Q1: Given the signing of the DoD Directive 8140.01 on August 11, 2015, what is the impact on the DoD 8570.01-M?
A1: The DoD Directive 8140.01, "Cyberspace Workforce Management," reissues, renumbers, and cancels DoD Directive (DoDD) 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce. The DoD 8570.01-M governing the IA workforce certification program is still in effect. See Change 4 to DoD 8570.01-M dated November 10, 2015. (Reviewed October 17, 2017)
Q2: Is the DoD 8570.01-M titled Information Assurance Workforce Improvement Program still in effect?
A2: Yes, DoD 8570.01-M will remain in effect until it is cancelled formally. The DoD Directive (DoDD) 8140.01, "Cyberspace Workforce Management," dated August 11, 2015, is now the overarching governance document. DoDD 8140.01 reissued, renumbered, and canceled DoDD 8570.01 to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce.
The DoD Chief Information Officer (CIO) and other stakeholders are developing and will publish instructions and manuals to implement the policies in DoDD 8140.01. Until those policies are vetted and published, the DoD 8570.01-M policies and guidance are considered the most current. A copy of the current Manual is available on the DoD Publications website located at: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/857001m.pdf (Reviewed October 17, 2017)
Q3: When will the DoD 8570.01-M go away?
A3: DoD 8570.01-M should still be in effect until DoD implements new requirements through future qualification manuals developed for the cyber workforce. We anticipate there will be a transition period from the requirements of DoD 8570.01-M to the new requirements of future qualification manuals. (Reviewed October 17, 2017)
Q4: Why did the Information Assurance (IA) Workforce change to the Cybersecurity Workforce?
A4: As the cyberspace domain continues to mature, DoD, the rest of the Federal Government, and the private sector have recognized that cybersecurity encompasses a much broader range of activities and responsibilities. Specifically, DoD Instruction (DoDI) 8500.01 paragraph 1d states that DoD adopts the term “cybersecurity” as it is defined in the National Security Presidential Directive-54, Homeland Security Presidential Directive-23. Cybersecurity incorporates the functions previously included under the IA umbrella. Thus, DoD is transitioning from the IA workforce to the Cybersecurity Workforce, which is a subset of the overall “Cyber Workforce” (also called the Cyberspace Workforce). In the interim, DoD 8570.01-M requirements are still identified as IA Workforce requirements. (Reviewed October 17, 2017)
Q5: What is the DoD Directive 8140.01?
A5: The DoD Directive (DoDD) 8140.01 was officially signed August 11, 2015. It unifies the overall cyber workforce and establishes specific workforce elements (cyber effects, cybersecurity, cyber information technology (IT), and intelligence (cyber)) to align, manage, and standardize cyberspace work roles, baseline qualifications, and training requirements. It authorizes establishment of a DoD Cyberspace Workforce Management Council with representation from the Offices of the DoD CIO, Under Secretary of Defense for Personnel and Readiness (USD(P&R)), Under Secretary of Defense for Policy (USD(P)), Under Secretary of Defense for Intelligence (USD(I)), the Joint Staff, the Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS), and other DoD Components.
The DoDD 8140.01 does NOT address operational employment of the work roles. Operational employment of the cyberspace workforce will be determined by the Joint Staff, Combatant Commands, and other DoD Components to address mission requirements. (Reviewed October 17, 2017)
Q6: How does the DoD Directive 8140.01 affect me as an IA professional? Does my job change?
A6: There are no changes to the IA job descriptions within the DoD 8570.01-Manual, which is still in effect. (Reviewed October 17, 2017)
Q7: Do I still have to be certified in accordance with the DoD 8570.01-M?
Q9: I have a version of the DoD 8570.01-M, with some words in red font or crossed out. Is this a draft?
A9: No. It is Washington Headquarters Services (WHS) policy that any change to an existing DoD policy be designated by red strike through for deleted text and red italics for new text. Though the DoD 8570.01-M may have the appearance of a draft document or one written with its changes tracked, it is actually finalized and published policy.
Q10: Do I need any special training on how to implement DoD 8570.01-M?
A10: No. Neither you, nor your organization, need special training regarding the implementation of DoD 8570.01-M. Furthermore, the DoD has not sponsored or required any commercial DoD 8570.01-M implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.01-M implementation.
Q11: What do you mean by Computing Environment, Network Environment, or Enclave?
A11: Computing Environment, Network Environment, and Enclave are essential to understand in order to use the DoD 8570.01-M to code and qualify your cyber workforce. These terms are based on basic system architecture, not on base, station, or command structure.
Appendix 1 of the DoD 8570.01-M contains definitions for each of these environments. Specifically:
- Computing Environment (CE). A CE has a server with multiple stations working from it. The stations can be standard computers, remote sensors, satellite feeds, etc.
- Network Environment (NE). Examples of possible networks in the basic enclave include Operations Networks, Logistics Networks, and Human Resources networks connecting to a Component Enclave. Each network consists of at least one Computing Environment.
- Enclave. An enclave consists of at least two networks controlled by the enclave security policy and procedures. (Reviewed October 17, 2017)
Q12: How can I identify who is in the IA Workforce?
