DoD 8570.01-M Revision some updates

Just an FYI for the field.

Highlights -

CASP approved IAT II, III & IASE I,II

GSE & GSIF are no longer part of approved baseline. But will be gradfathered.

GCFA & CSSLP are under review for addition to the baseline.

The CompTIA Advanced Security Professional (CASP) certification (ISO 17024 accredited) was approved to be added to the DoD baseline list for IAT level III, IAM II, and IASAE level I and II during the 24 January 2013 Defense Information Assurance Program (DIAP) Certification Committee meeting. CASP targets the IT security professional with a minimum of 10 years' experience in IT administration and at least 5 years of hands-on technical security experience. Once the certification is added to the DISA Information Assurance Support Environment baseline certification table, (at: DoD 8570 Information Assurance Workforce Improvement Program), it will be official. Meanwhile, personnel may commence studying for this certification. Go to CompTIA Advanced Security Practitioner certification, CASP certification for more information.

Baseline certifications: GIAC Security Expert (GSE) and GIAC Information Security Fundaments (GISF) were reviewed and neither certification is American National Standards Institute (ANSI) accredited there-fore both will be removed from the DoD approved baseline list. DoD will develop and implement a grandfather clause that will be put into place for anyone who currently holds either certification.

Certifications currently under review by the Institute for Defense Analysis for possible additions to 8570.01-M are the ISC2 "Certified Secure Software Lifecycle Professional" (CSSLP) and "GIAC Certified Forensic Analyst" (GCFA).

DoD 8570.01-M Revision meeting: At the 24 Jan 2013, DoD 8570.01-M Revision meeting, the DIAP re-ported that they are still in the process of adjudicating comments for DoDD 8140.aa. The DoD policy will align as close as possible to the National Initiative for Cybersecurity Education (NICE) workforce frame-work of categories and specialty areas workforce roles.

DoD Risk Management Framework (RMF) Training Advisory Group (TAG): The DoD TAG has recently held four meetings to discuss how DIACAP is moving to the Risk Management Framework (RMF), the new roles in the draft DoDI 8510, and how these roles should be integrated into the 8570.01-M. The team is working closely with the DIAP 8570.01-M Revision Working Group to ensure knowledge, skills, abilities, and competencies are consistent.

Find more posts tagged with

Comments

coty24

Good read man, I see CompTIA is making their move with the CASP....

broli720

I knew it was only a matter of time but I still want my CISSP though. Should know by next weekend.

JDMurray

DISA will publicly announce the changes here: DoD 8570 Information Assurance Workforce Improvement Program

mog27

Worth getting a CASP now even if already have CISSP?

JDMurray

It looks like CISSP covers all of the categories that CASP does except for IAT II, which is covered by Security+. So it still looks like having both the CISSP and Security+ still covers most of the bases. Throw in A+ or N+ and CEH and you've just about got the Full Monty 8570.01-wise.

spiderjericho

The CASP was such an easy exam but if they want to make that IAT 3, great. But CISSP seems to be the one that covers all the bases, despite its dubiousness.

I don't go flaunting I have it (I think it's overrated). But I'll never forget this civilian waving it around like a badge to this IAM as if it added credibility to some points he was making.

JDMurray

spiderjericho wrote: »

The CASP was such an easy exam but if they want to make that IAT 3, great.

For 8570.01, I would regard CASP and SSCP as equivalents, making them both IAT II, and also take Sec+ out of IAT II. I would then require A+ or N+ AND Sec+ for IAT I. That seems to be a better distribution of cert levels to me.

Humbe

spiderjericho wrote: »

But I'll never forget this civilian waving it around like a badge to this IAM as if it added credibility to some points he was making.

I haven't been lucky enough to have an encounter with one of those individuals. Only had one once saying he had the certification when in reality he knew nothing about security. Quite funny the bust.

docrice

I once interviewed an individual who had the CISSP logo branded onto his resume (the same one you're using as your avatar at the present, Humbe). I thought that was special. He didn't quite meet up to our expectations, but he had interest in the field and wasn't totally clueless.

colemic

Experts say DoD cyber workers undertrained | Federal Times | federaltimes.com appears that they are finally realizing the mess they've created by allowing paper tigers to literally flood their workplace and run and secure their networks. I hope to see a total revampment in the future regarding 8570.

AnthonyF

Well all those paper tigers are vested in the GOV so the changes will probably take over a decade maybe two or longer. The only way around is to create new slots, I think they are using that method to meet the goals.

It still does not address the fact that we do not produce enough baseline cyber trained individuals annually. A great deal, if not all the instruction and training is outsourced to SANS to accomplish the baseline (I can only speak for the Army). Example - https://www.sans.org/cyber-guardian/

Do not look for too much out of 8570. The same people who are writing it are building/maintaining empires, political clout, funding streams and rely too much on the existing system to change it quickly.

I have seen this game before. Everyone is after "CYBER" dollars and will do anything to get them. The more things change the more they stay the same...

Just my two cents...

docrice

If I had a nickel for every time "cyber" is mentioned in the article...

"We're rewriting essentially all of the cyber workforce policy, so we are going to have an overarching cyber workforce policy that will include all of the cyber skills including cyber defenders, cyber attackers, malware analysts, all that stuff," Hale said. "Then we will rewrite specific manuals underneath each."

JDMurray

Hey, Cyber is sexier than Non-kinetic Force Application.

It's amusing to ponder that the term "cyber" was originally coined to describe man-machine control interfaces, such as keyboards and gimbles. A very kinetic origin for the term "cyber" indeed.

the_Grinch

This build up is really no different then the Air Marshal build up after 9/11. They were taking just about anyone, arming them, and putting them on a plane. Swarms of issues that at this point appear to finally be worked out...sadly took almost a decade to fix.

MrHoward

JDMurray wrote: »

For 8570.01, I would regard CASP and SSCP as equivalents, making them both IAT II, and also take Sec+ out of IAT II. I would then require A+ or N+ AND Sec+ for IAT I. That seems to be a better distribution of cert levels to me.

As I read it the higher IAT and IAM certs cover the lower levels.

Higher level IAT and IAM certifications satisfy lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell. For example:
The A+ or Network+ certification qualify only for Technical Level I and cannot be used for Technical Level II positions.

The System Security Certified Practitioner (SSCP) certification qualifies for both Technical Level I and Technical Level II. If the individual holding this certification moved from an IAT Level I to an IAT Level II position, he or she would not have to take a new certification.

source: DoD 8570 Information Assurance Workforce Improvement Program

JDMurray

Sure, but the Level I certs should be easier to study for than the Level II and III certs. Someone at Level I would likely be quicker to certify going for Security+ rather than the SSCP or CASP, although the current Security+ exam is not an easy study for people new to InfoSec.

dknight2112

As I understand this, most of the certification tests still warrant classroom and/or robust e-learning. However, I wonder how it will effect on-the-job training when preparing for certification.

@ Anthony: What would be enough to produce enough baseline cyber-trained individuals annually?