Saturday, April 28, 2018

DoD 8570: How the Military Handles Data and Why It Matters

Learn about its History and Why Certification is Required for All Who Work with Government Data

 DoD 8570 helps ensure military personnel are trained and qualified

There are many standards in the world of technology. Much of those have to do with the way in which data is handled, including security and accessibility. Standards deliver a way in which all stakeholders take the same actions across an industry. Some, like the Department of Defense 8570, have an even higher level of security. DoD 8570 is the set of provisions and requirements which govern data handling for the organization. Several years ago, the DoD passed a regulation which stated that all Information Assurance (IA) personnel were required by law to be compliant. Certification is necessary to work with this data, whether that be DoD staff, contractors, or partners.  

Worry About National Security Prompts DoD 8570

The catalyst for 8570 relates to perceived vulnerabilities in national security. As defense has evolved, physical weapons aren’t the only threat. Hacks are as well. Information could be stolen, compromised or leaked, putting the military in danger. The hack could also trigger disablement of critical systems soldiers require on the battlefield. These concerns created the need for standardization leading to the introduction of 8570.

The History of DoD 8570

 The evolution of malware and increased attacks against DoD networks acted as a catalyst for DoD 8570

The DoD announced plans to create a new and comprehensive set of guidelines and requirements governing the security of information in the U.S. over 10 years ago. The document would be a response to the changing landscape of business and government in the US, and to several high-profile cyberattacks in the early part of the new millennium. These included the Code Red Worm of 2001 and the ILOVEYOU of the previous year.

The purpose of the new set of directives would not be to directly block such attacks but rather to increase public knowledge of how to prevent such attacks in the future. In addition, it also set best practices for how to be safe and responsible with data and information. The DoD recognized the shifting landscape ahead of time and moved to lay the bedrock for a secure, efficient strategy.

The document which would become DoD 8570 entered the drafting process in 2005 and was eventually published as the DoD 8570 Companion Manual on December 19, 2005.

Today, the DoD 8570 Manual continues to be in effect, but it is a part of the wider 8140 initiative. DoD 8140 pertains to the training and certification of all personnel involved in information assurance activity, whether directly employed by the government, or by third parties contracted to handle such duties. 

Creating a Framework: The DoD 8570 Manual

The DoD 8570 Manual, developed a decade ago, seeks to be the definitive guide for these data categories. The manual is designed to provide this consistency in the form of a framework which all can follow. In many ways, the DoD pre-empted a serious escalation in the risks associated with national cybersecurity and information assurance. This has become more obvious in the wake of some high-profile attacks and security breaches around the world.

For 8570 to be effective, it needed to be comprehensive with adoption on a strict basis. Now, with the 8570 document showing age, the framework has adapted to what the landscape of cyber defense now requires. All workers in IA roles, whether in a military or civilian role, must have the training related to the DoD's 8570 Workforce Improvement Program. Only when individuals do this is he or she compliant. If the role allows them to be privy to controlled information, training is necessary.  These provisions in the framework presented by the manual serve as the main focuses of DoD compliance certifications.

DoD 8570 covers certification across several different levels, with different requirements contained at each level. Certifications are selected by the DoD based upon the IA duties and responsibilities of each operative at each level. As the field of digital security is continually changing, these certifications are regularly appraised and may be updated as and when required.

For most baseline certification types, operatives must first undergo basic training. After this, they will be permitted to take the relevant certification level for their particular role.

The Importance of the Framework: Comprehensive Guidelines

The DoD 8570 was not the first document to outline requirements and guidelines for IA in the defense industry. It was, however, the first to offer full clarity and a comprehensive understanding of the roles and responsibilities of every party involved. By standardizing the practice and ensuring each individual who touches the data does it to these specifications, the risk of error is reduced. Human error can never be fully eradicated. As long as there are non-automated processes and roles which need to be fulfilled with human input and operatives, there will be the danger of human error. A framework creates a safety net for this possibility.

Eliminating Weak Spots in the IA Architecture

Not only human error represents a potential weak spot in the IA architecture. Data is collected in many different ways and is stored in many different locations, both physical and digital cloud-based structures. This translates to a complex and diverse system of different architectures working together.

This is further complicated by data collection and storage at different hierarchies, including different levels of security clearance and from third-party groups. Complexity is a natural by-product of such systems and is something that the DoD and its partners can handle with ease, given the resources they can draw upon. Yet, it still leaves the potential for exposure of weak spots.

By uniting all aspects of this architecture with an overarching code of practice, the DoD 8570 document makes significant steps towards eliminating these weak points with as close to a watertight structure as is physically possible.   

Laying the Groundwork for Efficient Third-Party Partnerships

Defense has been a dynamic and multi-layered concept. Due to budgeting constraints, resource distribution, and other factors, modern defense requires partnerships with third-party organizations. If effective defensive structures are to be built and implemented successfully, this hybrid environment must be able to continue into the future.

