For most professionals in the InfoSec / IA community around the defense industry, the DoD Directive 8570 has largely been an exercise in knowledge acquisition: certifications like the CompTIA Security+, the (ISC)2 CISSP and the ISACA CISM require candidates to absorb "vendor-neutral" security concepts rather than skills in how to harden, attack or defend specific systems or infrastructures. Concerns are perhaps justified that, to some degree, the 8570 has been a boon to the certifying bodies and the IT/InfoSec training industry, but has not fully addressed the true intention of the DoD 8570 Directive, namely to create a better IA workforce in the DoD and to improve the security posture of our most critical infrastructure. It is also observed that some in the defense community view the 8570 as largely a "box-checking" activity to meet compliance.
This is naturally frustrating for many involved. I have spoken with several DoD IA managers (both .mil and contractors) who wished that the certification requirements aligned better with the skills requirements they had. And by requirements we are talking about the kind of skills gap that can have mortal consequences. IA Managers have to ramp up, in some cases, individuals who have very minimal experience with computers or with the particulars of the systems they are working on, and for the sake of compliance/survival, those individuals now need to devote themselves to a Security+ because the IA task they are doing is at the Network Environment level (IAT II). What if that person really needs fundamental training supporting their IA task (for example Cisco routing fundamentals or Linux fundamentals)? At present, many express concern that compliance is trumping pragmatics, and this may be leading to a less secure posture.
A new emphasis, however, emerging out of the DIAP (the agency overseeing the DoD 8570 Directive) is on 1) specific skills development and 2) the "Computing Environment" training and certification requirements for IATs (Information Assurance Technical personnel). This emphasis has led to the recent release of a memo from the DoD CIO to the component heads stating that "Certification is only one piece" of the goals intended by the 8570 and that attention is being turned towards the other aspects, in particular skills improvement affecting the performance of IA tasks on actual systems.
The DoD has conducted internal studies to determine the value of the current regimen of training and certification under the mandate; looking at the results, it found that focus needs to be driven to the following areas:
- CE (Computing Environment) training and certification: Hardening infrastructures and systems requires baseline competencies on those systems as well as specific knowledge of those systems' security controls and configurations. While present training and certification activities under current DoD 8570 requirements speak to this to some degree, expect more guidance from the DIAP and the DoD CIO on this. I expect to see more focus on desktop, server and infrastructure training, particularly on the MS and Cisco side.
- Red Team / Blue Team Skills: While some of the skills required to perform these IA tasks are covered by existing DoD 8570 certifications on the matrix (CEH, for one), the focus will shift to training on the actual methodology and tools deployed in these exercises.
- Application Security: an area that is increasingly the front line of security incidents will become more a part of the mandate. Software developers and software testers (QA and security) will potentially start to fall within the scope of 8570.
While training and certification for these three areas are available from multiple providers, I expect that there is need and opportunity for new approaches that align with the DoD mission more precisely.
Barry Kaufman, CISSP, CEH, MCSE, ITILv3
Worldwide Line of Business Executive, InfoSec and Boot Camps
Fast Lane US