Friday, January 20, 2006

DoD Directive 8570.1 Changes Everything

Last night I attended my local ISSA-NoVA meeting. I listened to Steven Busch from the Defense-wide Information Assurance Program (DIAP). He is a "Change and Workforce Management Senior Managing Consultant" with IBM working on implementing DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management", which I mentioned yesterday. He's also a Marine. (Notice I said "Marine," not "ex-Marine." Even though Mr. Busch is no longer in uniform, I recognize there are no "former Marines.")

I will try to summarize what I heard, with the expectation that Mr. Busch's slides will be posted at the ISSA-NoVA Web site soon. I managed to get related material from this earlier briefing (.pdf, slow). There's also a summary at (ISC)2.

The vision for 8570.1 is the following:

A professional, efficiently managed IA workforce with knowledge and skills to securely configure information technology, effectively employ tools, techniques and strategies to defeat adversaries, and proactively identify and mitigate the full spectrum of rapidly evolving threats and vulnerabilities in order to protect the network.

After reading my comments, you may agree that the implementation of 8570.1 will not meet this vision.

8570.1 will apply to anyone with privileged access (e.g., system administration) to DoD systems, to include uniformed military personnel, civilians, and contractors. The following chart summarizes 8570.1 (incorrectly called "8570" below) and 8570.1-M, the Manual which was signed on 19 December 2005 and provides implementation guidance.

Essentially, to administer a DoD system, military, civilian, and contractor operators will have to attain these goals:

  1. Vendor-neutral security certification

  2. Vendor-specific platform certification

  3. On-the-job training

Before I discuss the approved certifications, let's look at the people affected by these requirements.

The slide shows two existing tracks. One is an IA Technical Category (for system and network administrators) and the other is an IA Management Category. Now let's see the certification list as displayed last night.

The Tech I and Management I categories are the bottom of the pyramids shown previously, while the IIIs are the top of the pyramids.

Let's break out those acronyms, since I didn't recognize all of them. First, the certifications for technical people:

  • A+: CompTIA's basic system administration cert

  • Network+: CompTIA's basic network administration cert

  • TICSA: TruSecure ICSA (formerly International Computer Security Association) Certified Security Associate; never encountered this before

  • SSCP: Systems Security Certified Practitioner, an (ISC)2 certification that just received ANSI accreditation -- a requirement for all of the vendor-neutral certifications

  • GSEC: GIAC (Global Information Assurance Certification, formerly Global Information Assurance Center) Security Essentials Certification, a SANS entry-level certification

  • Security+: basic security; why is Security+ here, and come to think of it, why are A+ and Network+ listed earlier as security certifications?

  • SCNP: Security Certified Network Professional, offered by the Security Certified Program; never even heard of them

  • CISSP: Certified Information Systems Security Professional from (ISC)2, which is also ISO/IEC 17024 certified. All of these certifications need to be ISO compliant, but I do not think they all presently are compliant.

  • SCNA: Security Certified Network Architect, another SCP cert I've never seen before

  • CISA: Certified Information System Auditor, offered by the Information Systems Audit and Control Association (ISACA); also ANSI-certified.

  • GSE: GIAC Security Expert; this is a SANS cert held by five people. It is absolutely ridiculous to put the tech-less CISSP in the same category as the GSE, which requires "five intermediate level GIAC certifications" and "3 days of testing!"

Here are the certifications for managers, only listing those not covered above:

  • GSLC: SANS GIAC Security Leadership Certification

  • GISO: SANS GIAC Information Security Officer; this is already obsolete, replaced by the GSLC or GISF

  • CISM: Certified Information Security Manager, another ISACA cert

The list will not necessarily be used by everyone in DoD. The DoD components can choose the certs on this list that they will accept. They cannot independently add certs to the list, although the oversight board managing this program for DoD can add new certs in the future.

You are probably wondering about the vendor-specific certification requirements. Mr. Busch explained that if a person administers Microsoft systems, they will need Microsoft certification. If they are a Cisco network admin, they will need Cisco certification. He admitted they have "not done much" yet in this area.

Earlier I reported on this story which inaccurately states the following:

[DoD] requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

That is patently not true. When I first read that statement, I thought I understood why Alan Paller was upset. Now that I see there are some SANS certifications accepted by DoD, I realize he is more upset by DoD's choice of certifications. I agree with him.

Essentially, if you have your CISSP, you have the "golden ticket" for technical or managerial work in DoD. While that might be appropriate for management, it is absolutely worthless for operators. This DoD program is not going to result in any better security if the emphasis is placed on certs that have little or no technical relevance.

There may be benefit to having vendor-specific certs. Someone responsible for administering Solaris, Red Hat, or Cisco products is probably going to benefit from those programs. Unfortunately, DoD seems to be treating these programs as an afterthought.

One audience member asked Mr. Busch what he should tell an admin he knows who works on Oracle, Microsoft SQL, Solaris, and a slew of other applications and operating systems. Mr. Busch replied "Most DoD components don't have that many OS' in one environment." This will be a real shock to the people on the front lines!

