Home > DoD-Military > DoD Instruction 8570

DoD Instruction 8570

DoD 8570.01-M, the DoD Information Assurance Workforce Improvement Program ( IA Training ) provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance functions in assigned duty positions.

Enlist Hyperlearning Technologies to be your one-stop-training service provider for 8570 training compliance. Give our Training consultant, Kathleen Morelli, a call at (757) 495-0714. Kathleen has many years of experience in managing computer training needs for DoD components and military-industrial-complex contractor companies.

We provide training for all of the military, commercial, and municipalities within the Southeastern Virginia Military complex surrounding Hampton Roads and Tidewater Virginia - including US Navy, US Army, US Air Force components at NOB / Naval Station Norfolk, NAS Oceana, NAB Little Creek, Fleet Combat Training Dam Neck, Ft Story, USAFB Langley, Ft Monroe, Fort Eustis, Naval Weapons Station ( NWS ) Yorktown, Joint Forces training center Portsmouth VA, and others.

The full DoD directive 8570 can be read or downloaded online.

If you have anything to do with SIPRNET, NIPRNET, or any DoD computer system or network, which hosts DoD Personnel or Medical records, you are probably REQUIRED to comply with this mandate. This is a DoD wide mandate, so that includes all .mil network components; US Army ( USA ), Defense Information Systems Agency ( DISA ), National Security Agency ( NSA ), Office of the Secretary of Defense ( OSD ) / ( OUSD ), US Navy ( USN ), Navy Individual Augmentee Combat Training ( NIACT ), US Coast Guard ( USCG ), US Air Force ( USAF ), National Guard, and most of the DoD "alphabet soup" of acronyms.

Compliance can ONLY be met by computer training and accredited computer CERTIFICATIONS. A+ and N+ are required for most DoD IT trusted positions, and S+ is required for mid-level trusted DoD positions. Our Information Assurance Support Environment (IASE) programs provide a one-stop-shop for Contractor Off the shelf ( COTS ) IA compliance training and IA certifications.

Let HyperLearning Technologies create a DoD 8570.01 M compliant training program for you, which will meet these Dod Information Assurance Certification Requirements at the lowest price per certification. (Before you consider other offers, ask yourself - "but will it result in the required certifications?") Our Information Assurance Support Environment (IASE) programs provide a one-stop-shop for Contractor Off the shelf ( COTS ) IA compliance training and IAT certifications.

About the DoD 8570.01-M DoD Information Assurance Workforce Improvement Program timeline:

This Document, which was actually mandated as a requirement on ALL DoD components on Dec 19, 2005, is just coming into focus, because the DoD 8570.01 M included a phased plan, which include mostly planning and budgeting for the first year (FY 2006). FY 2007 actually requires 1/3 of the on-board personnel to be certified, and ALL NEW HIREs to be certified by the end of FY 2007. [FY 2007 ends 31 OCT 2007.] The phase-in plan mandated in DoD 8570.1 M training is:

  • The first year provides time for the identification of specific requirements to support budget and staffing planning, and to certify the initial 10 percent of the Information Assurance (IA) workforce. The next three years provide time to bring the full IA workforce into compliance with the requirements in phases. Thirty percent of the workforce must come into compliance each yearr
  • Year One (FY-06): Identify IA workforce positions, fill 10 percent of the IA positions with certified personnel. Develop budget to support follow-on implementation years two - four.
  • Year Two: Fill a total of 40 percent of the IA positions with certified personnel.
  • Year Three: Fill a total of 70 percent of the IA positions with certified personnel.
  • Year Four: All IA positions are held by trained and CERTIFIED personnel.
  • Thereafter, all incumbents and new hires must be trained, certified, and recertified in accordance with the DoD 8570.1-M Manual. Individuals performing IA functions and who are DoD employees or contractors on the effective date of this Manual [ DoD Instruction 8570.01-M ] have up to four years to comply with the certification requirements. New hires’ qualification periods begin the date they start in the position (i.e., they must obtain the appropriate certification within six months of being assigned to IA functions). Waivers will not extend beyond six months and must include an expiration date. New contract language must specify 8570.1M certification requirements. Existing contracts must be modified.

Purpose of DoD 8570.1 M:

It identifies and categorizes positions and certification of personnel conducting Information Assurance (IA) functions within the DoD workforce supporting the DoD Global Information Grid (GIG) per DoD Instruction 8500.2. The DoD IA Workforce includes all individuals performing any of the IA functions. The abbreviation for Security, INFOSEC, established in this Manual, supports civilian IA workforce identification and management requirements across the Department of Defense (DoD).

It Implements formal IA workforce skill development and sustainment, comprised of instructor-led resident courses, distributive training, blended training, supervised on-the-job training, exercises. Certification and recertification are no longer "nice-to-have." Certification is REQUIRED, even if you have the skills.

