Department of Defense Directive 8570--Frequently Asked Questions

General Questions

What is DoD Directive 8570.01?

DoD Directive 8570.01 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying manual identifies the specific certifications mandated by the Directive's enterprise-wide certification program.
Much of the Directive addresses workforce management issues. Components must identify and document personnel positions in manpower databases. Correctly identified IA personnel and positions make certain that IA personnel meet training and certification requirements related to their job functions.
The ultimate vision of the Directive is a sustained, professional IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.
Back to top

What is the status of the Manual (DoD 8570.01-M)?

The 8570 Manual has been approved by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII)/DoD Chief Information Officer (CIO). It is now mandatory for all DoD organizations to comply with its requirements. A copy of the current Manual (Change 1) is available on the DoD Publications website, located at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
An updated version, Change 2, of the manual has been drafted and is currently in the "formal" staffing process. Until Change 2 of the manual is approved (estimated late summer/early fall 2009), the policies and guidance of Change 1 (above) are considered the most up-to-date guidance regarding 8570.
Back to top

How can I get a copy of the Manual?

For a copy of the Manual, DoD 8570.01-M check the DoD Publications Web site at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
Back to top

I have a version of the Manual with some words in red font or crossed out. Is this a draft?

No. It is WHS policy that any change to an existing DoD policy be designated by red strike through for deleted text and red italics for new text. Though it may have the appearance of a draft document or one written with "track changes", it is actually finalized and published policy.
Back to top

Do I need any special training on how to implement DoD 8570.01-M?

No. Neither you nor your organization needs special training regarding the implementation of DoD 8570.01-M. Furthermore, the DoD has not sponsored or required any commercial 8570.01-M implementation training or planning sessions. You should disregard any direct messages from vendors indicating a requirement to complete their course or information session as part of DoD 8570.01-M implementation.
Back to top

What do you mean by Computing Environment, Network Environment or Enclave?

Understanding these terms is essential to properly identifying your IA Workforce. These terms are based on basic system architecture not on base, station, or command structure. The DoD Appendix 1 of the 8570.01-M contains definitions for each of these environments. The key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports directly.

Computing Environment. A CE has a server with multiple stations working from it. The stations can be standard computers, remote sensors, satellite feeds, etc.
Networks. Example: There are three networks--Operations Network, Logistics Network, and Human Resources network, all connecting to a Component Enclave. Each network consists of at least one Computing Environment.
Enclave. An enclave consists of at least two networks controlled by the enclave security policy and procedures.

What can my Component do to prepare for 8570.01-M requirements?

Components should identify IA workforce positions and personnel based on the categories, levels, and functions for IAT and IAM levels I – III and specialized functions such as CND-SP and IASAE as described in DoD 8570.01-M.
Back to top

How can I identify who is in the IA Workforce?

The IA WIP is a workforce management program. The key to workforce management is the position. All positions required to perform IA functions must be identified. Any person filling that position is automatically part of the IA workforce whether it is full time, part time, or an embedded duty, or whether it is their primary specialty, secondary specialty or just another duty as assigned (this approach may lead to minimizing/eliminating IATs as an embedded duty group).

Here are steps to identify IA positions: The DoD 8570.01-M establishes the basic requirements. The current version of the Manual has four categories: technical (IAT), management (IAM), system architecture and engineering (IASAE), and computer network defender (CND). Each category has levels based on where the position is located within the overall Information System architecture. Each level of architecture is specifically defined in the Manual. For example, the Computing Environment is IAT and IAM Level I, the Network Environment is IAT and IAM Level II, and the Enclave Environment is IAT and IAM Level III. Note that the "IA Level" is related to the system architecture, not to an individual’s grade or experience.

Chapters 3, 4, 5, 10 and 11 of the Manual list IA functions for each level within a category. Positions/personnel required to perform any of these functions are part of the IA workforce.
Back to top

How do I identify the IAT workforce?

Two basic questions to help identify IA Technical positions:

Does the position require privileged access to a DoD information system Computing, Network, or Enclave environment?
Does the position include any of the functional requirements listed in Chapter 3 of the Manual for that level of the information system Architecture?
- If the answer to both #1 and #2 is yes, the position is an IAT position.
- If the answer is no to both, then it is not an IAT Position.
- If the answer is yes to #1 and no to #2, it is not an IAM position.
- If the answer is no to #1 and yes to #2, it may be an IA Manager or other IA position.