DoD plans to collect "IA performance data" to "measure the effectiveness" of this program. I would like to see if the people they consider "certified" (and they want 10% of the force ready by 30 Dec 06) are any more capable than the uncertified crowd.

I also wonder why DoD didn't leverage the CERT®-Certified Computer Security Incident Handler (CSIH) certification program. It's practically DoD already, is vendor-neutral, has been around for a long time, and appears to cover the subjects I would want to see in DoD security people.

There are some aspects of this program that I think are beneficial, without reservations. Mr. Busch said DoD is trying to include IA training within Professional Military Education, such as that found at the war colleges. This is a great idea and I would be interested in helping with that program. People with IA certifications will also be tracked DoD-wide, and IA will be treated less as an "additional duty" and more of a professional obligation.

Crucially, Mr. Busch recognizes that receiving training helps retention. Someone during the ISSA meeting asked what DoD will do when it trains its people and then watches them separate from the service. That attitude absolutely infuriates me. The alternative means keeping untrained people in place, because they have no marketable skills? That is completely idiotic. I argued with a colonel at the Pentagon about this when I was a captain.

I would like to hear your thoughts on this program. Overall, I think the intentions are good, but the selection of certs is on the whole misguided. I also hope to hear more details from Alan Paller, who seems to have a good grasp on this issue.


itrelated said...

Nice blog here. Keep up the good work.

Anonymous said...

If you’ve ever criticized a CISSP for not being technically competent you’ll know that to do so would inundate you with responses that the CISSP is not a technical certification. Where’s the outcry here? Why isn’t (ISC)2 standing up and saying that their certification should be used in the manner that it is? They sure would if people were blogging about the deficiencies of the certification.

What strikes me as ironic is that I feel that this is actually going to cheapen the certification. Any time you have a mass of people getting certified simply because “they have to” it doesn’t usually end well for the certification itself. You’ll have a lot of people going to bootcamps and going through the motions simply to get the initials after their name. (Actually, I think we have that with the CISSP now, but that’s another story). We all see how well this worked out for the MCSE certification and the respect it has earned in the community.

I don’t think a specific certification should be the answer. It inspires an attitude of “I made it, now I can relax”, and this is bad for everyone involved. Now for the grand, “it will never happen”, “is he out of his mind?” idea. Continuing education is the way to go, though it would have to be modified from the way that it stands now. Any program offering CPEs should need to get certified and then grade people on how they did when taking the course/session. It could be pass/fail, for those where attendance was enough, or you could have exams to see how well you are picking up the material. All you need is an association of some sort to manage your transcripts so that potential employers could see your capabilities. “I see you failed every training session you attended that dealt with firewalls, maybe the firewall administrator position isn’t right for you.” But doing this would at least allow you to see how committed a person is, and that’s far more important than any specific knowledge he may have at the time. A committed person will learn whatever he/she has to, and keep doing so.

Now there are many things wrong with this. Privacy being one, especially if you have some clearinghouse association to manage all this. But it’s not the grand idea that’s at fault, it’s the notion of what we are trying to achieve. People want an opportunity to opt out of doing the kind of things that should be required when managing IT people or resources. A capable IT manager can pretty easily tell when he is talking with someone that doesn’t quite "get it". If your sole reliance on someone’s ability is whether or not that person has a certification then maybe you aren’t the person who should be managing, perhaps it’s YOUR job that should be advertised. There is no magical thing that will tell you how good (or bad) someone may be. Technology changes so fast that you have to keep learning. You, Richard, are knowledgeable about NSM, but how long would it be before you would be considered ignorant if you stopped researching, reading, learning? Not long, and yet this is the same kind of attitude that certifications create. Yes, I know the CISSP has a continuing education element, but how many people are simply going through the motions? How much do you think they are getting out of it when they are simply just trying to maintain the CISSP? Contrast this with someone who reads constantly, loves what he/she does, and learns. There’s no certification for commitment, but I’ll take the latter thank you.

John Collins said...

Richard I see your point about training military folks too. However, the person who asked about why train people if they will leave has a point too. This is a Catch-22 scenario. Of course you can't keep dummies at the controls, but managers also have concerns of spending thousands of dollars on training and cert cost to just watch people bail out to exchange a $30,000 E-5 paycheck for a $100,000 contractor paycheck. There is a small percentage of people who would stay because of commitment to our great nation, but those are few and far between. Sociology studies of military groups show a majority of enlisted personnel join the military to escape poverty. Flashing big dollar signs at the worker bees along with rejoining the democracy puts retention NCO's and commanders under big time pressure. I don't envy these gals and guys at all. Maybe DoD should implement a retention policy like corporations have with training. If my company pays for me to take a course, I have to commit to them for one year. If I leave before that year is up, the cost is pro-rated and I owe them the difference. Just start tacking on extensions to people who volunteer to go to training. If no one volunteers to go, just contract out the entire military! lol

Triple Canopy and Blackwater can be the mercenaries, oops I mean infantry.

The NetLockSmith said...