If you are a contractor - or work for a contractor - or expect to work for a contractor it specifies contractor certification and training requirements in all contracts that include acquisition, repair, maintenance, or day-to-day support of IA services.

DoD 8670.01 M outlines requirements for an initial IA orientation and annual awareness training to all authorized users to ensure they know, understand, and can apply the IA requirements of their system(s).

It requires all DoD and Contractors to specify contractor certification and training requirements in all contracts that include IA services.

It ensures that ALL IA personnel performing IA functions obtain and maintain a certification corresponding to the highest level function(s) required by their position.

It identifies two overall categories within the IA workforce: Technical and Management. These categories are subdivided into three levels each based on functional skill requirements and system environment focus. The levels and functional requirements in both the technical and the management categories apply to all civilian, military, and contractor personnel.

DoD 8570.01 M specifies that "Contractor personnel supporting IA functions shall be appropriately certified prior to being engaged. The contracting officer will ensure that contracting personnel are appropriately certified." New hire civilians and contractor personnel must agree as a "condition of employment" that they will obtain the appropriate certification for the position to be filled.

In addition to the baseline IA certification requirement for their level, Information Assurance Technicians (IATs) with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support. (e.g. appropriate level of Microsoft certifications for Microsoft systems support technicians, vendor-specific Linux or Linux+ certifications for Linux-based systems technicians, Cisco certifications for Cisco equipment technicians, etc.)

Completion of training, certification, and continuing education required to maintain certification status is normally "20 to 40 hours annually, or 120 hours over three years." [Footnote: none of the minimum certifications specified in DoD 8570.01-M can be completed in less than 40 hours. Technical certifications, such as Microsoft job-related certifications, also specified, often require 160 to well over 200 hours.]

Details included in the DoD Inst 8570.01-M:

Information Assurance (IA) certification programs are intended to produce IA personnel with the demonstrated ability to perform the functions of their assigned position. Each category and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training, experiential activities such as on-the-job training, and continuing education.

This applies to all positions with Information Assurance (IA) duties, whether performed as primary or additional embedded duties. This requirement applies to military and civilian positions including those staffed by contractors.

Personnel performing IA functions described in this Manual must satisfy both the preparatory and sustaining DoD IA training and certification requirements. These certification requirements apply to DoD civilian employees, military personnel, and support contractors performing the IA functions.

Participation in initial training (instructor-led classroom, distributive, or blended) before, or immediately on, assignment of IA responsibilities. must be sufficient to meet minimum certification standards, including obtaining the certification(s) specified from the designated certifying agency (e.g. A+, Network+, Security+; from CompTIA: MCITP, MCSA, MCSE etc from Microsoft). Certification holders must ensure that their certificates stay active. Expired certifications must be renewed.

Purpose of DoD 8570.1 M:

Levels of Information Assurance (IA) privileges, and required certifications in DoD Inst 8570.01-M:

  • Level 1 certification is required prior to being authorized any unsupervised privileged access. Personnel performing these functions, regardless of their occupational title (e.g., system administrator, help desk technician, information system technician, etc,) shall be identified as part of the IA workforce and must comply with these requirements.
  • IAM Level I personnel are responsible for the implementation and operation of a DoD IS or system component within their CE. Incumbents ensure that IA related IS are functional and secure within the CE.
  • IAT Level II personnel provide network environment (NE) and advanced level Computing Environment (CE) support. They pay special attention to intrusion detection, finding and fixing unprotected vulnerabilities, and ensuring that remote access points are well secured.
  • IAM Level II personnel are responsible for the IA program of an Information System (IS) within the Network Environment (NE). Incumbents in these positions perform a variety of security related tasks, including the development and implementation of system information security standards and procedures. They ensure that the IS are functional and secure within the NE.
  • IAT Level III personnel focus on the enclave environment and support, monitor, test, and troubleshoot hardware and software IA problems pertaining to the CE, NE, and enclave environments. [An enclave is any secured, self-contained computational system within a system of local area networks.]
  • IAM Level III personnel are responsible for ensuring that all enclave IS are functional and secure. They determine the enclaves’ long term IA systems needs and acquisition requirements to accomplish operational objectives. They also develop and implement information security standards and procedures.

  • Minimum Certifications Required by DoD Inst 8570.01 M, by IAT levels:
    IAT Level 1 IAT Level 2 IAT Level 3
    A+ Security+ CISA
    Network+ GSEC CISSP
    SSCP SCNP GSE
    - SSCP CSNA
  • Minimum Certifications Required by DoD Inst 8570.01 M, by IAM levels:
    IAM Level 1 IAM Level 2 IAM Level 3
    Security+ CISSP CISSP
    GISF GSLC GSLC
    GSLC CISM CISM

  • Acronym List from DoD Inst 8570.01-M
    AIS - Automated Information System
    ASD(NII) - Assistant Secretary of Defense for Networks and Information Integration
    CBT - Computer Based Training
    CE - Computing Environment
    CMIS - Corporate Management Information System
    COTR - Contracting Officer’s Technical Rep.

