DoD Directive 8570 to change again :|

broli720 Member Posts: 394
As stated in the subject, the 8570 will be renamed and refocused to include security for industrial control systems (ICS). This is a major change in critical infrastructure protection for many organizations and customers of the DoD.

My source is Michael Chipley, who presented this information at the 9th Annual ICS Summit that I'm currently attending this week.

Also DIACAP will be replaced by the Risk Management Framework.


  • da_vato Member Posts: 445
    I heard this was coming last year but that was all I could get out of the conversation. Do you have any other info?
  • zxbane Member Posts: 740
    I've been hearing about the RMF as well and how it will replace DIACAP. I wonder how long it will actually take for the transition to happen, though.
  • broli720 Member Posts: 394
    The only information I have is that they plan to make the change sometime this spring or early summer. The speaker was apparently on the advisory committee or board that's handling this for the 8570.

    The RMF transition is allegedly supposed to take 3 years.
  • da_vato Member Posts: 445
    Holy cow! That's quick for the gov... Where I work, some of the base still has not fully caught up to 8570. This is going to be fun to watch over here.
  • colemic Member Posts: 1,568
    Any word on what specific changes will be made to 8570, specifically? I am marginally aware of the RMF but haven't studied it to see if it has a cert requirement portion or if that will be bolted on. Personally I am glad to see they are seeing that the current 8570 didn't have the desired effect they envisioned it to, and are making (hopefully) positive changes to make it more relevant.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • JDMurray Admin Posts: 12,963
    DoDD 8570.01 was supposed to be replaced by the new DoDD 8140 in December 2013, but it didn't happen. I've been keeping an eye out for it at the DoD Directive Web site, but there's nothing published yet.
  • BlackBeret Member Posts: 683
    This was a topic on a recent SANS webcast that I missed. I'm not active on their site often but if someone else is you may be able to find the archive.
  • NovaHax Member Posts: 502
    I'm actually surprised we haven't seen this sooner. While we are on the topic...does anybody know of any decent Industrial Controller security training programs or certification tracks? I'd definitely be interested.
  • zxbane Member Posts: 740

    Thanks for the link, out of curiosity, are the Webcasts free to anyone who registers on the SANS website?
  • JDMurray Admin Posts: 12,963
    Yes, the SANS Webcasts are free to anyone registered on The Webcasts are sometimes native or overt advertising for some product or service, or house ads for SANS courses, but the learning value is usually top-notch regardless.
  • broli720 Member Posts: 394
    NovaHax wrote: »
    I'm actually surprised we haven't seen this sooner. While we are on the topic...does anybody know of any decent Industrial Controller security training programs or certification tracks? I'd definitely be interested.

    While at the conference, SANS rolled out their GICSP which is geared for cyber security for industrial control systems. From what I gathered, it tries to bridge the gap between control systems engineers and IT security. Not something I'll be pursuing, but you may be interested.

    GIAC Forensics, Management, Information, IT Security Certifications
  • wikiget Member Posts: 75
    8140 is supposed to be the catalyst to switch DoD to NICE, but the government is still mapping certs to jobs for the NICE Program.
    "Once upon a time, disks were floppy, administrators were electricians and computers were louder than jets. Then it all got complicated." -Anon

    Life of a Network Security Manager:
  • daviddws Member Posts: 303
    Has anything changed in the last couple months? It would be nice to have a better idea of what requirements are needed for certain positions.
    Master of Information Systems Management
    M.B.A: Master of Business Administration
  • colemic Member Posts: 1,568
    I would think that from a certification perspective, you should keep on trying to get certs that are relevant for the tier you work for/want to work for. It will be changed up some, but there will almost certainly still be a cert requirement for most (if not all) positions. You will still be ahead from the knowledge you gain, even if the cert you are shooting for isn't on the list, and most likely one that is very similar will be.

    ...which makes me wonder, how mad would some people be, if the CISSP they had to get to keep their job, wasn't on the list anymore. Won't happen but funny to ponder. :)
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008