UNDERSTANDING DOD 8570 TRAINING REQUIREMENTS

AND HOW TO MAKE SURE YOU'RE COMPLIANT

If you’re an information systems security professional, it’s important to be familiar with the DoD 8570. If you’re not sure what this is or aren’t clear on some aspects of it, don’t worry — this guide is here to walk you through what you need to know. In this guide, we'll go over:
  • What the DoD 8570 is
  • Who it applies to
  • Why it's important to know about DoD 8570
  • What's involved in becoming DoD 8570 compliant
  • Options for certification
By the end, you'll have a more solid understanding of what the DoD 8570 is and some concrete ideas for what to do next.

What is DoD 8570?

DoD 8570 is shorthand for Department of Defense (DoD) Directive 8570, also known as the Information Assurance Workforce Improvement Program. One of the first important things to note about the DoD 8570 is that it isn’t actually a qualification or certification; it’s a policy. That means your goal won’t be to get ‘qualified’ for the DoD 8570. Instead, you should be aiming to become compliant with it. This is done by getting a range of separate certifications, which we’ll cover in more depth later in the post. You may have heard that the DoD 8570 is in the process of being replaced by the DoD 8140, which is correct. However, it’s expected to be a few years before this is complete, so the 8570 will be the relevant directive until then.

Where did DoD 8570 come from?

The DoD 8570 was established in 2005 to deal with the problem of unqualified workers doing cybersecurity work for the DoD. For obvious reasons, having staff working on issues of national security without proper training was a big concern for the federal government. The DoD 8570 ensures that all staff working with information security within the DoD are properly qualified. This is done by requiring members of staff to attain certain respected certifications. These required certifications are divided into categories based on the kind of work the person will be doing, and we’ll go into this in more detail later on.

Who does it apply to?

  • DoD employees involved in information security, such as anyone in the Office of the Secretary of Defense or Office of the DoD Inspector General
  • Part- and full-time military staff
  • Defense agencies
  • Part- or full-time contractors for the DoD
  • DoD Field Activities
  • Any local national with private access to a DoD system performing information security functions
So, anyone working in the above jobs will need to become DoD 8570 compliant. In addition to that, anyone hoping to work for the DoD at some point should also consider getting the relevant qualifications. In that sense, becoming DoD 8570 compliant comes with a lot of potential career options, such as the ability to work in defense and use your skills to make a real difference to national security.

How do you become DoD 8570 Compliant?

Your road to DoD compliance is going to depend on the kind of work you do. As mentioned above, the required qualifications are grouped into categories. The two main categories are IAT and IAM. Let’s dive into those a little deeper.
  • Information Assurance Technical (IAT) certifications are aimed at those who work in more technical roles
  • Information Assurance Management (IAM) certifications are aimed at more managerial positions
These categories are further broken down into three levels based on the responsibilities of the job. In the rest of the guide, we’ll take you through each of the levels for each category. We’ll look at the jobs you need each level for, the options for certification, some training advice, and the skills you’ll gain at each level. Only one certificate is needed at each level to become compliant. The good news here is that there are several options for certifications at each stage. Let’s start with the IAT levels, for technical-level staff. If the IAM applies to you instead, you can skip this part and scroll down to that section below.

IAT Levels and Certifications

Level I

The first level of the IAT category is for personnel with 0-5 years of experience. Their role is to fix flaws, implement IAT controls, and perform basic security controls.

What are the functions involved?

According to the DoD 8570, these are some of the functions that level 1 IAT personnel will be expected to perform:
  • Recognize a potential security violation, take appropriate action to report the incident as required by regulation, and mitigate any adverse impact
  • Apply instructions and pre-established guidelines to perform IA tasks within the computing environment (CE)
  • Provide end user IA support for all CE operating systems, peripherals, and applications
  • Support, monitor, test, and troubleshoot hardware and software IA problems pertaining to their CE
  • Apply CE specific IA program requirements to identify areas of weakness
  • Apply appropriate CE access controls
  • Conduct tests of IA safeguards in accordance with established test plans and procedures
  • Apply established IA security procedures and safeguards and comply with the responsibilities of the assignment
  • Comply with system termination procedures and incident reporting requirements related to potential CE security incidents or actual breaches

Which jobs does this apply to?