How to identify the IAM Workforce?

Two basic questions to help identify IA Management positions:

Does the position have responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment?
Does the position include any of the functions listed in Chapter 4 of the Manual for that level of the information system Architecture?
- If the answer to both #1 and #2 is yes, then the position is an IAM position.
- If the answer is no to both #1 and #2, it is not an IAM position.
- If the answer is yes to #1 and no to #2 it is not an IAM position.
- If the answer is no to #1 and yes to #2, it may be an IA position but not an IAM position as currently defined in the Manual.

How do I report personnel who are filling more than one IA position?

The answer to this question depends on the purpose of the report and the organizational relationships.

For IA Workforce Management Reporting at the Component and/or DoD CIO DIAP level: For this purpose, the DoD 8570.01-M reporting requirements are position-driven. To effectively "manage" the IA workforce, the DoD Components and local commands must identify any position (table of organization or manning document) required to perform IA functions by category and level. If specialized IA functions (such as Information Assurance System Architect and Engineer (IASAE), and Computer Network Defense Service Provider (CND SP)) duties are performed as a subset of the Information Assurance Technical (IAT) or Information Assurance Management (IAM) functions defined in DoD 8570.01-M, use those categories and levels.

For Component/DoD CIO DIAP reporting, the information must include the qualifications of the person filling that billet. Therefore, if a person is filling more than one IA position, that person and their qualifications must be reported against that position requirement. However, if the person is performing those functions due to under manning, then the position should be reported as not filled.

Paragraph C7.2.5. of the DoD 8570.01-M says Components must: "...track IA personnel training and certification against position requirements. Positions performing both management and technical functions must be identified individually in the appropriate manpower database. Personnel filling these positions must be aligned with both positions and maintain the appropriate certification/qualifications for each."

Example A: A person filling an IAT Level I position and also performing IAM Level I functions should have positions indicated in the manpower documents for each category. That person and their qualifications would be reported against each position. This is how Component/DoD CIO DIAP management can analyze the IA workforce requirements achievement both from a "positions filled" and "positions filled with qualified people" viewpoint.

Personnel performing IA functions as both Government Service (GS) civilian personnel and military reservists must be reported separately for each position.

Example B: A GS-12 IAT Level I performs full-time IA functions in a designated civilian IA position. This individual is also a Major (0-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be reported individually (reported from each respective organization). The person requirement would also be reported against each position, since the person is filling two completely separate personnel manning requirements.

For FISMA Reporting: FISMA reporting is based on Office of Management and Budget reporting requirements and is person-driven. Their basic requirement is to identify anyone performing IA functions and whether they have been trained to perform those functions. The 2006 FISMA Guidance notes that "if an individual is performing in multiple IA categories, only count them once based on the IA role in which they spend the highest percentage of their time/effort". Thus for FISMA, only report a person performing IA functions one time based on the position they spend the most time performing. If the person is "double hatted" (performs two roles) due to covering functions for an unfilled IA position, only count them in positions they spend the most time performing.

If specialized IA functions (such as Information Assurance System Architect and Engineer (IASAE), and Computer Network Defense Service Provider (CND SP)) duties are performed as a subset of the Information Assurance Technical (IAT) or Information Assurance Management (IAM) functions defined in DoD 8570.01-M, use those categories and levels.

Example A: An IAT Level I is assigned a primary duty (25 hours + per week) to support IA requirements for System A. There is another empty official "documented position" for System B which is co-located and the individual is required to cover the IA functions of that position (as an additional or embedded duty, 24 hours or less per week). Since FISMA is person-focused, you would only report the individual based on the position requiring the highest percentage of their time – System A in this case.

Example B: A GS-12 IAT Level I performs full-time IA functions in a designated civilian IA position. This individual is also a Major (0-4) in the Army reserve and performs IAM Level II position functions in that role. Since these positions support completely separate manning and personnel requirements, both positions should be included in the FISMA report (reported from each respective organization). The person requirement would also be reported against each position since the person is filling two completely separate personnel requirements.

