DoD Directive 8570.1 Changes Everything

Last night I attended my local ISSA-NoVA meeting. I listened to Steven Busch from the Defense-wide Information Assurance Program (DIAP). He is a "Change and Workforce Management Senior Managing Consultant" with IBM working on implementing DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management", which I mentioned yesterday. He's also a Marine. (Notice I said "Marine," not "ex-Marine." Even though Mr. Busch is no longer in uniform, I recognize there are no "former Marines.")

I will try to summarize what I heard, with the expectation that Mr. Busch's slides will be posted at the ISSA-NoVA Web site soon. I managed to get related material from this earlier briefing (.pdf, slow). There's also a summary at (ISC)2.

The vision for 8570.1 is the following:

A professional, efficiently managed IA workforce with knowledge and skills to securely configure information technology, effectively employ tools, techniques and strategies to defeat adversaries, and proactively identify and mitigate the full spectrum of rapidly evolving threats and vulnerabilities in order to protect the network.

After reading my comments, you may agree that the implementation of 8570.1 will not meet this vision.

8570.1 will apply to anyone with privileged access (e.g., system administration) to DoD systems, to include uniformed military personnel, civilians, and contractors. The following chart summarizes 8570.1 (incorrectly called "8570" below) and 8570.1-M, the Manual which was signed on 19 December 2005 and provides implementation guidance.



Essentially, to administer a DoD system, military, civilian, and contractor operators will have to attain these goals:

1. Vendor-neutral security certification


2. Vendor-specific platform certification


3. On-the-job training

Before I discuss the approved certifications, let's look at the people affected by these requirements.



The slide shows two existing tracks. One is an IA Technical Category (for system and network administrators) and the other is an IA Management Category. Now let's see the certification list as displayed last night.



The Tech I and Management I categories are the bottom of the pyramids shown previously, while the IIIs are the top of the pyramids.

Let's break out those acronyms, since I didn't recognize all of them. First, the certifications for technical people:

• A+: CompTIA's basic system administration cert


• Network+: CompTIA's basic network administration cert


• TICSA: TruSecure ICSA (formerly International Computer Security Association) Certified Security Associate; never encountered this before


• SSCP: Systems Security Certified Practitioner, an (ISC)2 certification that just received ANSI accreditation -- a requirement for all of the vendor-neutral certifications


• GSEC: GIAC (Global Information Assurance Certification, formerly Global Information Assurance Center) Security Essentials Certification, a SANS entry-level certification


• Security+: basic security; why is Security+ here, and come to think of it, why is A+ and Network+ listed earlier for security certifications?


• SCNP: Security Certified Network Professional, offered by the Security Certified Program; never even heard of them


• CISSP: Certified Information Systems Security Professional from (ISC)2, which is also ISO/IEC 17024 certified. All of these certifications need to be ISO compliant, but I do not think they all presently are compliant.


• SCNA: Security Certified Network Architect, another SCP cert I've never seen before


• CISA: Certified Information System Auditor, offered by the Information Systems Audit and Control Association (ISACA); also ANSI-certified.


• GSE: GIAC Security Expert; this is a SANS cert held by five people. It is absolutely ridiculous to put the tech-less CISSP in the same category as the GSE, which requires "five intermediate level GIAC certifications" and "3 days of testing!"

Here are the certifications for managers, only listing those not covered above:

• GSLC: SANS GIAC Security Leadership Certification


• GISO: SANS GIAC Information Security Officer; this is already obsolete, replaced by the GSLC or GISF


• CISM: Certified Information Security Manager, another ISACA cert

The list will not necessarily be used by everyone in DoD. The DoD components can choose the certs on this list that they will accept. They cannot independently add certs to the list, although the oversight board managing this program for DoD can add new certs in the future.

You are probably wondering about the vendor-specific certification requirements. Mr. Busch explained that if a person administers Microsoft systems, they will need Microsoft certification. If they are a Cisco network admin, they will need Cisco certification. He admitted they have "not done much" yet in this area.

Earlier I reported on this story which inaccurately states the following:

[DoD] requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

That is patently not true. When I first read that statement, I thought I understood why Alan Paller was upset. Now that I see there are some SANS certifications accepted by DoD, I realize he is more upset by DoD's choice of certifications. I agree with him.

Essentially, if you have your CISSP, you have the "golden ticket" for technical or managerial work in DoD. While that might be appropriate for management, it is absolutely worthless for operators. This DoD program is not going to result in any better security if the emphasis is placed on certs that have little or no technical relevance.

There may be benefit to having vendor-specific certs. Someone responsible for administering Solaris, Red Hat, or Cisco products are probably going to benefit from those programs. Unfortunately, DoD seems to be treating these programs as an afterthought.

One audience member asked Mr. Busch what he should tell an admin he knows that works on Oracle, Microsoft SQL, Solaris, and slew of other applications and operating systems. Mr. Busch replied "Most DoD components don't have that many OS' in one environment." This will be a real shock to the people on the front lines!

DoD plans to collect "IA performance data" to "measure the effectiveness" of this program. I would like to see if the people they consider "certified" (and they want 10% of the force ready by 30 Dec 06) are any more capable than the uncertified crowd.

I also wonder why DoD didn't leverage the CERT®-Certified Computer Security Incident Handler (CSIH) certification program. It's practically DoD already, is vendor-neutral, has been around for a long time, and appears to cover the subjects I would want to see in DoD security people.

There are some aspects of this program that I think are beneficial, without reservations. Mr. Busch said DoD is trying to include IA training within Professional Military Education, such as that found at the war colleges. This is a great idea and I would be interested in helping with that program. People with IA certifications will also be tracked DoD-wide, and IA will be treated less as an "additional duty" and more of a professional obligation.

Crucially, Mr. Busch recognizes that receiving training helps retention. Someone during the ISSA meeting asked what DoD will do when it trains its people and then watches them separate from the service. That attitude absolutely infuriates me. The alternative means keeping untrained people in place, because they have no marketable skills? That is completely idiotic. I argued with a colonel at the Pentagon about this when I was a captain.

I would like to hear your thoughts on this program. Overall, I think the intentions are good, but the selection of certs is on the whole misguided. I also hope to hear more details from Alan Paller, who seems to have a good grasp on this issue.