  • Security Analyst
  • System Administrator
  • Application Administrator
  • Network Administrator
  • Computer Technician

What are the certification options?

CompTIA A+

This is a solid base for any IT career, focusing on IT operations, problem-solving, troubleshooting, and networking. It includes operating systems and mobile devices. The exam contains 90 multiple choice questions and is 90 minutes long. The CompTIA A+ would be a good fit for jobs such as support specialist and field service technician.

CompTIA Network+

This is another fundamental IT qualification, with a sharper focus on networks. Skills gained here include how to troubleshoot, manage, and configure networks, and how to design and implement functional networks. It covers basic networking concepts and infrastructure, with some focus on security. The exam contains 90 multiple choice questions and is 90 minutes long. The CompTIA Network+ is a good choice for computer technicians, IS consultants, systems engineers, and network analysts.

(ISC)² SSCP

The Systems Security Certified Practitioner from (ISC)² is focused on operation security. It teaches students how to implement, monitor, and administer IT infrastructure with security best practices. The exam consists of 125 multiple choice questions with a time limit of 3 hours. This qualification applies best to job titles like network security engineer, security consultant, and security analyst.

Level II

Level two of the IAT generally applies to people with at least 3 years of experience in information assurance technology or a similar area. It requires mastery of the IAT level 1 functions. At this level, personnel tend to focus more on security-related duties like intrusion detection, finding and fixing vulnerabilities, and improving the security of systems.

What are the functions involved?

According to the DoD 8570, these are some of the functions that level 2 IAT personnel will be expected to perform:
  • Demonstrate expertise in IAT Level I computing environment (CE) knowledge and skills
  • Examine potential security violations to determine if the network environment (NE) policy has been breached, assess the impact, and preserve evidence
  • Support, monitor, test, and troubleshoot hardware and software IA problems pertaining to the NE
  • Recommend and schedule IA related repairs in the NE
  • Perform IA related customer support functions including installation, configuration, troubleshooting, customer assistance, and/or training, in response to customer requirements for the NE
  • Provide end user support for all IA related applications for the NE
  • Analyze patterns of non-compliance and take appropriate administrative or programmatic actions to minimize security risks and insider threats
  • Manage accounts, network rights, and access to NE systems and equipment
  • Analyze system performance for potential security problems

Which jobs does this apply to?

Jobs for IAT level 2 professionals include:
  • Systems Administrator
  • IT Security Specialist
  • Information Security Analyst

What are the certification options?

GSEC

This certification is aimed at security professionals. It requires candidates to demonstrate an understanding of information security beyond basic concepts and terminology, covering areas like active defense, contingency plans, endpoint security, threat hunting, and wireless network security. The exam contains 180 questions with a time limit of 5 hours. It’s a pathway to jobs like Information Security Systems Officer, Information Security Engineer, Information Security Analyst, and Senior Cyber Security Engineer.

CompTIA Security+

This focuses on baseline skills for core security functions. It’s made up of performance-based questions, with an emphasis on practical skills, and comprises some of the latest trends and techniques. The exam consists of 90 multiple choice questions with a 90-minute time limit. This is a good fit for jobs like Systems Administrator, Network Administrator, Security Specialist, Security Consultant, and Junior IT Auditor/Penetration Tester.

SCNP

The SCNP stands for Security Certified Network Professional and covers hands-on information security skills. For this qualification, you’ll need to already have the SCNS certification. The SCNP demonstrates prevention techniques, risk analysis, and security policy creation among other things, and builds on foundational skills like cryptography, ethical hacking techniques, and creating a security policy. The exam takes the form of multiple choice questions. Jobs the SCNP qualifies students for include Security Analyst, Information Security Consultant, and Systems Administrator.

(ISC)² SSCP

(Covered in Level I section above)

Level III

Level 3 of the IAT concerns professionals with at least seven years of experience in information assurance who have expert knowledge of the IAT level 2 and 3 functions. Professionals at this level are expected to fulfill high-level, possibly leadership roles and be responsible for secure integration and operation of systems.