Example C: A Marine Corps Master Sergeant (MSgt.) performs full-time IAT Level II functions in a joint combatant command headquarters. Who should report his position and personnel qualifications to FISMA? The Combatant Command owning the "joint" billet should report the MSgt. as one of their positions in their FISMA Report to the J-6. Every joint billet is supported by one of the Components, so in this case, the Marine Corps is responsible to provide an appropriately certified Marine for the IA position. However, the Joint Staff or Combatant Command is responsible to fill that billet with a qualified person and report for FISMA. Note joint billets should be identified in the e-Joint Manpower and Personnel System (e-JMAMP).

Note that in all cases, the operational management of the IA workforce (the IAM) for all systems must know their IA positions and the qualifications of the people filling them.

For End Strength Reporting: Components must track their personnel against authorized end strength. They must also track each persons' IA qualifications (no mater what their current position assignment). End strength is people-driven. For end strength, only count a person one time. Each person's IA certification/qualification should be maintained whether or not they are currently in an IA position.
Back to top

What support can the Office of the DoD CIO offer to Components to plan for 8570 implementation?

For FY07-FY10, the DoD CIO has included funding in the PDM to support initial implementation requirements, including certifications exams and personnel database updates for DoD military and civilian IA Workforce members. (Note: Funding via the PDM does NOT include training; Components should already have IA training in their budgets and ensure appropriate training is provided for certification exam preparation.)

Starting in FY11, DoD Components must individually budget and pay for DoD military and civilian IA Workforce members’ required certifications as well as include IA WIP sustainment requirements in their budget plans.

Defense-wide Information Assurance Program (DIAP) personnel are available to provide briefs and to support regional or major command workshops for 8570 implementation planning. You are strongly encouraged to work within your Component Human Resources and IA operations leadership to establish a plan for meeting the requirements outlined in DoD 8570.01 and DoD 8570.01-M.
Back to top

Will the training and certification requirements specified in DoD Directive 8570.01 and 8570.01-M replace Component, Command or community-specific training and certification requirements?

No. The 8570 provides a DoD enterprise-wide IA knowledge and skills baseline. You are still required to comply with relevant Component, command, or community-specific requirements for IA training and/or certification.

Components may require personnel performing IA job functions to complete specific certifications in addition to those identified in the Manual. Confirm with your direct supervisor or IA leadership that you are categorized and certified at the right level and meet the appropriate Component-specific requirements.
Back to top

Have the National Unions agreed to support these requirements?

Yes. As part of the DoD’s formal staffing process, USD P&R conducted a "national consultation" (NCR) in which the unions had an opportunity to comment on the Manual. The National Unions either made no comment or were supportive of the IA WIP.
Back to top

What role can the local unions play in the IA WIP?

The National Consultation (NCR) does not absolve local parties from fulfilling their local bargaining obligations as appropriate prior to implementation of DoD policy. They can participate in the planning for meeting the IA WIP requirements for the Civilian IA Workforce. The local union cannot negotiate the actual implementation requirements.

For example:

Who needs to be certified is non-negotiable.
Order/priority to certify the local IA Workforce may be negotiated.
The number of retests the organization will fund may be negotiated.

What are the contractor certification implementation requirements?

Contractors performing IA functions on a DoD system must meet the certification requirements established in the DoD 8570.01-M for the category and level functions in which they are performing. As with the military and civilian IA workforce, contractors have till December 2010 to meet the requirements of the 8570.01-M. The requirement is for 10% to be certified in the first year and 30% each year following. Other specific requirements from the Manual include:

For new contracts, contractor personnel supporting IA functions outlined in Chapters 3, 4, 10 and 11 should be appropriately certified in accordance with the overall five-year implementation schedule. This means the contract should include the requirement for the contractor personnel to meet the overall 10%, 30%, 30%, 30% certification requirements, depending on which year the contract starts. Requirements by calendar year:
- Starting in CY07 – 10% in '07, 30% in '08, 30% in '09, and 30% in CY10.
- Starting in CY08 – 40% in '08, 30% in '09, and 30% in CY10.
- Starting in CY09 – 70% in '09, 30% in CY10.
- Starting in CY10 – 70% at contract award, 100% by the end of CY10.
The contracting officer will ensure that contracting personnel are appropriately certified. In the future, they will need to provide verification to the Defense Eligibility Enrollment System (DEERS).
Components should not pay for contractors to obtain/retain required certifications. However, Components may provide additional training on local or DoD-specific system procedures. (See "Has the DoD developed standard contract language for IA WIP requirements?" for additional guidance on contractor implementation requirements.)

Has the DoD developed standard contract language for IA WIP requirements?

