Given the signing of the DoD Directive 8140.01 on August 11, 2015, what is the impact on the DoD 8570.01-M?
The DoD Directive 8140.01, “Cyberspace Workforce Management,” reissues, renumbers, and cancels DoD Directive (DoDD) 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce. The DoD 8570.01-M governing the IA workforce certification program is still in effect. See Change 4 to DoD 8570.01-M dated November 10, 2015.
Is the DoD 8570.01-M titled Information Assurance Workforce Improvement Program still in effect?
Yes, DoD 8570.01-M will remain in effect until it is cancelled formally. The DoD Directive (DoDD) 8140.01, “Cyberspace Workforce Management,” dated August 11, 2015, is now the overarching governance document. DoDD 8140.01 reissued, renumbered, and canceled DoDD 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce.
The DoD Chief Information Officer (CIO) and other stakeholders are developing and will publish instructions and manuals to implement the policies in DoDD 8140.01. Until those policies are vetted and published, the DoD 8570.01-M policies and guidance are considered the most current. A copy of the current Manual is available on the DoD Publications website located at: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf
When will the DoD 8570.01-M go away?
DoD 8570.01-M should still be in effect until DoD implements new requirements through future qualification manuals developed for the cyber workforce. We anticipate there will be a transition period from the requirements of DoD 8570.01-M to the new requirements of future qualification manuals.
Why did the Information Assurance (IA) Workforce change to the Cybersecurity Workforce?
As the cyberspace domain continues to mature, DoD, the rest of the Federal Government, as well as the private sector have recognized that cybersecurity encompasses a much broader range of activities and responsibilities. Specifically DoD Instruction (DoDI) 8500.01 paragraph 1d states DoD adopts the term “cybersecurity” as it is defined in the National Security Presidential Directive-54, Homeland Security Presidential Directive-23. Cybersecurity incorporates the functions previously included under the IA umbrella. Thus, DoD is transitioning from the IA workforce to the Cybersecurity Workforce, which is a subset of the overall “Cyber Workforce” (also called the Cyberspace Workforce). In the interim, DoD 8570.01-M requirements are still identified as IA Workforce requirements.
What is the DoD Directive 8140.01?
The DoD Directive (DoDD) 8140.01 was officially signed August 11, 2015. It unifies the overall cyber workforce and establishes specific workforce elements (cyber effects, cybersecurity, cyber information technology (IT), and intelligence (cyber)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements. It authorizes establishment of a DoD Cyberspace Workforce Management Council with representation from the Offices of the DoD CIO, Under Secretary of Defense for Personnel and Readiness (USD(P&R)), Under Secretary of Defense for Policy (USD(P)), Under Secretary of Defense for Intelligence (USD(I)), the Joint Staff, the Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS), and other DoD Components
The DoDD 8140.01 does NOT address operational employment of the work roles. Operational employment of the cyberspace workforce will be determined by the Joint Staff, Combatant Commands, and other DoD Components to address mission requirements.
How does the DoD Directive 8140.01 affect me as an IA professional? Does my job change?
There are no changes to the IA job descriptions within the DoD 8570.01-Manual, which is still in effect.
Do I still have to be certified in accordance with the DoD 8570.01-M?
How can I get a copy of the DoD 8570.01-M?
For a copy of the manual, DoD 8570.01-M, check the DoD Issuances Website at http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf
I have a version of the DoD 8570.01-M, with some words in red font or crossed out. Is this a draft?
No. It is Washington Headquarters Services (WHS) policy that any change to an existing DoD policy be designated by red strike through for deleted text and red italics for new text. Though the DoD 8570.01-M may have the appearance of a draft document or one written with its changes tracked, it is actually finalized and published policy.
Do I need any special training on how to implement DoD 8570.01-M?
No. Neither you, nor your organization, need special training regarding the implementation of DoD 8570.01-M. Furthermore, the DoD has not sponsored or required any commercial DoD 8570.01-M implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.01-M implementation.