What functions are involved?

According to the DoD 8570, these are some (but not all) of the functions that level 3 IAT personnel will be expected to perform:
  • Mastery of IAT Level I and IAT Level II CE/NE knowledge and skills
  • Coordinate and/or provide support for all enclave applications and operations
  • Formulate or provide input to the enclave's IA/IT budget
  • Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action
  • Provide direction and/or support to system developers regarding correction of security problems identified during testing
  • Examine enclave vulnerabilities and determine actions to mitigate them
  • Analyze IA security incidents and patterns to determine remedial actions to correct vulnerabilities
  • Implement vulnerability countermeasures for the enclave

Which jobs does this apply to?

Jobs for IAT level 3 professionals include high-level technical roles like Chief Information Security Officer, Information Technology Manager, and PCI Security Specialist.

What are the certification options?

CISA

The Certified Information Systems Auditor certification is aimed at high-level IT professionals and demonstrates the ability to audit, monitor, access, and control data. It concerns IT government systems and infrastructure lifecycle management. The exam is four hours long and features 200 multiple choice questions. Jobs for CISA certified professionals include Internal Auditor, Public Accounts Auditor, Information Security Analyst, IT Audit Manager, and PCI Security Specialist.

CISSP

The Certified Information Systems Security Professional qualification from (ISC)² is aimed at information security professionals with deep experience in senior level roles, with at least five years on the job. It demonstrates the ability to design, implement, and manage a security program and is one of the most highly respected certifications in the field. Jobs for a CISSP include Chief Information Security Officer, Security Systems Administrator, Information Assurance Analyst, and Senior IT Security Consultant. Although the CISSP exam is challenging with a minimum of 100 questions and a 3-hour time limit, the Beyond20 CISSP Bootcamp is a great way to prepare and give yourself the best possible chance of success.

GSE

The GIAC Security Expert qualification was developed by infosec industry leaders and experts. It focuses on the assessment of hands-on skills and practical knowledge, and candidates are expected to demonstrate advanced ability and knowledge of security functions. Topics covered in the exam include incident handling skills, intrusion detection and analysis, and general security skills. The assessment is split into a 3-hour multiple choice exam and a 2-day hands-on lab. It’s tough and highly respected, and candidates need a GSEC, GCIA, and GCIH certificate to even begin. However, the GSE qualifies you for some of the top jobs in information security.

SCNA

The Security Certified Network Architect certification is the top qualification in the SCP program. It requires an SCNP certificate and focuses on the skills and technology required to build trusted networks. Topics include legal issues, wireless security, biometrics, digital certificates and signatures, and PKI policy and architecture. The exam is 2 hours long. The SCNA is relevant for leadership roles such as Security Administrator and Information Technology Manager.

IAM Levels and Certifications

Level I

Level 1 of the IAM category contains professionals with 0-5 years of experience. They're expected to apply knowledge of IA policy, procedures, and structure to develop, implement, and maintain a secure computing environment. Compared to the IAT group, this category is more focused on managerial and leadership skills, and the required qualifications reflect that.

What functions are involved?

According to the DoD 8570, these are some (but not all) of the functions that level 1 IAM personnel will be expected to perform:
  • Use federal and organization-specific published documents to manage operations of their computing environment (CE) system(s)
  • Support and administer data retention and recovery within the CE
  • Validate users’ designation for IT Level I or II-sensitive positions, per Reference (bc)
  • Recognize a possible security violation and take appropriate action to report the incident, as required
  • Ensure that system security configuration guidelines are followed
  • Ensure that IA requirements are integrated into the Continuity of Operations Plan (COOP) for that system or DoD Component
  • Ensure that IA security requirements are appropriately identified in computer environment operation procedures

What jobs does it apply to?

IAM level 1 qualifications generally relate to junior-level management jobs in infosec, such as:
  • Cybersecurity analyst
  • IA manager
  • Information systems security officer (ISSO)
  • Information systems security manager (ISSM)

What are the certification options?

