Approximately 2,100 professionals in the Defense Intelligence community are gathered this week at the 2010 Annual Department of Defense Intelligence Information Systems (DoDIIS) Worldwide Conference, hosted by the DIA’s (Defense Intelligence Agency) Directorate for Information Management. There is a lot of buzz in the air about the status of the DoD 8570, as December 2010 was set as the deadline for compliance. I have been very interested in 2 key questions:
- How close are the components to achieving 8570 Compliance?
- How effective has the DoD 8570 been in improving the Information Assurance / Cyber Security Work Force in the DoD?
I found from talking to folks and attending some presentations that the DoD 8570 can be considered a success story, but that it has also exposed significant problems. It’s a success in that internal studies have shown that 8570 certified IA professionals can detect threats better, that certified individuals who are trained in their respective “Computing Environment” (such as CCNAs or other vendor certified individuals) are better at defending systems in Red Team tests performed at agency events, and that overall IA skills performance is measurably superior for individuals that have taken the steps towards training and certifying for 8570 compliance. There is also the extremely important fact that retention of talent is 100% better in units that are pushing for certification.
On the problematic side, however, overall compliance of the components seems to be guess work and a moving target. Officials are reporting “somewhere between 60% and 70% compliance so far”. Identifying the IA workforce is not cut and dry, apparently. It is also suggested from officials that ‘we will never make 100% compliance”, largely due to turnover.
Last note before I get back to the show: As many have expected, it looks very likely that the DIAP will extend the deadline out an additional year. CAVEAT: This does NOT mean that the components will be changing their deadlines: The Navy, Air Force, Marines and Army may very well aim for compliance by year end, and this means that the IA workforce needs to keep plowing ahead with there certification and training missions.
Stay tuned to my blog posts for more info soon on upcoming changes to the DoD 8570 that I have learned about, guidance to the components, changes to particular certs and more!
Highest Regards,
Barry Kaufman, CISSP, CEH, MCSE, ITILv3
Worldwide Line of Business Executive, InfoSec and Boot Camps
Fast Lane US: www.fastlaneus.com
Email: barry.kaufman_at_fastlaneus.com
Tags: 8570, cybersecurity, DoD8570, security training
Given the periodic waves of cyber attacks handled by DoD security professionals, the measurable improvement in their skill at fighting these attacks is good news indeed. The next logical question is whether or not “critical infrastructure” (electric grid, banking, municipal water systems and so on) information technology professionals are getting the training they need to safeguard these assets. It would appear that if they get the training, they will be ready to handle more security challenges.