What do you mean by Computing Environment, Network Environment, or Enclave?
Computing Environment, Network Enclave and Enclave essential to understand in order to use the DoD 8570.01-M to code and qualify your cyber workforce. These terms are based on basic system architecture not on base, station, or command structure.
Appendix 1 of the DoD 8570.01-M contains definitions for each of these environments. Specifically:
- Computing Environment (CE). A CE has a server with multiple stations working from it. The stations can be standard computers, remote sensors, satellite feeds, etc.
- Network Environment (NE). Examples of possible networks in the basic enclave include Operations Networks, Logistics Networks, and Human Resources networks connecting to a Component Enclave. Each network consists of at least one Computing Environment.
- Enclave. An enclave consists of at least two networks controlled by the enclave security policy and procedures.
How can I identify who is in the IA Workforce?
The Information Assurance Workforce, Workforce Improvement Program (IA WIP) is a workforce management program. The key to workforce management is the position. All positions required to perform IA functions must be identified. Any person filling that position is automatically part of the Cyber or IA Workforce whether it is full-time, part-time, or an embedded duty, whether it is their primary specialty, secondary specialty, or just another duty as assigned.
The DoD 8570.01-M establishes the basic identification requirements. The current version of the Manual has two categories, IA Technical (IAT), and IA Management (IAM). The Manual also has two specialties, Cyber Security Service Provider (CSSP) and IA System Architects and Engineers (IASAEs). These categories and specialties are subdivided into levels, each based on functional skill requirements and/or system environment focus (see DoD 8570.01-M Chapters 3, 4, 5, 10, and 11).
The IAT and IAM categories have levels I, II, and III, based on where the position is located within the overall information system architecture (see Diagram below). Each level of architecture is specifically defined in the Manual. For example, the Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the “IA Level” is related to the system architecture, not to an individual’s grade or experience. Also see the Diagram under “What do you mean by Computing Environment, Network Environment or Enclave?” FAQ.
Chapters 3, 4, 5, 10 and 11 of DoD 8570.01-M list IA functions for each level within a category. Positions/personnel required to perform any of these functions are part of the IA workforce.
The IASAE specialty has levels I, II, and III, also based on where the position is located within the overall information system architecture. The CSSP specialty levels are tied to functional positions, i.e., Analyst, Infrastructure Support, Incident Responder, Auditor, and Manager.
How do I identify the IAT workforce?
Two basic questions can help identify IA Technical (IAT) positions:
- Does the position require privileged access to a DoD Information System Computing, Network, or Enclave environment?
- Does the position include any of the functional requirements listed in Chapter 3 of DoD 8570.01-M for that level of the information system architecture?
- If the answer to both #1 and #2 is yes, the position is an IAT position.
- If the answer is no to both, then it is not an IAT Position.
- If the answer is yes to #1 and no to #2, it is not an IAT position.
- If the answer is no to #1 and yes to #2, it may be an IAM or other IA position
How do I identify the IAM workforce?
Two basic questions can help identify IA Management (IAM) positions:
- Does the position have responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment?
- Does the position include any of the functionslisted in Chapter 4 of DoD 8570.01-M for that level of the information system architecture?
- If the answer to both #1 and #2 is yes, then the position is an IAM position.
- If the answer is no to both #1 and #2, it is not an IAM position.
- If the answer is yes to #1 and no to #2, it is not an IAM position.
- If the answer is no to #1 and yes to #2, it may be an IA position but not an IAM position as currently defined in the Manual.
Under DoD’s Risk Management Framework, there is no longer a Designated Approval Authority (DAA). How do we account for the Authorizing Official (AO) in the former DAA role?
Under the DoDI 8510.01 Risk Management Framework for DoD Information Technology, the DAA is now referred to as the AO. The AO is appointed, usually a senior leadership position within the business or mission owner organization. Specifically, the AO is the senior official who has responsibility for operating and ensuring that the information systems and platform information technology, or PIT, systems and IT services and products under their authority operate securely.