I'm a security professional with 4 of the certifications on that list, and I've researched security certifications extensively in the past. I agree wholeheartedly with your comments. I thought it was well-known that the CISSP is not technical, it's management level. It's my understanding that the SSCP (also from ISC^2) is just a lesser version of the CISSP, requiring less experience and less subject matter knowledge, so it shouldn't be considered a technical cert either.

Listing the CISA (Certified Information Systems Auditor) cert as technical is just nuts. I've earned both the CISSP and CISA, and the CISA actually covers *less* technical subject matter. It's about auditing processes, procedural controls, staff roles, etc. -- all management-level stuff -- and not even the basic cryptography or networking info that the CISSP covers.

Conversely, the A+ is purely low-level technical info for PC repair and help desk folk. It barely mentions security, and only in the sense of file permissions. The Network+ is a bit more relevant, but it too barely mentions security. I've earned both, and while they have value in other contexts, they aren't worth mentioning for security. That's what the Security+ was designed for.

Some more appropriate certs that are notably missing are those sponsored by the National Security Agency (NSA) in "INFOSEC Assessment Methodology (IAM)" and "INFOSEC Evaluation Methodology (IEM)". (See and They're not only recognized by the feds, but created by them, so why not include them?

Anonymous said...

I don't that they chose to use a list of certifications for the training baselines. It makes it easier on those responsible for maintaining these baselines by just adding or subtracting certifications, but makes it more expensive for the services. The DOD would be better served by establishing a true set of training requirements and revisiting them annually to ensure that they are still relevant. The training and experience are more important than the piece of paper. The good thing is that training is required and those trained will be tracked to ensure their training will be utilized. The Marine Corps already has a head start on the other services in that it has already established an IA MOS with specialized training and IA assignments. In order to get into this MOS an individual has to be at least a SGT with two years left on contract at the completion of the school, ensuring that those that are trained are more likely to stay in and will be around for a while.

Anonymous said...

Just a note. The TICSA is a ridiculous "security" certification made up by TruSecure. It's a huge joke. It's even a running joke within the ranks at TruSecure (sorry, Cybertrust) about how lame it is.

Pregnancy tests are harder to pass than the TICSA.

Anonymous said...

I dare say that for at least half the population a pregnancy test would be impossible to pass under any circumstances.

Anonymous said...

Practicing for a pregnancy test is also more fun!

BTW, the INFOSEC question is really good. Why wouldn't the DoD follow NSA guidelines? I think that it could boil down to suspicions and the will to create "their own" system at the DoD. The DoD doesn't perceive it as "we are just building on their prior work," it is instead seen as a loss of control over their procedures. That's unfortunate, but I also think that if you had a resume with a few NSA approved certifications I think that would not hinder your application. For those already working for DoD they may have been jumping the gun and getting some of the NSA certs, but now they will need to focus on the DoD list.

Ray Aragon

Anonymous said...

> I dare say that for at least half the population a pregnancy test would be impossible to pass under any circumstances.

That depends on how you define pass/fail!! It probably depends on perspective. :D

Anonymous said...

Some folks mentioned NSA developing certs and guidelines. They also questioned why DOD doesn't follow or accept those. Isn't NSA part of DOD and must comply with the 8570? And shouldn't it have been part of the development?

Anonymous said...

NSA is not part of DOD. NSA is however the best place to receive guidelines on securing government networks. I'm surprised ISSEP (the extension of CISSP) is not on the list.

Richard Bejtlich said...

Then why did exist, and why did the Secretary of Defense control NSA's budget? Has that changed with the DNI? I noticed is gone.

Anonymous said...

Perhaps you are on to something. Agencies that don't follow their own advice; security experts without advanced degrees or any demonstrable proof of knowledge for that which they profess to practice? Poor infosec practice after practice, one network after another run in a slipshod manner? Ask yourself why. There is always a reason, just not the one you would think at first consideration. Start there. RacerX

Anonymous said...

p.s. Also, don't just assign it to gladhanders and wannabes following the money, glomming on to whatever pays at the moment, who would be in advertising if it paid more at the moment. They are just marketing their badges, and are no more effective to infosec than potted plants. It's much deeper than that, although it does play a factor. X

security certifications said...

Good stuff Rich. Here is a great complement to this post.
Includes comparisons between: GSEC, CISSP, CISA

Anonymous said...

For those who seem ignorant, the military DOES require that you stay in a certain amount of time if they pay for certain things (college, etc). The big thing is that you CAN'T escape your time owed, either... it's required. Certs aren't worth much compared to a college degree, particularly since many aren't general (e.g., CCNA, MCSE, etc). A degree means that you will be better able to work on anything in that field rather than a CCNA who may or may not be able to adapt to a Juniper system. CISSP has already turned into one of those certs that people get just because they have to and is already being watered down in value. I'd say try something that's hard but not required, rather than CISSP.

Rob Floodeen said...

CSIH will/is covered by 8570 Chapter 11, Incident Responder.

Those are a copy of the slides, George keeps them updated.

Rob Floodeen