DoD Directive 8570.1 Changes Everything
Last night I attended my local ISSA-NoVA meeting. I listened to Steven Busch from the Defense-wide Information Assurance Program (DIAP). He is a "Change and Workforce Management Senior Managing Consultant" with IBM working on implementing DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management", which I mentioned yesterday. He's also a Marine. (Notice I said "Marine," not "ex-Marine." Even though Mr. Busch is no longer in uniform, I recognize there are no "former Marines.")
I will try to summarize what I heard, with the expectation that Mr. Busch's slides will be posted at the ISSA-NoVA Web site soon. I managed to get related material from this earlier briefing (.pdf, slow). There's also a summary at (ISC)2.
The vision for 8570.1 is the following:
A professional, efficiently managed IA workforce with knowledge and skills to securely configure information technology, effectively employ tools, techniques and strategies to defeat adversaries, and proactively identify and mitigate the full spectrum of rapidly evolving threats and vulnerabilities in order to protect the network.
After reading my comments, you may agree that the implementation of 8570.1 will not meet this vision.
8570.1 will apply to anyone with privileged access (e.g., system administration) to DoD systems, to include uniformed military personnel, civilians, and contractors. The following chart summarizes 8570.1 (incorrectly called "8570" below) and 8570.1-M, the Manual which was signed on 19 December 2005 and provides implementation guidance.
Essentially, to administer a DoD system, military, civilian, and contractor operators will have to attain these goals:
- Vendor-neutral security certification
- Vendor-specific platform certification
- On-the-job training
Before I discuss the approved certifications, let's look at the people affected by these requirements.
The slide shows two existing tracks. One is an IA Technical Category (for system and network administrators) and the other is an IA Management Category. Now let's see the certification list as displayed last night.
The Tech I and Management I categories are the bottom of the pyramids shown previously, while the IIIs are the top of the pyramids.
Let's break out those acronyms, since I didn't recognize all of them. First, the certifications for technical people:
- A+: CompTIA's basic system administration cert
- Network+: CompTIA's basic network administration cert
- TICSA: TruSecure ICSA (formerly International Computer Security Association) Certified Security Associate; never encountered this before
- SSCP: Systems Security Certified Practitioner, an (ISC)2 certification that just received ANSI accreditation -- a requirement for all of the vendor-neutral certifications
- GSEC: GIAC (Global Information Assurance Certification, formerly Global Information Assurance Center) Security Essentials Certification, a SANS entry-level certification
- Security+: basic security; why is Security+ here, and come to think of it, why are A+ and Network+ listed earlier as security certifications?
- SCNP: Security Certified Network Professional, offered by the Security Certified Program; never even heard of them
- CISSP: Certified Information Systems Security Professional from (ISC)2, which is also ISO/IEC 17024 certified. All of these certifications need to be ISO compliant, but I do not think they all presently are compliant.
- SCNA: Security Certified Network Architect, another SCP cert I've never seen before
- CISA: Certified Information Systems Auditor, offered by the Information Systems Audit and Control Association (ISACA); also ANSI-certified.
- GSE: GIAC Security Expert; this is a SANS cert held by five people. It is absolutely ridiculous to put the tech-less CISSP in the same category as the GSE, which requires "five intermediate level GIAC certifications" and "3 days of testing!"
Here are the certifications for managers, only listing those not covered above:
- GSLC: SANS GIAC Security Leadership Certification
- GISO: SANS GIAC Information Security Officer; this is already obsolete, replaced by the GSLC or GISF
- CISM: Certified Information Security Manager, another ISACA cert
The list will not necessarily be used by everyone in DoD. The DoD components can choose the certs on this list that they will accept. They cannot independently add certs to the list, although the oversight board managing this program for DoD can add new certs in the future.
You are probably wondering about the vendor-specific certification requirements. Mr. Busch explained that if a person administers Microsoft systems, they will need Microsoft certification. If they are a Cisco network admin, they will need Cisco certification. He admitted they have "not done much" yet in this area.
Earlier I reported on this story which inaccurately states the following:
[DoD] requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.
That is patently not true. When I first read that statement, I thought I understood why Alan Paller was upset. Now that I see there are some SANS certifications accepted by DoD, I realize he is more upset by DoD's choice of certifications. I agree with him.
Essentially, if you have your CISSP, you have the "golden ticket" for technical or managerial work in DoD. While that might be appropriate for management, it is absolutely worthless for operators. This DoD program is not going to result in any better security if the emphasis is placed on certs that have little or no technical relevance.
There may be benefit to having vendor-specific certs. Someone responsible for administering Solaris, Red Hat, or Cisco products is probably going to benefit from those programs. Unfortunately, DoD seems to be treating these programs as an afterthought.
One audience member asked Mr. Busch what he should tell an admin he knows who works on Oracle, Microsoft SQL, Solaris, and a slew of other applications and operating systems. Mr. Busch replied "Most DoD components don't have that many OS' in one environment." This will be a real shock to the people on the front lines!
DoD plans to collect "IA performance data" to "measure the effectiveness" of this program. I would like to see if the people they consider "certified" (and they want 10% of the force ready by 30 Dec 06) are any more capable than the uncertified crowd.