Whenever possible, refer to the former DAA position as the AO position and the person filling the position as the AO.
DoD Authorizing Official (AO) Training
How do I report personnel who are filling one or more IA positions?
The answer to this question depends on the purpose of the report and the organizational relationships. Whereas there were multiple reporting requirements in different systems in the past to satisfy the annual reporting requirement of the DoD 8570.01-M, there has been consolidation over the past few years using FISMA reporting. Please note there are further changes under discussion which aim to clarify Cyber Workforce reporting requirements and comply with DoD 8570.01-M. Thus, Cyber workforce reporting requirements will be promulgated separately.
Do the training and certification requirements specified in DoD 8570.01-M replace Component, command or community-specific training and certification requirements?
No. The DoD 8570.01-M provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with relevant Component, command, or community specific requirements for IA training and/or certification.
Components may require personnel performing IA job functions to complete specific certificates or certifications in addition to those identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component-specific requirements.
Do the National Unions support these requirements?
Yes. As part of the DoD’s formal staffing process, USD P&R conducted a “national consultation” (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or were supportive of the IA WIP.
What role can the local unions play in the IA WIP?
The National Consultation Rights (NCR) does not absolve local parties from fulfilling their local bargaining obligations as appropriate prior to implementation of DoD policy. They can participate in the planning for meeting the IA WIP requirements for the DoD civilian IA Workforce. The local union cannot negotiate the actual implementation requirements.
- Who needs to be certified is non-negotiable.
- Order/priority to certify the local IA Workforce may be negotiated.
- The number of retests the organization will fund may be negotiated.
What are the approved DoD 8570.01-M IA baseline certifications?
The most up-to-date listing of approved IA baseline certifications can be found on the DISA Cyber Exchange website.
Who needs to be certified?
Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. DoD 8570.01-M defines IAT workforce members as anyone with privileged information system access performing IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual.
The training, certification, and workforce management requirements of DoD 8570.01-M apply to all members of the DoD IA workforce including military, civilians, local nationals, Non-appropriated fund (NAF) personnel, and contractors. The requirements apply whether the duties are performed full-time, part-time, or as an embedded duty.
Certification requirements also exist for members of the workforce who perform system design functions such as System Architecture and Engineering (IASAE) and Cyber Security Service Providers (CSSP). See Chapters 10 and 11 of the Manual for more information on these positions and their requirements.
What are the contractor certification requirements?
Contractors performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.01-M for the category and level functions in which they are performing. Contractors shall obtain the appropriate DoD-approved IA baseline certification outlined in Chapters 3, 4, 10 and 11 prior to being engaged. Contractors have up to six months to obtain the rest of the qualifications for their position. See Appendix 3 to the DoD 8570.01-M
- The contracting officer will ensure that contracting personnel are appropriately certified. In the future they will need to provide verification to the Defense Eligibility Enrollment System (DEERS).
- Components should not pay for contractors to obtain/retain required certifications. However, Components may provide additional training on local or DoD specific system procedures. (See “Has the DoD developed standard contract language for IA WIP requirements?” FAQ for additional guidance on contractor implementation requirements.)
Who pays for the certifications?
DoD Components should individually budget and pay for DoD military and civilian IA Workforce members’ required certifications and include IA WIP sustainment requirements in their budget plans.
The Government does not pay for contractor certifications or certification preparation training.
(Reviewed October 17, 2017)
If I am new to the IA Workforce, how long do I have to become certified?
DoD 8750.01-M states Six months. Please refer to specific jobs identified within the manual.
What can I do to prepare for certification requirements?
Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD training available internally (e.g., Service Schoolhouse courses, DISA web-based training) or external training currently supported by your Component for courses with learning objectives directly aligned to the IA baseline certifications outlined in DoD 8570.01-M. Contact your Component’s IA Workforce Office of Primary Responsibility Points of Contact (OPR POC) for more information.
Do I have to take the training associated with a certification, or can I just take the test?
