Directive 8570 FAQs

  1. What is DoD Directive 8570.1?
  2. What is the status of the manual (DoD 8570.01-M)?
  3. What support can the Office of the DoD CIO offer to components to plan for 8570 implementation?
  4. Who has to pay for certifications?
  5. Has the IA workforce Improvement Program (IA WIP) been funded?
  6. Who needs to be certified?
  7. What are IAT category training requirements?
  8. Now that the manual is signed, how long until I have to become certified?
  9. What can I do now to prepare for certification requirements?
  10. What can my component do to prepare for requirements?
  11. If I fail a certification can I retake the exam?
  12. How do I identify the IAT workforce?
  13. How to identify the IAM workforce?
  14. I want more information; who can I talk to?
  15. How can I get a copy of the manual?
  16. Will the training and certification requirements specified in DoD Directive 8570.1 and 8570.01-M replace component-, command-, or community-specific training and certification requirements?
  17. I already hold a certification listed in DoD 8570.01-M; what more will I need to do?
  18. Do I have to take the training associated with a certification, or can I just take the test?
  19. Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?
  20. What will qualify for continuous learning?
  21. What are the contractor certification implementation requirements?
  22. Has the DoD developed standard contract language for IA WIP requirements?
  23. How can components address the requirements for contractors to be certified under the DoD 8570?

What is DoD Directive 8570.1?

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Much of the Directive addresses workforce management issues. components must identify and document in personnel and manpower databases, IA personnel and positions and make certain that IA personnel meet training and certification requirements related to their job functions.

The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.

What is the status of the manual (DoD 8570.01-M)?

The manual has been approved by the assistant secretary of defense for Networks and Information Integration (ASD NII)/DoD chief information officer (CIO). It's now mandatory for all DoD organizations to comply with its requirements. A copy of the manual is available on the DoD Publications website.

What support can the Office of the DoD CIO offer to components to plan for 8570 implementation?

Defense-wide Information Assurance Program (DIAP) personnel are available to provide briefs and to support regional or major command workshops for 8570 implementation planning. You are strongly encouraged to work within your component Human Resources and IA operations leadership to establish a plan for meeting the requirements outlined in DoD 8570.1 and DoD 8570.01-M.

Who has to pay for certifications?

For DoD military and civilian IA workforce members, the DoD component must budget for and pay for an individual’s “required” certification. The component must also ensure appropriate training is provided for the position and preparation for the certification exam.

Has the IA workforce Improvement Program (IA WIP) been funded?

Yes. The DoD CIO has included funding in the PDM to support initial implementation requirements including certifications exams and personnel database updates. Funding via the PDM does not include training, components should already have IA training in their budgets. These requirements cover the IA WIP implementation phase from FY07 to FY10. DoD components are required to include IA WIP sustainment requirements in their budget plans.

The government cannot pay for contractor certification or certification preparation training. However, the government can support contractor training for the actual system and procedures they are supporting.

Who needs to be certified?

Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing IA functions. IAM personnel perform management functions for DoD operational systems described in the manual.

The training, certification, and workforce management requirements of 8570.01-M apply to all members of the DoD IA workforce including military, civilians, local nationals, non-appropriated fund (NAF) personnel, and contractors. The requirements apply whether the duties are performed full-time, part-time, or as an embedded duty.

What are IAT category training requirements?

Chapter 3.2 of the manual outlines that all Information Assurance (IA) personnel be trained and certified according to their job functions. All IA workforce in the technical category (IAT) must obtain IA certification and operating system certification for the operating system(s) they support, as required by their employing organization.

If you are in the IAT category, Red Hat can help you comply with the Directive's requirement for the operating system certification.

Now that the manual is signed, how long until I have to become certified?

Components are required to have all identified IA personnel certified to the baseline requirement within five fiscal years of the manual’s publication date (19 Dec 2005). FY06 is the planning year to develop component and local IA workforce Improvement Program (IA WIP) implementation plans. The manual requires 10 percent of the IA workforce to become certified in FY07 and an additional 30% each fiscal year following. By the end of FY2010, all personnel performing IA functions described in the DoD 8570.01-M should be certified.

What can I do now to prepare for certification requirements?

Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD internally available training (e.g., Service Schoolhouse IA courses, DISA web-based training) or external training currently supported by your component for courses with learning objectives directly aligned to baseline certifications outlined in the manual.

What can my component do to prepare for requirements?

Components should identify IA workforce positions and personnel based on the categories, levels, and functions for IAT and IAM levels I – III described in DoD 8570.01-M. Positions/Personnel performing specialized functions for the computing, network, or enclave environment should be included as IAT or IAM Levels I – III based on the environment in which they are working. Specialized IA positions include certification and accreditation, computer network defense, vulnerability analysts, and information system architects and engineers.

