DoD Directive 8570 to change again :|

broli720

As stated in the subject, the 8570 will be renamed and refocus to include security for industrial controls systems (ICS). This is a major change in critical infrastructure protection for many organizations and customers of the DoD.

My my source is Michael Chipley who presented this information at the 9th Annual ICS Summit that I'm currently attending this week.

Also DIACAP will be replaced by the Risk Management Framework.

http://www.govinfosecurity.com/dod-switching-to-new-risk-framework-a-6647

da_vato

I heard this was coming last year but that was all I could get out of the conversation. Do you have any other info?

zxbane

I've been hearing about the RMF as well and how it will replace DIACAP.. I wonder how long it will actually take for the transition to happen though

broli720

The only information I have is that they plan to make the change sometime this spring or early summer. The speaker was apparently on the advisory committee or board that's handling this for the 8570.

The RMF transition is allegedly suppose to take 3 years.

da_vato

holy cow! thats quick for the gov.... where I work some of the base still has not fully caught up to 8570. This is going to be fun watch over here.

colemic

Any word on what specific changes will be made to 8570, specifically? I am marginally aware of the RMF but haven't studied it to see if it has a cert requirement portion or if that will be bolted on. Personally I am glad to see they are seeing that the current 8570 didn't have the desired effect they envisioned it to, and are making (hopefully) positive changes to make it more relevant.

JDMurray

DoDD 8570.01 was suppose to be replaced by the new DoDD 8140 in December 2013, but it didn't happen. I've been keeping an eye out for it at the DoD Directive Web site, but there's nothing published yet.

BlackBeret

This was a topic on a recent SANS webcast that I missed. I'm not active on their site often but if someone else is you may be able to find the archive.

NovaHax

I'm actually surprised we haven't seen this sooner. While we are on the topic...does anybody know of any decent Industrial Controller security training programs or certification tracks? I'd definitely be interested.

JDMurray

SANS Webcast Archive

zxbane

JD,

Thanks for the link, out of curiosity, are the Webcasts free to anyone who registers on the SANS website?

JDMurray

Yes, the SANS Webcasts are free to anyone registered on sans.org. The Webcasts are sometimes native or overt advertising for some product or service, or house ads for SANS courses, but the learning value is usually top-notch regardless.

broli720

NovaHax wrote: »

I'm actually surprised we haven't seen this sooner. While we are on the topic...does anybody know of any decent Industrial Controller security training programs or certification tracks? I'd definitely be interested.

While at the conference, SANS rolled out their GICSP which is geared for cyber security for industrial control systems. From what I gathered, it tries to bridge the gap between control systems engineers and IT security. Not something I'll be pursuing, but you may be interested.

GIAC Forensics, Management, Information, IT Security Certifications

wikiget

8140 is supposed to be the catalyst to switch DoD to NICE, but the government is still mapping certs to jobs for the NICE Program.

daviddws

Has anything changed in the last couple months? It would be nice to have a better idea of what requirements are needed for certain positions.

colemic

I would think that from a certification perspective, you should keep on trying to get certs that are relevant for the tier you work for/want to work for. It will be changed up some, but there will almost certainly still be a cert requirement for most (if not all) positions. You will still be ahead from the knowledge you gain, even if the cert you are shooting for isn't on the list, and most likely one that is very similar will be.

...which makes me wonder, how mad would some people be, if the CISSP they had to get to keep their job, wasn't on the list anymore. Won't happen but funny to ponder.