The DoD Chief Information Officer (CIO) has coordinated with the Undersecretary of Defense for Acquisition, Technology, and Logistics (AT&L), Defense Acquisition Regulations (DARs) Council to include language in the Defense Acquisition Regulations (DFARS).
Back to top

How can Components address the requirements for contractors to be certified under the DoD 8570?

In general, Components must ensure that 10% of contractors are certified in CY07 and 30% of contractors are certified each subsequent year attaining 100% certification status by the end of CY10.
There are a variety of ways Components can operationalize this requirement. After reviewing and assessing current IA support contracts and considering new requirements, renewal/expiration dates, the contractor implementation requirements described above, and length of current contracts, Component should plan on one of the following:

Incrementally comply based on expiration/renewal dates for existing contracts
Modify existing contracts to comply with the implementation requirements
Include IA WIP requirements in requests for proposals (RFPs) for new contracts based on the percent of the IA workforce impacted by the contract. (See response to "Has the DoD developed standard contract language for IA WIP requirements?")

Certification Questions

Who needs to be certified?

Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual.

The training, certification, and workforce management requirements of 8570.01-M apply to all members of the DoD IA workforce, including military, civilians, local nationals, Non-appropriated fund (NAF) personnel, and contractors. The requirements apply whether the duties are performed full-time, part-time, or as an embedded duty. (See "How do I identify the IA Workforce?" for more information.)
Certification requirements also exist for members of the workforce who perform system design functions such as System Architecture and Engineering (IASAE) and Computer Network Defense (CND) Service Providers. See Chapters 10 and 11 of the Manual for more information on these positions and their requirements.
Back to top

Who pays for the certifications?

For FY07-FY10, the DoD CIO has included funding in the PDM to support initial implementation requirements, including certification exams and personnel database updates for DoD military and civilian IA Workforce members. (Note: Funding via the PDM does NOT include training; Components should already have IA training in their budgets and ensure appropriate training is provided for certification exam preparation.)

The Government cannot pay for contractor certifications or certification preparation training.
Back to top

How long do I have to become certified?

Components are required to have all identified IA personnel certified to the baseline requirement within five years of the Manual's publication, which was in December of 2005. Calendar year (CY) 2006 is the planning year to develop Component and local IA Workforce Improvement Program (IA WIP) implementation plans. The Manual requires 10 percent of the IA workforce to become certified in CY07 and an additional 30 percent each year following. By the end of CY 2010, all personnel performing IAT and IAM functions as described in the DoD 8570.01-M should be certified. By the end of CY 2011, all personnel performing CND-SP and IASAE roles as described in the DoD 8570.01-M should be certified.
Back to top

What can I do now to prepare for certification requirements?

Information Assurance Technical (IAT) and IA Management (IAM) personnel are strongly encouraged to complete DoD training available internally (e.g., Service Schoolhouse IA courses, DISA Web-based training) or external training currently supported by your Component for courses with learning objectives directly aligned to baseline certifications outlined in the Manual. Contact your Components IA Workforce OPR POC for more information.
Back to top

Do I have to take the training associated with a certification, or can I just take the test?

Under DoD Directive 8570.01 and as specified in DoD 8570.01-M, you are not required to take specific training to prepare for the certification test. However, you should be able to demonstrate the ability to pass the test (e.g., take and pass a "pre-test" or assessment exam). Your IAM should verify that you are prepared to take the certification exam before authorizing you to request an exam voucher.
Back to top

What is the DWCA?

DWCA stands for Defense Workforce Certification Application. This is the authoritative database of DoD Military, Civilian and Contractor personnel who hold active 8570 certifications used by the DoD CIO office to validate, monitor and report on the certification status of certified IA workforce members.

IA members who currently hold an 8570.01-M approved certification should access the DWCA Web site and register their certification by entering their name and certification information, and authorizing its release to the certification provider of their certification for verification. Once the information has been submitted by a certified individual, an email will be sent to the certification provider asking them to verify certification status. Once the certification provider verifies the certification status with their company, the certified individual will show up as "validated" in the DWCA system and to the DoD CIO office.

For military and civilian personnel, registering your certification(s) in the DWCA will also ensure that any maintenance fees associated with the certification can be paid for by the DoD (until 2011). Because the DWCA is the only authoritative database for the certification status of IA professionals, only those individuals who are correctly registered in it will have their annual maintenance fees paid for.
Back to top

Once I become certified, what do I do?