A12: The Information Assurance Workforce, Workforce Improvement Program (IA WIP) is a workforce management program. The key to workforce management is the position. All positions required to perform IA functions must be identified. Any person filling that position is automatically part of the Cyber or IA Workforce whether it is full-time, part-time, or an embedded duty, whether it is their primary specialty, secondary specialty, or just another duty as assigned.
The DoD 8570.01-M establishes the basic identification requirements. The current version of the Manual has two categories, IA Technical (IAT), and IA Management (IAM). The Manual also has two specialties, Cyber Security Service Provider (CSSP) and IA System Architects and Engineers (IASAEs). These categories and specialties are subdivided into levels, each based on functional skill requirements and/or system environment focus (see DoD 8570.01-M Chapters 3, 4, 5, 10, and 11).
The IAT and IAM categories have levels I, II, and III, based on where the position is located within the overall information system architecture (see Diagram below). Each level of architecture is specifically defined in the Manual. For example, the Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the “IA Level” is related to the system architecture, not to an individual’s grade or experience. Also see the Diagram under “What do you mean by Computing Environment, Network Environment or Enclave?” FAQ.
Chapters 3, 4, 5, 10 and 11 of DoD 8570.01-M list IA functions for each level within a category. Positions/personnel required to perform any of these functions are part of the IA workforce.
The IASAE specialty has levels I, II, and III, also based on where the position is located within the overall information system architecture. The CSSP specialty levels are tied to functional positions, i.e., Analyst, Infrastructure Support, Incident Responder, Auditor, and Manager.
(Reviewed October 17, 2017)
Q13: How do I identify the IAT workforce?
A13: Two basic questions can help identify IA Technical (IAT) positions:
1. Does the position require privileged access to a DoD Information System Computing, Network, or Enclave environment?
2. Does the position include any of the functional requirements listed in Chapter 3 of DoD 8570.01-M for that level of the information system architecture?

- If the answer to both #1 and #2 is yes, the position is an IAT position.
- If the answer is no to both, then it is not an IAT position.
- If the answer is yes to #1 and no to #2, it is not an IAT position.
- If the answer is no to #1 and yes to #2, it may be an IAM or other IA position.
Q14: How do I identify the IAM workforce?
A14: Two basic questions can help identify IA Management (IAM) positions:
1. Does the position have responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment?
2. Does the position include any of the functions listed in Chapter 4 of DoD 8570.01-M for that level of the information system architecture?

- If the answer to both #1 and #2 is yes, then the position is an IAM position.
- If the answer is no to both #1 and #2, it is not an IAM position.
- If the answer is yes to #1 and no to #2, it is not an IAM position.
- If the answer is no to #1 and yes to #2, it may be an IA position but not an IAM position as currently defined in the Manual.
Q15: Under DoD’s Risk Management Framework, there is no longer a Designated Approval Authority (DAA). How do we account for the Authorizing Official (AO) in the former DAA role?
A15: Under the DoDI 8510.01 Risk Management Framework for DoD Information Technology, the DAA is now referred to as the AO. The AO is an appointed position, usually a senior leadership position within the business or mission owner organization. Specifically, the AO is the senior official responsible for ensuring that the information systems, platform information technology (PIT) systems, and IT services and products under their authority operate securely.
Whenever possible, refer to the former DAA position as the AO position and the person filling the position as the AO. Please see the Information Assurance Support Environment (IASE) website for AO specific information and training: https://powhatan.iiie.disa.mil/eta/disa_ao_fy14/launchPage.htm (Reviewed October 17, 2017)
Q16: How do I report personnel who are filling one or more IA positions?
A16: Under Construction.
The answer to this question depends on the purpose of the report and the organizational relationships. Whereas there were multiple reporting requirements in different systems in the past to satisfy the annual reporting requirement of the DoD 8570.01-M, there has been consolidation over the past few years using FISMA reporting. Please note there are further changes under discussion which aim to clarify Cyber Workforce reporting requirements and comply with DoD 8570.01-M. Thus, Cyber workforce reporting requirements will be promulgated separately. (Reviewed October 17, 2017)
Q17: Do the training and certification requirements specified in DoD 8570.01-M replace Component, command or community-specific training and certification requirements?
A17: No. The DoD 8570.01-M provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with relevant Component, command, or community specific requirements for IA training and/or certification.
Components may require personnel performing IA job functions to complete specific certificates or certifications in addition to those identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component-specific requirements.
Q18: Do the National Unions support these requirements?
A18: Yes. As part of the DoD’s formal staffing process, USD(P&R) conducted a “national consultation” (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or were supportive of the IA WIP.
Q19: What role can the local unions play in the IA WIP?
A19: National Consultation Rights (NCR) do not absolve local parties from fulfilling their local bargaining obligations, as appropriate, prior to implementation of DoD policy. Local unions can participate in the planning for meeting the IA WIP requirements for the DoD civilian IA Workforce. The local union cannot negotiate the actual implementation requirements.
- Who needs to be certified is non-negotiable.
- Order/priority to certify the local IA Workforce may be negotiated.
- The number of retests the organization will fund may be negotiated.