As specified in DoD 8570.01-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a “pre-test” or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.
(Reviewed October 17, 2017)
What is the DWCA?
DWCA stands for Defense Workforce Certification Application. This is the authoritative database of DoD Military, Civilian and Contractor personnel who hold active DoD 8570.01-M certifications used by the DoD CIO office to validate, monitor and report on the certification status of certified IA workforce members.
Once I become certified, what do I do?
The Department of Defense Workforce Certification (DWC) application has moved to milConnect. In order to access DWC, please login to milConnect portal using your CAC. Navigate to DWC by clicking the ‘Correspondence’ tab and selecting DWC (https://www.dmdc.osd.mil/milconnect).
In addition to registering your IA baseline certification in the DWCA, you should also notify your Component’s IA Workforce personnel point of contact (POC) to make certain that your certification status is properly documented in all your Component’s personnel databases of record. The Manual also requires IATs to obtain a local operating system certificate in addition to the IA baseline requirements. Your Component POC should be able to assist you in identifying and meeting any additional requirements of your Component.
You will need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.
I already hold a certification listed in DoD 8570.01-M, what more will I need to do?
The Department of Defense Workforce Certification (DWC) application has moved to milConnect. In order to access DWC, please login to milConnect portal using your CAC. Navigate to DWC by clicking the ‘Correspondence’ tab and selecting DWC (https://www.dmdc.osd.mil/milconnect). You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.
(Reviewed October 17, 2017)
If I fail a certification can I retake the exam?
Yes. The DoD 8570.01-M does not set a limit on the number of times a person may attempt to qualify for certification. Components must support at least one retest attempt but may enforce a limit on the number of additional retests they will fund. If the individual’s Component has set a limit on the number of retest attempts, individuals may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements such as the background investigation, OJT, etc.).
Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?
Yes. Chapter 101 of Title 10, United States Code has been amended to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. Whether or not the service has appropriated funding for commercial certifications is up to each component.
(Reviewed October 17, 2017)
What qualifies as “continuous learning”?
Continuing education requirements and acceptable continuous learning activities vary based on certification provider. Certification providers determine the specific training and other activities that qualify for continuous learning credit. The minimum continuous learning requirement for certifications included in DoD 8570.01-M is 40 hours annually or 120 hours over a three-year period. Contact your certification provider to find out more.
The DoD 8570.01-M talks about CND-SP categories, but there are no CND-SP Baseline Certifications, and the Table of Approved Baseline Certifications has CSSP categories and certifications. Are the CSSP categories the same as the CND-SP categories? Are the CSSP baseline certifications valid for the CND-SP certifications?
The DoD 8570.01-M CND-SP categories are the same as the CSSP Categories, and the certifications in the Table of Approved Baseline Certifications are valid. On the CyberEx website, the names were changed from CND-SP to CSSP to reflect current terminology in the DoD Instruction 8530.01 “Cybersecurity Activities Support to DoD Information Network Operations.
I had the CCNA Security, but Cisco recently converted it to CCNA. Is this still a valid certification for 8570 or 8140?
The DoD Deputy CIO for Cyber Security issued a waiver for those DoD civilians, military and contractors who had a valid CCNA Security for an 8570 designated position. The waiver can be found in the Cyber Workforce Management Program >> Documents Library
Point of Contact Questions
I want more information, who can I talk to?
For more information about the DoD 8570.01 Manual, contact the Office of the CIO Cyber Workforce
How do I submit suggestions or new ideas for inclusion in the IA WIP?
DoD 8570.01-M established the DoD IA Workforce Improvement Program Advisory Council as well as sub-committees focused on training, workforce management, and certification. The Council keeps the requirements of the IA WIP current by making appropriate updates and improvements. Each major DoD Component is represented by at least one voting member to the Council. Each representative has the role of gathering input from their Component’s IA Workforce to submit to the Council. Contact your Component’s Office of Primary Responsibility (OPR) Point of Contact (POC) to provide direct feedback.
(Updated December 30, 2015)