Register and release all your certifications in the Defense Workforce Certification Application (DWCA): https://www.dmdc.osd.mil/appj/dwc/index.jsp. This is the authoritative database for all DoD Military, Civilian and Contractor personnel who hold active 8570 certifications. By releasing your certification(s) in the DWCA, you ensure that the DoD is aware of your certification status and that the information can be validated by the certification providers (e.g. ISC2, SANS, ISACA, CompTIA). For military and civilian personnel, registering your certification(s) in the DWCA will also ensure that any maintenance fees associated with your certification can be paid for by the DoD (until 2011).

In addition to registering your certification in the DWCA, you should also notify your Component's IA Workforce personnel point of contact to make certain that your certification status is properly documented in all your Component's personnel databases of record. The Manual also requires IATs to obtain a local operating system certification in addition to the baseline requirements. Your Component POC should be able to assist you in identifying and meeting any additional requirements of your Component.

You will need to maintain your certification status by completing continuous learning requirements as defined by your respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). You are encouraged to monitor current certification provider activity to see if they have imposed additional continuous learning requirements.
Back to top

I already hold a certification listed in DoD 8570.01-M; what more will I need to do?

Register and release your certifications in the Defense Workforce Certification Application (DWCA): https://www.dmdc.osd.mil/appj/dwc/index.jsp. This is the authoritative database of all DoD Military, Civilian and Contractor personnel who hold active 8570 certifications. By releasing your certification(s) in the DWCA, you ensure that the DoD is aware of your certification status and that the information can be validated by the certification providers (e.g. ISC2, SANS, ISACA, CompTIA). For military and civilian personnel, registering your certification(s) in the DWCA will also ensure that any maintenance fees associated with your certification can be paid for by the DoD (until 2011).

How do my annual maintenance fees get paid?

For military and civilian personnel, registering your certification(s) in the Defense Workforce Certification Application (DWCA) is the only way to ensure that any maintenance fees associated with the certification can be paid for by the DoD (until 2011). Because the DWCA is the only authoritative database for the certification status of IA professionals, only those individuals who are correctly registered in it will have their annual maintenance fees paid for.
Back to top

If I fail a certification, can I retake the exam?

Yes. The 8570.01 and 8570.01-M do not set a limit on the number of times a person may attempt to qualify for certification. Components must support at least one retest attempt but may enforce a limit on the number of additional retests they will fund. If the individual's Component has set a limit on the number of retest attempts, an individual may take a subsequent test at their own expense. If they qualify for certification, then they would qualify to fill an IAT or IAM position (assuming they meet the other requirements such as background investigation, OJT, etc.). Remember, after CY 2010, a DoD military or civilian employee that has not completed the requirements and certifications outlined in the 8570.01 Manual is not authorized to fill an IAT or IAM billet.
Back to top

Can DoD use appropriated funds for military or civilian personnel to take commercial certification exams?

Yes. Chapter 101 of Title 10, United States Code has been amended to permit Services to use appropriated funds to pay for commercial certifications (tests) for uniformed personnel. The FY06 DoD Appropriations Bill gives uniformed personnel parity with civilians.
Back to top

What qualifies as continuous learning?

Continuing education requirements and acceptable continuous learning activities vary based on certification provider. Certification providers determine the specific training and other activities that qualify for continuous learning credit. The minimum continuous learning requirement for certifications included in DoD 8570.01-M is 40 hours annually or 120 hours over a three-year period. Contact your certification provider to find out more.
Back to top

Other Information

I want more information; who can I talk to?

For more information about DoD Directive 8570.01, the 8570.01-Manual, or the enterprise-wide training and certification initiative, contact the IASE Helpdesk.
Back to top

How do I submit suggestions or new ideas for inclusion in the IA WIP?

DoD 8570.01 Directive and DoD 8570.01-M established the DoD IA Workforce Improvement Program Advisory Council as well as sub-committees focused on training, workforce management and certification. The Council and three committees work to keep the requirements of the IA WIP current by making appropriate updates and improvements. Each major DoD Component is represented by at least one voting member to the Council and the three committees. Each representative has the role of gathering input from their Component's IA WF to submit to the Committees and Council. Contact your Component's Office of Primary Responsibility Point of Contact to provide direct feedback.
Back to top