  • NOTE: IATs must also obtain certifications required to implement the IA requirements for their specific operating system environment (e.g., Microsoft Operating Systems Administrator Certification - MCDST / MCSA / MCSE / Linux+ ). The A+ or Network+ certifications qualify only for Technical Level I and could not be used for Technical Level II positions.

  • NOTE: The Security+ or GISF certifications qualify only for Management Level I and could not be used for Management Level II positions. An IAM I must obtain one of certifications shown in the IAM I box such as the Security +. The IAM I should not take the CISSP unless already qualified in one of the certifications listed in the IAM I box (e.g., Security +).

  • DAA - Designated Approving Authority
    DCPDS - Defense Civilian Personnel Data System
    DEERS - Defense Eligibility Enrollment Reporting System
    DIMHRS - Defense Integrated Military Human Resources System
    DISA - Defense Information Systems Agency
    DMDC - Defense Manpower Data Center

  • An IAT I must obtain one of certifications shown in the IAT I box such as the A+. The IAT I should not take the Security+ unless already qualified in one of the certifications listed in the IAM I box (e.g., A+, or Network+).Commercial, vendor specific, or component developed equivalent certifications approved for the DoD IA workforce requirement must align to the IA functional requirements.

  • Commercial, vendor specific, or component developed equivalent certifications approved for the DoD IA workforce requirement must align to the IA functional requirements. Additionally, to ensure validity, certifications must be accredited and maintain accreditation under the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17024.

  • e-JMAPS - e-Joint Manpower and Personnel System
    Enclave Environment - A contained computing environment
    FISMA - Federal Information Security Management Act
    FN - Foreign National
    GIG - DoD Global Information Grid
    IA - Information Assurance
    IAM - Information Assurance Manager


Purpose of DoD 8570.1 M:

This requirement, specified in Appendix C, paragraph C6.3 mandates a minimum level of awareness for all Information Assurance (IA) users. It is anticipated that this requirement will be fulfilled by the organization using seminars, handouts, online, and CBT courses. HyperLearning Technologies offers a 2-day training program which covers all of this and more. The Ec-Council Security5 certification. DoD Inst 8570.01-M requirements includes:

SPECIFIC REQUIREMENTS
User orientation and awareness programs will address:

  • The importance of IA to the organization and to the authorized user.
  • Relevant laws, policies, and procedures, and how they affect the authorized user (e.g., copyright, ethics, standards of conduct).
  • Examples of external threats such as script kiddies, crackers, hackers, protesters, or agents in the employ of terrorist groups or foreign countries.
  • Examples of internal threats such as malicious or incompetent authorized users, users in the employ of terrorist groups or foreign countries, disgruntled employees or service members, hackers, crackers, and self-inflicted intentional or unintentional damage.
  • The potential elevated sensitivity level of aggregated unclassified information.
  • Authorized user risk from social engineering.
  • Common methods to protect critical system information and procedures.
  • Principles of shared risk in networked systems (i.e., how a risk assumed by one person is imposed on the entire network) and changes in the physical environment (e.g. water, fire, dust/dirt).
  • Risks associated with remote access (e.g., telecommuting, during deployment, or on temporary duty).
  • Legal requirements regarding privacy issues, such as email status (DoD Directive 2500 and the need to protect systems containing payroll, medical and personnel records.
  • Knowledge of malicious codes (e.g., logic bomb, Trojan horse, malicious mobile code, viruses, and worms) including how they attack, how they damage an IS, how they may be introduced inadvertently or intentionally, and how users can mitigate their impact.
  • The impact of distributed denial of service attacks and what users can do to mitigate them.
  • How to prevent self-inflicted damage to system information security through disciplined application of IA procedures such as proper log on, use of passwords, preventing spillage of classified information, e-mail security, etc.
  • Embedded software and hardware vulnerabilities, how the Department of Defense corrects them (e.g., IAVA process), and the impact on the authorized user.
  • Prohibited or unauthorized activity on DoD systems (e.g., peer-to-peer file sharing, gambling, personal use and gain issues).
  • Requirements and procedures for reporting spillages, unauthorized or suspicious activity, and local IA office point of contact information.
  • Categories of information classification and differences between handling information on the Non-Classified Internet Protocol Router Network (NIPRNet) or the SECRET Internet Protocol Router Network (SIPRNet).
  • Software issues including license restrictions on DoD systems, encryption, and media sanitation requirements and procedures.
  • Definition of Information Operations Condition (INFOCON) and its impact on authorized users.
  • Sources of additional information and training.