I also wonder why DoD didn't leverage the CERT®-Certified Computer Security Incident Handler (CSIH) certification program. It's practically DoD already, is vendor-neutral, has been around for a long time, and appears to cover the subjects I would want to see in DoD security people.
There are some aspects of this program that I think are beneficial, without reservations. Mr. Busch said DoD is trying to include IA training within Professional Military Education, such as that found at the war colleges. This is a great idea and I would be interested in helping with that program. People with IA certifications will also be tracked DoD-wide, and IA will be treated less as an "additional duty" and more of a professional obligation.
Crucially, Mr. Busch recognizes that receiving training helps retention. Someone during the ISSA meeting asked what DoD will do when it trains its people and then watches them separate from the service. That attitude absolutely infuriates me. The alternative means keeping untrained people in place, because they have no marketable skills? That is completely idiotic. I argued with a colonel at the Pentagon about this when I was a captain.
I would like to hear your thoughts on this program. Overall, I think the intentions are good, but the selection of certs is on the whole misguided. I also hope to hear more details from Alan Paller, who seems to have a good grasp on this issue.
Comments
What strikes me as ironic is that I feel that this is actually going to cheapen the certification. Any time you have a mass of people getting certified simply because “they have to” it doesn’t usually end well for the certification itself. You’ll have a lot of people going to bootcamps and going through the motions simply to get the initials after their name. (Actually, I think we have that with the CISSP now, but that’s another story). We all see how well this worked out for the MCSE certification and the respect it has earned in the community.
I don’t think a specific certification should be the answer. It inspires an attitude of “I made it, now I can relax”, and this is bad for everyone involved. Now for the grand, “it will never happen”, “is he out of his mind?” idea. Continuing education is the way to go, though it would have to be modified from the way that it stands now. Any program offering CPEs should need to get certified and then grade people on how they did when taking the course/session. It could be pass/fail, for those where attendance was enough, or you could have exams to see how well you are picking up the material. All you need is an association of some sort to manage your transcripts so that potential employers could see your capabilities. “I see you failed every training session you attended that dealt with firewalls, maybe the firewall administrator position isn’t right for you.” But doing this would at least allow you to see how committed a person is, and that’s far more important than any specific knowledge he may have at the time. A committed person will learn whatever he/she has to, and keep doing so.
Now there are many things wrong with this. Privacy being one, especially if you have some clearinghouse association to manage all this. But it’s not the grand idea that’s at fault, it’s the notion of what we are trying to achieve. People want an opportunity to opt out of doing the kind of things that should be required when managing IT people or resources. A capable IT manager can pretty easily tell when he is talking with someone that doesn’t quite "get it". If your sole measure of someone’s ability is whether or not that person has a certification then maybe you aren’t the person who should be managing, perhaps it’s YOUR job that should be advertised. There is no magical thing that will tell you how good (or bad) someone may be. Technology changes so fast that you have to keep learning. You, Richard, are knowledgeable about NSM, but how long would it be before you would be considered ignorant if you stopped researching, reading, learning? Not long, and yet this is the same kind of attitude that certifications create. Yes, I know the CISSP has a continuing education element, but how many people are simply going through the motions? How much do you think they are getting out of it when they are simply just trying to maintain the CISSP? Contrast this with someone who reads constantly, loves what he/she does, and learns. There’s no certification for commitment, but I’ll take the latter, thank you.
Triple Canopy and Blackwater can be the mercenaries, oops I mean infantry.
Listing the CISA (Certified Information Systems Auditor) cert as technical is just nuts. I've earned both the CISSP and CISA, and the CISA actually covers *less* technical subject matter. It's about auditing processes, procedural controls, staff roles, etc. -- all management-level stuff -- and not even the basic cryptography or networking info that the CISSP covers.
Conversely, the A+ is purely low-level technical info for PC repair and help desk folk. It barely mentions security, and only in the sense of file permissions. The Network+ is a bit more relevant, but it too barely mentions security. I've earned both, and while they have value in other contexts, they aren't worth mentioning for security. That's what the Security+ was designed for.
Some more appropriate certs that are notably missing are those sponsored by the National Security Agency (NSA) in "INFOSEC Assessment Methodology (IAM)" and "INFOSEC Evaluation Methodology (IEM)". (See http://www.nsa.gov/releases/relea00038.cfm and http://www.iatrp.com). They're not only recognized by the feds, but created by them, so why not include them?
Pregnancy tests are harder to pass than the TICSA.
BTW, the INFOSEC question is really good. Why wouldn't the DoD follow NSA guidelines? I think that it could boil down to suspicions and the will to create "their own" system at the DoD. The DoD doesn't perceive it as "we are just building on their prior work," it is instead seen as a loss of control over their procedures. That's unfortunate, but I also think that if you had a resume with a few NSA-approved certifications, that would not hinder your application. For those already working for DoD, they may have been jumping the gun and getting some of the NSA certs, but now they will need to focus on the DoD list.
Ray Aragon
INFOSEC
That depends on how you define pass/fail!! It probably depends on perspective. :D
Includes comparisons between: GSEC, CISSP, CISA
http://www.isaca-washdc.org/presentations/jan2007-monthly_slides_pm.ppt
Those are a copy of the slides, George keeps them updated.
Rob Floodeen