Information Assurance Workforce Frequently Asked Questions
Published, September 9, 2009
The following is a list of questions that are frequently asked of the Department of the Navy Chief Information Officer Information Technology Workforce Team for compliance with:
1. What is DoD Directive 8570.1?
DoD Directive 8570.1 provides an enterprise-wide mandate to manage, train and certify the DoD Information Assurance (IA) workforce. The policy requires Information Assurance Technical and Management personnel, Computer Network Defense Service Providers and IA Architects and Engineers to be trained and commercially certified to a DoD baseline requirement. The directive’s accompanying manual identifies the specific certifications approved to meet the Defense Department's standard. Furthermore, the directive requires the DON leadership to identify and document in personnel/manpower/training databases, all IA positions and personnel with their accompanying certification.
The ultimate vision of the directive is a sustained, professional Cybersecurity/IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information,
information systems and information infrastructures. The manual maps training to functions, but
does not propose or change specific job titles or roles.
DoD 8570.01 Manual was signed 19 December 2005, by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII) and is compulsory for all DoD organizations to comply with its requirements.
DON IA Workforce Managers and Training Officers use the DoD 8570.01-M requirements as the IA training baseline. However, in addition to the baseline standards the Navy and Marine Corps IA training commands will meet the Committee on National Security Systems Instruction (CNSSI) training requirements. The Navy's Center for Information Dominance and Marine Corps Communication-Electronics School are revising course curricula to integrate CNSSI and commercial certifications.
2. Is there DON level instruction to carry out the DoD Directive?
SECNAVINST 5239.3B of 17 June 2009, "DON Information Assurance Policy," and SECNAV M-5239.2 of 29 May 2009, "The DON IAWF Management Manual to Support the IA Workforce Improvement Program," provide direction and guidance for Department of the Navy IA Workforce Management. The Navy and Marine Corps promulgated additional implementation guidance through numerous official messages.
3. Who needs to be certified?
Personnel with "privileged access" working in Information Assurance Technical (IAT) environments and IA Management (IAM) personnel with significant IA tasks, CND SP and IASAE must be fully trained and certified to baseline requirements to perform their IA duties. The 8570.01-M training, certification and workforce management requirements apply to all members of the DoD IA workforce including military, civilians and contractors whether the duties are performed full-time, part-time or as an embedded duty. To determine DON Cybersecurity/IA job roles and certification requirements refer to SECNAV M-5239.2.
4. How long until I have to become certified?
If you are performing IA functions outlined under the technical or management categories in the DoD 8570.01-M, you will need to meet the DoD baseline certification requirement as soon as possible. In addition to being certified to the appropriate IA baseline certification, if you are filling a technical function you will need to hold an Operating System/Computing Environment certification and also complete the continuous learning requirements associated with a specific certification to maintain your certified status.
DON is required to have all identified IA personnel certified to the baseline requirement by the end of Calendar Year 2010 or 2011 as specified by 8570.01-M. At 31 Dec 2009, the DON must have 70 percent of the management and technical workforce and 40 percent of the CND SP and IASAE certified.
5. What can I do now to prepare for certification requirements?
Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete available training (e.g., E-Learning, Service Schoolhouse IA courses, commercial courses and virtual training environment). If you have already matriculated through Navy and Marine Corps school house training, you should plan to take a commercial course refresher via NKO or MarineNET. Both service E-learning and the Carnegie Mellon Virtual Training Environment is available at no cost to the Marine, Sailor or civilian, but should be suited to your IA level and functional requirement and approved by your supervisor.
For Marines/Sailors/civilians who have taken earlier classroom training, go to Navy E-Learning or MarineNET to take the e-learning course that supports the appropriate Commercial Certification test. Once the refresher is completed, personnel may take the pretest/test at any time with Command approval. DoD 8570.01-M requires on-the-job training, which may be satisfied by Personnel Qualification Standards (PQS).
Personnel who have not received sufficient training should discuss training possibilities with their mentors. Most of the certification tests warrant classroom and/or robust e-learning; both supplemented with on-the-job training.
6. What can my organization do to prepare for requirements?
Commands should identify personnel performing IA functions and identify positions with IA responsibilities. DON CIO msg 092050Z Mar 09: "Information Assurance And Computer Network Defense Workforce Improvement Program Implementation Status And CY 2009 Action Plan" tasks the services to comply. This annual DON CIO message was supplemented by NETWARCOM and HQMC C4 direction on meeting this requirement. 1) MARADMIN 638/08: DTG: 181637Z Nov 08, CMC Washington DC C4 IA// SUBJ/MCBUL 5239, "Information Assurance Workforce Identification, Tracking, Monitoring and Reporting;" or 2) NETWARCOM msg 091353Z Jul 09 - ALCOM 118/09 - "Navy Guidance For CY 2009 Navy Information Assurance Workforce." The intent of this data collection is to identify all personnel performing IA functions whether or not their functions are specifically called out in 8570.01-M.
