DoD Directive 8570.01-M

The United States Department of Defense (US DoD) Directive 8570.01-M is a set of guidelines and procedures for the training, certification, and management of the DoD Information Assurance (IA) workforce conducting Information Assurance (IA) functions. According to the DoD Directive 8570 IAT FAQ, the long-term goal of DoD 8570.01 is the creation of a sustained, professional Information Assurance workforce possessing the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. All DoD organizations must comply the requirements of this directive in order to put the right people with the right skills in the right place. One way DoD 8570.01 prepares the IA workforce is by specifically requiring every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system–regardless of job series or occupational specialty–to obtain a commercial certification credential that has been accredited by the ISO/IEC.

So if you work for the DoD, or are looking for DoD work, what certifications should you have? And what does 8570.01 mean to people who are already certified? First of all, if you are already a member of the DoD IA workforce, or are employed by a DoD contractor, the actual steps you will follow to comply with 8570.01 can be found here. You will be provided guidance from your Information Assurance Manager (IAM) on the certification(s) you need for your current position and level. There should be no guesswork in this for you. If you are looking to make yourself a more attractive hiring prospects to a DoD entity, or you just like to collect highly-recognized certifications, you’ll need some additional information about the certification that the DoD has judged to be worthwhile and why. To start, DoD 8570.01 specifically defines certification as:

“Recognition given to individuals who have met predetermined qualifications set by an agency of government, industry, or profession.  Certification provides verification of individuals’ knowledge and experience through evaluation and approval based on a set of standards for specific profession or occupations’ functional job levels.  Each certification is designed to stand on its own, and represents a certified individual’s mastery of a particular set of knowledge and skills.” – DoD Directive 8570.01-M

So earning a certification is a way for an individual to prove that he or she has a certain mastery of a particular set of knowledge and skills. Sort of like passing one or two college classes in a particular subject. However, just any IT certification is not acceptable under DoD  8570.01. To be approved by the DoD, an IA workforce certification must be accredited under ISO/IEC Standard 17024:2003 or an equivalent accepted standard. ISO/IEC 17024 is an international standard that defines a criteria for organizations creating a certification program to certify individual people. Here are the accredited IT certifications currently recognized in DoD 8570.01-M:

Certification Provider Certification Name

CMSEI

Computer Security Incident Handler (CSIH)

CompTIA
  • A+
  • Network+
  • Security+

EC-Council

Certified Ethical Hacker(CEH)

(ISC)²
  • Certification and Accreditation Professional (CAP)
  • Certified Information Systems Security Professional (CISSP) (or CISSP Associate)
  • Information Systems Security Architecture Professional (CISSP-ISSAP)
  • Information Systems Security Engineering Professional (CISSP-ISSEP)
  • Information Systems Security Management Professional (CISSP-ISSMP)
  • System Security Certified Practitioner (SSCP)

ISACA
  • Certified Information Security Manager (CISM)
  • Certified Information Security Auditor (CISA)

Microsoft Corporation

Microsoft Certified System Administrator: Security (MCSA Security)

SCP
  • Security Certified Network Professional (SCNP)
  • Security Certified Network Architect (SCNA)

The SANS Institute
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Security Expert (GSE)
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Security Leadership Certificate (GSLC)
  • GIAC Systems and Network Auditor (GSNA)
  • GIAC Information Security Fundamentals (GISF)

 

Certified Information Security provides proven and guaranteed exam preparation training for ISACA's CISA and CISM certifications described in the table above.
But What Certification(s) Should I Get?

Now, after all this, if you still want or need certification compliant with DoD 8570.01, which certification(s) should you get? That depends on your functional role within the IA workforce.

The IA workforce is split into two major categories: IA Technical and IA Management, with each category being divided into three levels: I, II, and III. Each category and level has a specific set of job requirements that define the role that a DoD employee performs and the personnel requirements for a position at a specific level.

The following chart shows which commercial, ISO-approved IT certifications may be used to meet baseline IA workforce requirements for certified personnel performing IA functions. Only one certification listed at each level and category need be attained to meet the certification requirement for that level:

IAT Level I

IAT Level II

IAT Level III
  • A+
  • Network+
  • SSCP
  • GSEC
  • Security+
  • SCNP
  • SSCP
  • CISA
  • GCIH
  • CISSP (or Associate)
  • GSE
  • SCNA

IAM Level I

IAM Level II

IAM Level III
  • CAP
  • GISF
  • GSLC
  • Security+
  • CAP
  • GSLC
  • CISM
  •  CISSP (or Associate)
  • GSLC
  • CISM
  • CISSP (or Associate)
CND Analyst CND Infrastructure Support CND Incident Responder CND Auditor CND-SP Manager
  • GCIA
  • CEH
  • SSCP
  • CEH
  • GCIH
  • CSIH
  • CEH

IASAE I

IASAE II

IASAE III
  • CISSP (or Associate)
  • CISSP (or Associate)
  • CISSP-ISSEP
  • CISSP-ISSAP

So pick your category and level and there are your cert choices. If you are looking to get the fewest number of certs that will cover the most bases on this chart, it looks like having the Security+, SSCP, and CISSP will do just that. And, as someone who has all of these certs, I can tell you they aren’t bad ones to have, regardless if you have a DoD job or not. But will already having several of these certifications help you get a job with the U.S. DoD or with a U.S. defense contractor? Probably so. Most hiring managers prefer to hire people who already have the necessary certifications rather than spend the money in my departmental training budget to get new people certified. Job candidates who already have certifications also likely come with more InfoSec work experience than non-certified candidates. But getting a few certifications isn’t all there is to it. To maintain certification status, a regular schedule of continuous learning by IA workforce personnel is also mandated of by 8570.01. Even if you plan on retaking your certification exam(s) every three years, on-going education is still required. And when it comes to protecting DoD information systems, there’s nothing bad about that. Most of the courses offered at Certified Information Security provide CPE credit and associated certificates of achievement that can be used to fulfill ongoing continuing education requirements.

How can Certified Information Security help me?

Certified Information Security provides proven and guaranteed exam preparation training for ISACA's CISA and CISM certifications described in the table above.

References

8570 Certification Training

CISA / CISM Preparation
Certified Information Security's Preparation Training for
ISACA's CISA® certification exam
Certified Information Security's Preparation Training for
ISACA's CISM® certification exam