If I fail a certification can I retake the exam?

Yes. The 8570.1 and 8570.01-M do not set a limit on the number of times a person may attempt to qualify for certification. However, components must support at least 1 retest attempt, but may set a limit on the number of additional retests they will support.

Remember, until a DoD military or civilian employee completes the requirements of the IA WIP, to include becoming fully certified, they are not authorized to fill an IAT or IAM billet (after the 4-year implementation phase). If the member’s component has set a limit on the number of retest attempts, an individual may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements, such as background investigation, OJT, etc.).

How do I identify the IAT workforce?

2 basic questions to help identify IA Technical positions:

  1. Does the position require privileged access to a DoD information system computing, network, or enclave environment?
  2. Does the position include any of the functional requirements listed in Chapter 3 of the manual for that level of the information system architecture?
    • If the answer to both 1 and 2 is yes, the position is an IAT position.
    • If the answer is no to both, then it is not an IAT position.
    • If the answer is no to either 1 or 2, it is not an IAT position.
    • If the answer is yes to 1 and no to 2, it is not an IAT position.
    • If the answer is no to 1 and yes to 2, it might be an IA manager or other IA position.

How to identify the IAM workforce?

Two basic questions to help identify IA management positions:

  1. Does the position have responsibility for managing information system security for a DoD information system computing, network, or enclave environment?
  2. Does the position include any of the functions listed in Chapter 4 of the manual for that level of the information system architecture?
    • If the answer to both 1 and 2 is yes, then the position is an IAM position.
    • If the answer is no to both 1 and 2, it is not an IAM position.
    • If the answer is yes to 1 and no to 2 it is not an IAM position.
    • If the answer is no to 1 and yes to 2, it might be an IA position but not an IAM position as currently defined in the manual.

I want more information; who can I talk to?

For more information about DoD Directive 8570.1 and the enterprise-wide training and certification initiative, contact the IASE Helpdesk.

How can I get a copy of the manual?

For a copy of the manual, DoD 8570.01-M, check the DoD Publications website.

Will the training and certification requirements specified in DoD Directive 8570.1 and 8570.01-M replace component-, command-, or community-specific training and certification requirements?

No. The 8570 provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with relevant component-, command-, or community-specific requirements for IA training and/or certification.

Components may require personnel performing IA job functions to complete specific certifications in addition to those identified in the manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate component-specific requirements.

I already hold a certification listed in DoD 8570.01-M, what more will I need to do?

Notify your respective personnel point of contact to make certain that your certification status is documented in the appropriate personnel database of record.

Also you will need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). Note that all certifications included in the manual currently do require, or will require in the near future, continuous learning as part of their certification requirements. You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.

Furthermore, the manual requires IATs to obtain a local operating system certification in addition to the baseline requirements.

Do I have to take the training associated with a certification, or can I just take the test?

Under DoD Directive 8570.1 and as specified in DoD 8570.01-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a pretest or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.

Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?

Yes. Chapter 101 of Title 10, United States Code, has been amended to permit services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. The FY06 DoD Appropriations Bill gives uniformed personnel parity with civilians.

What will qualify for continuous learning?

The minimum continuous learning requirement for certifications included under DoD 8570.01-M is typically 40 hours annually or 120 hours over a 3-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, DOD CIO is working with certification providers to identify proposed activities that would qualify for credit.

Note that all certifications included in the manual currently require or will require continuous learning as part of retaining certification status.

What are the contractor certification implementation requirements?

Contractors performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.01-M for the category and level functions in which they are performing. As with the military and civilian IA workforce, contractors have 4 years to meet the requirements of the 8570.01-M. The requirement is for 10% to be certified in the first year and 30% each year following. The manual includes other specific requirements (link to manual).

Has the DoD developed standard contract language for IA WIP requirements?

The DoD chief information officer (CIO) has coordinated with the undersecretary of defense for acquisition, technology, and logistics (AT&L), Defense Acquisition Regulations (DARs) Council, to propose language to include in the Defense Acquisition Regulations (DFARS). These changes were approved by the Council and are currently in the formal staffing process before they will be added to the DFARS.

Until these changes are made in the DFARS, components may use local clauses to implement these requirements for the contractor community.

How can components address the requirements for contractors to be certified under the DoD 8570?

In general, components must ensure that 10% of contractors are certified in FY07 and 30% of contractors are certified each subsequent year attaining 100% certification status by the end of FY10.

Enroll today for RHCSA and RHCE track courses, or contact a Red Hat Government specialist for further information by email or by telephone at 1 866-273-3428 x45909.