GISF

The GIAC Information Security Fundamentals certification requires candidates to demonstrate key concepts of information security, understand threats and risks, and be aware of how to defend against these. Topics on the exam include application security, computer math, cryptography, and network attacks. It’s aimed at professionals who want to get familiar with information assurance. The exam is 2 hours long and contains 75 questions. Jobs for GISF certified professionals include Information Security Officer, Managers, and System Administrators.

GSLC

The GIAC Security Leadership certification focuses on leadership and management skills in information security. This includes managing security operation centers, managing application security, managing security policy, managing system security, and vulnerability management. It’s a single 3-hour exam with 115 questions. A GSLC certification can be a route to a range of managerial and supervisory roles in information security.

CompTIA Security+

(Covered in the previous section)

Level II

Level 2 of the IAM category concerns professionals with at least 5 years of management experience. It focuses on knowledge of IA policy, procedures, and workforce structure to develop, implement, and maintain a secure network environment.

What functions are involved?

According to the DoD 8570, these are some (but not all) of the functions that level 2 IAM personnel will be expected to perform:
  • Develop, implement, and enforce policies and procedures reflecting the legislative intent of applicable laws and regulations for the network environment (NE)
  • Prepare, distribute, and maintain plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations
  • Recommend resource allocations required to securely operate and maintain an organization’s NE IA requirements
  • Develop security requirements for hardware, software, and services acquisitions specific to NE IA security programs
  • Assist in the gathering and preservation of evidence used in the prosecution of computer crimes
  • Review IA security plans for the NE
  • Identify alternative functional IA security strategies to address organizational NE security concerns
  • Review the selected security safeguards to determine that security concerns identified in the approved plan have been fully addressed
  • Evaluate the presence and adequacy of security measures proposed or provided in response to requirements contained in acquisition documents

What jobs does it apply to?

Level 2 IAM includes high-level management and leadership roles in information security.

What are the certification options?

CISM

The Certified Information Security Manager qualification is aimed at those looking for leadership and management roles in the information security industry. Candidates should demonstrate how to build, design, and implement enterprise infosec programs. The exam contains 200 multiple choice questions with a time limit of 4 hours. Candidates must have 5 years of experience in infosec, although this time can be lower if supplemented with other qualifications such as the CISSP. Jobs for CISM professionals include Senior Cybersecurity Manager, Senior IT Security Analyst, and Network Security Consultant.

GSLC

(Covered in the previous section)

CISSP

(Covered in the previous section)

Level III

Level 3 of IAM features professionals with at least 10 years of management experience. They’re expected to apply their knowledge of IA policy, procedures, and workforce structure to develop, implement, and maintain a secure enclave environment.

What functions are involved?

According to the DoD 8570, these are some (but not all) of the functions that level 3 IAM personnel will be expected to perform:
  • Securely integrate and apply Department/Agency missions, organization, function, policies, and procedures within the enclave
  • Ensure IAT Levels I – III, IAM Levels I and II, and anyone with privileged access performing IA functions receive the necessary initial and sustaining IA training and certification(s) to carry out their IA duties
  • Ensure information ownership responsibilities are established for each DoD IS and implement a role based access scheme
  • Evaluate proposals to determine if proposed security solutions effectively address enclave requirements, as detailed in solicitation documents
  • Evaluate cost benefit, economic and risk analysis in decision-making process
  • Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enclave’s IA program
  • Ensure that security related provisions of the system acquisition documents meet all identified security needs
  • Evaluate and approve development efforts to ensure that baseline security safeguards are appropriately installed

What jobs does it apply to?

Level 3 IAM and the associated certifications apply to the highest-level management roles in information security.

What are the certification options?

CISM

(Covered in the previous section)

GSLC

(Covered in the previous section)

CISSP

(Covered in the previous section)

IASAE

Information Assurance System Architecture & Engineering (IASAE) and Cybersecurity Service Provider (CSSP) are additional, more specialized categories. These are higher-end qualifications aimed at personnel with some experience and a desire to specialize. Training options here include the CISSP, CSSLP, and CASP+.

Becoming DoD 8570 compliant is an important step if you’re working with the DoD or planning to do so. The good news is there are plenty of routes you can take and a lot of support out there, regardless of your current level.
