DIAP: Department of Defense’s Certified Guard
You don’t have to be a certified IT professional to get an information assurance (IA) job in the Department of Defense (DoD). But to keep your IA job, certification is a must.
According to Directive 8570.1 IA Training, Certification and Workforce Management, and its accompanying IA Workforce Improvement Program (IA WIP) manual — which outlines the organization’s IA workforce improvement program policy and procedures — any person charged with securing information must obtain an approved commercial certification from certification providers such as ISACA, CompTIA and (ISC)2.
The DoD falls under the Office of the Secretary of Defense, and personnel performing IA functions on DoD workstations and systems are the first line of defense against threats from hackers and cyberterrorists. Thus, IA awareness, technical training and education, and workforce management are important not just for the operation and maintenance of the various IT systems within the DoD — IA is important for safety nationwide.
To help strengthen and build the military services and DoD components, the different service bodies collaborated and contributed subject-matter expertise to create a strategy that would address the training needs for the roughly 90,000 military, civilian and contract workers who deal with IA.
Certification played a key role in this process. But when the groups began to certify their people and explore the best way to extend certification across the DoD organization, they ran into a few problems. One was that there was no clear definition of what certification meant. To help solve this and other IA challenges, the organization created the Defense-wide Information Assurance Program (DIAP).
“We wanted to elevate the knowledge and skills of the people performing the job,” said George Bieber, DIAP deputy director. “From that, we drafted a policy. Part of the strategy was to train and certify the workforce, but we needed a baseline. We have different services under Title 10, under the law, that have certain responsibilities, but when we go to war, we’re supposed to be fighting jointly. We had a wide variation in training content both in how deep they drilled down into different content and also the breadth of what they got.”
Further, certification standards were not consistently implemented across the DoD — each service had its own training schoolhouse to support uniformed personnel, and different organizations within the DoD didn’t always recognize certifications from one branch of service to the next.
To complicate the situation even more, in some cases, civilian and contractor workers might have received their training from multiple outside sources, and formal certifications were not always available to validate knowledge and skills.
DIAP concluded that if it wanted to certify its people so they could secure the different IA systems and move freely within the departments, existing commercial certifications were a viable solution.
“We talked to people who were doing the job, defined what the roles are and, since then, have done a job task analysis, which confirmed that what we put in the manual is what people are doing,” Bieber said. “We looked at just about every certification that existed, starting with more than 100 certifications that had some aspect of security in them.”
For people engaged in securing the different DoD information systems and infrastructure, job titles ranged from computer specialist to IT manager to system administrator to HR generalist. The IA WIP manual detailed what training and certifications were appropriate for each relevant job, whether a part-time or full-time position, according to the job’s location in the information system.
“The manual said the DoD would not use commercial certifications that did not meet ISO/IEC 17024,” Bieber explained. “That standard required security of the testing, that a certification expire, so you either have to get continuous learning credits, or you have to retest.”
Additionally, he said some of the certifications in the manual are not yet accredited by the American National Standards Institute (ANSI); those that are not are working toward accreditation and expect to achieve it within the two-year time frame set in the manual.
The DoD hopes certification will elevate performance and skills for its IA or security posture and professionalize the workforce. Bieber also said certifications could be a mechanism to raise the bar on future skills by enabling IA workers to react fairly rapidly to change.
“The certification is only one part — we want to be able to manage the workforce,” he said. “The department is also working to put databases in place so that we’ll know who’s doing the job and what their status is, and this information will allow us to plan for training and certification expenses over time. The other thing is by requiring certification, because of that ISO standard, there’s a requirement embedded in that for continuous training. This is a mechanism to help elevate information assurance training in the competition for training dollars.”
Directive 8570.1 was signed in 2004, and its accompanying manual was approved in December 2005. The DoD established a four-year implementation period to set up program mechanisms, and Bieber said this began early in 2006. The organization is engaged in compliance and evaluation activities to determine whether the program is working effectively.
“The goal is to have the databases in place, the workforce identified, and to get 10 percent of the people certified this year,” he said. “We’re trying for 30 percent additional next year. We’ve had some evidence in our training exercises that where organizations have a larger percentage of people who are certified, they seem to be able to do better, but there could be other factors involved. There hasn’t been rigorous analysis to make that determination. But the very idea that now you have to study and be tested — it’s like education. There are very few people who say that education won’t make a difference. This is just an extension of education.”
To help the different DoD components meet the requirements Directive 8570.1 set forth, the DIAP offers many educational outlets, outside its own IA training course assessments, where personnel can receive training.
These outlets include Web-based training from the Defense Information Systems Agency and classes held by the National Defense University’s Information Resources Management College. The college offers some advanced management courses, as well as courses to help people prepare for ISACA, (ISC)2 and other certifications.
Students don’t have to pay to attend service schools, nor are they required to pay for expenses related to commercial certification education and testing or external education providers.
“Every individual in DoD is supposed to have an individual development plan, which lays out the training they think they need, and their bosses sign off on it,” Bieber said. “If it’s approved, they go to the training, and if they have to pay, they get reimbursed, or the government pays for it after the fact.”
The DoD also has an IA scholarship program, which is part of its scholarship-for-service program and acts as a recruiting and retention aid for qualified IA and IT personnel. The program is restricted to certain universities that have been approved or designated as centers of academic excellence by the National Security Agency and the Department of Homeland Security. To meet the scholarship program requirements, newly recruited students must participate in a summer internship and pay back each funded year of school with a year of service.
Although certification has been tapped as a way to manage and educate the DoD’s IA workforce, Bieber said standards development body ASTM International (formerly the American Society for Testing and Materials) is working to come up with a standard definition for certification.
While ASTM works on that, DIAP will pursue other enterprisewide solutions, training tools and exercises to quickly build IA personnel experience and capability. Two additional, specialized chapters to the DIAP manual are in the works. One will address the needs of information system architecture and engineering, and the other will outline computer network defense service providers or computer emergency response teams.
“We’re trying to make sure that everybody who’s doing an IA job sees themselves someplace in the manual,” Bieber said. “It may not require a new certification or anything, but we’re trying to define the workforce, and we’re looking at additional chapters to cover certification and accreditation and other areas. I still have some concerns with certifications. I’d like them to pay more attention to what they accept as continuous learning. I’d also like to see more performance-based testing and more hands-on technical versus lecture in the training, but I think, over time, that will come.”
– Kellye Whitney