7. I am already certified, what more will I need to do?
If you already hold a certification(s) listed in the DoD 8570.01-M, make certain that your certification status is documented in Defense Workforce Certification Application (DWCA): ( https://www.dmdc.osd.mil/appj/dwc/index.jsp); notify your respective personnel point of contact to ensure the appropriate service database of record holds your data. Your Command IAM, in cooperation with the administrative office, will be tasked to ensure your data is documented in Navy or Marine Corps specific IAWF Management Systems.
You, also, will need to maintain your certification status by completing continuous learning requirements as defined by the organization providing your certification (e.g., ISC2, ISACA, CompTIA, etc.).
8. Do I have to take the training associated with a certification, or can I take the test?
You will not be required to take specific training to prepare for the certification test. However, by DON policy you will need to demonstrate that you are prepared to take the commercial certification test. Confirm with your direct supervisor or IA leadership that you are categorized at the right level and take a pretest prior to the exam. If you pass the pre-test by 80 percent you may be ready to take the actual certification exam and can request a test voucher. Navy personnel go to https://www.cool.navy.mil and request a free test voucher through the Credentials Program Office. Marine Corps personnel should request a voucher through the Marine Corps Communications Training Centers at firstname.lastname@example.org.
9. What organization bears the cost of the training and examination fees?
As this is a DoD requirement the military and civilian commercial certification testing will be paid for by the government. Under no circumstance should an IAWF professional pay for a test voucher or a sustainment fee. These are paid by the enterprise to reduce cost.
Professionals should utilize e-learning strategies, with mentors and labs, as much as practical, since this training is "no cost" to the individual command.
10. Is there an automated system that I can use to identify and track my IA Workforce?
All civilian information should be input into the Defense Civilian Personnel Data System (DCPDS). Navy information should be aligned to Total Force Manpower Management System (TFFMS) and Marine Corps information is tracked in the MC TECOM Information Management System (MCTIMS). All Navy military, civilian and contractor information will be aggregated in the Total Workforce Management System (TWMS). All IAWF personnel must release their IA certification status through registration in the Defense Workforce Certification Application (DWCA) database at the web site noted above.
11. What will qualify for continuous learning?
The minimum continuous learning requirement is 40 hours a year. The DON Training POCs, along with Commercial Certification providers, determine the specific training and other activities that qualify for continuous learning credit or Continuing Professional Education (CPE). Examples of what is likely to be acceptable include completion of DISA IA distributive training products and participation in certain DoD IA conferences, workshops, simulations, and exercises. Additionally, personnel matriculating toward a college degree will be able to use their college credits to count toward continuing education. Refer to SECNAV M-5239.2 for complete listing of authorized CPE.
12. What are the contractor certification implementation requirements?
Any contractor performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.01-M for the category and level functions they are performing. See Defense Acquisition Regulations System, 48 CFR Parts 239 and 252, RIN 0750–AF52, Defense Federal Acquisition Regulation Supplement; Information Assurance Contractor Training and Certification (DFARS Case 2006–D023.) Requirements from the Manual include:
Effective immediately, ensure that all new contracts, contracts up for renewal, or modified contracts that require performance of IA functions comply with the certification and reporting requirements of the manual. Contractors also must meet the security clearance requirements.
For new contracts awarded after publication of the DoD 8570.01-M (December 19, 2005) contractor personnel supporting IA functions in Chapters 3, 4, 10 and 11 shall be appropriately certified prior to being engaged. The contracting officer will ensure that contracting personnel are appropriately certified and provide verification in assist visits. Additional training on local or system procedures may be provided by the DoD organization receiving services.
13. What support does the DON CIO offer to the services to plan for 8570 implementation?
DON CIO supports 8570.1 Implementation by chartering the IA Workforce Management Oversight and Compliance Council (IAWF MOCC). The MOCC is a "thought leadership" forum for development/refinement of enterprise workforce processes, plans and procedures. The MOCC executive board consists of DON CIO, OPNAV N2/N6, Navy Network Warfare Command, HQMC C4 IA and CP Divisions. The IAWF MOCC leadership will work with the Human Resources, Manpower/Personnel/Training, and IA operations leadership to establish a plan for meeting the requirements outlined in DoDD 8570.1, DoD 8570.01-M, SECNAVINST 5239.3B and SECNAV M-5239.2. See the IAWF MOCC Charter.
14. I want more information, who can I talk to?
For DON IA workforce management enterprise issues contact: