Most DoD organizations have concurred with the Manual. The Office of the Assistant Secretary of Defense for Networks and Information Integration (ASD NII) Defense-wide Information Assurance Program Office (DIAP) is in the process of responding to the many comments that have been provided. The next step following the SD106 coordination is to submit the draft for federal government union review. Upon completion of the review, the Manual will be updated and submitted to ASD NII for signature. The Manual is scheduled to be published by the end of October 2005. For a draft copy of the Manual, DoD 8570.1M, please contact the IASE Helpdesk.

Ø      Do I need any special training on how to implement DoD 8570.1? (I have received e-mails from commercial activities stating that I must attend a mandatory training session on implementing DoD 8570.1)

No. Neither you, nor your organization needs special training regarding the implementation of DoD 8570. Furthermore, the DoD has not sponsored or required any commercial 8570.1 implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.1 implementation.

Ø      What support can the Office of the Secretary of Defense for Networks and Information Integration (ASD NII) offer to Components to plan for 8570 implementation?

The ASD NII Defense-wide Information Assurance Program (DIAP) is available to provide briefs and workshops to support Components’ 8570 implementation planning. You are strongly encouraged to work within your Component Human Resources and IA operations leadership chains to establish a plan for meeting the requirements outlined in DoD 8570.1.

The Annual DoD IA Workshop being held in January 2006 in Philadelphia will include a track devoted to training, certification, and workforce management initiatives.

Ø      Who needs to be certified?

Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged system access performing IA functions. IAM functions described in the Manual are for any information system, program or organization. The training, certification, and workforce management requirements of 8570.1 apply to all members of the DoD IA workforce including military, civilians, foreign nationals, local nationals, and contractors. They apply whether the duties are performed full-time, part-time, or as an embedded duty. Future updates to the Manual will incorporate additional portions of the IA workforce

Ø      Once the Manual is signed, how long until I have to become certified?

If you are performing IA functions outlined under the technical or management categories in the DoD 8570.1M Manual, you will need to meet the DoD baseline certification requirement. In addition to being certified to the appropriate baseline certification, you will need to complete the continuous learning requirements associated with a specific certification to maintain your certified status.

Components and Agencies are required to have all identified IA personnel certified to the baseline requirement within four years of the Manual being published (currently planned for October 2005.) The Manual requires 10 percent of the IA workforce to become certified the first year and an additional 30 percent each year after that. At the end of year four all personnel performing IA functions must be certified.

Ø      What can I do now to prepare for certification requirements?

Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD internally available training (e.g.,, Service Schoolhouse IA courses, DISA web based training) or external training currently supported by your Component for courses with learning objectives directly aligned to baseline certifications outlined in the Manual.

Ø      What can my Component do to prepare for requirements? 

Components should identify personnel performing IA functions and identify positions with IA responsibilities. Upon identifying the workforce and positions, Components are encouraged to establish a plan for IA personnel to be trained and certified within the established implementation timeframe of four years following the Manual being published (currently planned for October 2005.)

Ø      I want more information, who can I talk to?

For more information about DoD Directive 8570.1 and the enterprise-wide training and certification initiative, contact the IASE Helpdesk.

Ø      How can I get a copy of the Manual?

For a draft copy of the Manual, DoD 8570.1M, please contact the IASE Helpdesk.

Ø      Will the training and certification requirements specified in DoD Directive 8570.1 and the 8570.1M manual replace Component or community specific training and certification requirements?

No. Directive 8570.1 is providing an enterprise-wide IA knowledge and skill baseline. You still must comply with Component/community specific requirements for IA training and certification.

Ø      I am already certified, what more will I need to do?

If you already hold a certification(s) listed in the DoD 8570 1.M Manual, notify your respective personnel point of contact once the manual is signed to make certain that your certification status is documented in the appropriate personnel database of record.

You also will need to maintain your certification status by completing continuous learning requirements as defined by the organization providing your certification (e.g., ISC², ISACA, CompTIA, etc.). Note that all certifications included in the Manual currently do require or will require in the near future, continuous learning as part of their certification requirements. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.

Your Component may require personnel performing IA job functions to complete specific certifications identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component specific requirements.

Ø      Do I have to take the training associated with a certification, or can I just take the test?

If you perform job functions outlined in one of the technical or management categories outlined in the Manual, you will need to pass a certification test for a specified certification. Under DoD Directive 8570.1, you will not be required to take specific training to prepare for the certification test.

However, your Component may require you to complete specific certifications identified in the Manual. They may also require you to hold additional certifications or to complete additional training. Once the manual is published, confirm with your direct supervisor and/or IA leadership that you are meeting the appropriate Component specific requirements.

Ø      Can DoD use appropriated funds for military personnel to take commercial certification exams?

Legislation is currently in Congress to amend Chapter 101 of Title 10, United States Code, to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. It is expected to be included in the FY06 DoD Appropriations Bill. If passed by Congress, the law would give uniformed personnel parity with civilians.

Ø      What will qualify for continuous learning?

The minimum continuous learning requirement for certifications included under DoD 8570.1M is expected to be 120 hours over a three-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, ASD NII is working with certification providers to identify proposed activities that would qualify for credit. Examples of what is likely to be acceptable include completion of DISA IA distributive training products and participation in certain DoD IA conferences, workshops, and exercises.