The DoD 8570 document plays a major role in supporting these partnerships on an ongoing basis. By providing a full, transparent set of IA requirements, the Manual leaves no room for ambiguity. This enables third-party bodies to integrate their services with those internal to the DoD. With the groundwork laid, this permits partnerships in the future, enabling the DoD to continue managing their resources, handling their budget, and exceeding their targets.

An Evolving Document to Meet Ongoing Defense Needs

The fact that the 8570 document was ever introduced in the first place demonstrates the nature of modern defense. Defense is not static, it is evolving and developing, and any set of guidelines which cover this field must be capable of doing the same. And yet, at the same time, the provisions must be robust enough to be fit for purpose.

The 8570 document and the requirements navigate this fine line, providing a strong and clear set of rules while also remaining flexible enough for future developments in the field.

A Structure for Personal Development

DoD 8570 covers all bodies and individuals who must handle information assurance tasks as part of their work, either in a military or civilian capacity. This includes all military departments, third-party workers, defense agencies and those affiliated.

All individuals included can refer to the Manual and the requirements outlined within. These provisions are structured in a way that offers a reliable and straightforward process of development for all concerned. Compliance is quick and easy, ensuring that all relevant parties understand at a glance who has the necessary training and clearance and who does not.

How the Military Implements DoD 8570

 Navy Instructor Afloat Program. Source: http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=8475

Navy Instructor Afloat Program. Source: http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=8475

The U.S. Navy implemented the DoD 8570 provisions alongside practical sea training. This combination demonstrates the adaptability of the requirements outlined in the document. To achieve this, the Navy rolled out their Instructor-Afloat Program. The program delivered a trained Navy instructor to one of the fleet's serving ships.

He then spent two months delivering expert instruction and training, in compliance with the 8570’s provisions. This meant that IA operatives and teams could receive full pre-certification training without leaving their posts. The instructor then applied practical, real-world scenarios to hone the skills delivered via the courses, ahead of final examinations held on land in the ship's home port. Of these IA operatives who took these exams, 81% received full certification on their first attempt.

An Air Force agency was required to bring all of its teams up to compliance with the DoD directive. To accomplish this, the agency used their existing IA systems to provide training and education to their more experienced operatives. An instructor-led program supplemented the program. The instruction was delivered across the U.S. and abroad, in other operative locations in Europe and Asia. The consistency of the document and the provisions contained within ensured a uniformly high level of tuition and instruction even across numerous different locales.

In total, 3,000 students underwent the training and completed the program. Of these, 71% achieved their certification, rendering the program an unqualified success. Before the beginning of the training program, assessed compliance within the agency was somewhere between 3 and 4% of the total number of IA operatives; well, well below the levels required by the DoD 8570 manual during its rollout period. This provided a platform from which the Air Force Agency could achieve further compliance growth going forward, continuing to meet and exceed the compliance targets on their way to 100% certification.

Moving Forward: DoD 8140 Now and Beyond

Now that DoD 8140 has absorbed 8570, there is a clear message that the 8140 will supersede 8570. This transference is already happening with the adoption of the DoD 8570 Approved Baseline Certifications. The decision to move toward 8140 is really an attempt to be more flexible. It also introduces the initiatives of the National Initiative of Cybersecurity Education (NICE) as it identifies critical Knowledge, Skills, and Abilities (KSAs). It also defines seven cybersecurity work categories.

  • Oversee and Govern
  • Operate and Maintain
  • Investigate
  • Collect and Operate
  • Analyze
  • Securely Provision
  • Protect and Defend

In total, there are 33 specialty areas. The one important caveat is that DoD 8570 is a Directive with a Manual defining it. DoD 8140 is just a Directive. You can read more about DoD 8140 vs. DoD 8570 here.

 NICE Cybersecurity Workforce Framework. Click to enlarge. Source: https://www.nist.gov/image/niceframeworkposterpng

NICE Cybersecurity Workforce Framework. Click to enlarge. Source: https://www.nist.gov/image/niceframeworkposterpng

Has DoD 8570 Made a Difference?

It has certainly been touted as an easy, valuable tool for consistent cybersecurity. Well, the landscape has changed a lot since its initial publication. The problem with 8570, as many critics say, is that it provided all DoD components four years to comply. That’s a very long adoption timetable, and the entire military system is not fully compliant much longer than four years later. This noncompliance wasn’t really audited so there was only selective enforcement. So, while DoD 8570 did set up a consistent framework, it lacked the teeth to enforce the concepts. With the evolution of 8570 rolling into to 8140, the game changes a bit, with the DoD accountable internally as well as to also now Congress. Federal organizations now must use the NICE framework for all cyber jobs.

Get DoD 8570 and 8140 Certified

If you have any desire to work with government data, then certification is the first step. There are lots of options for training, covering multiple areas. You’ll want to seek courses that have a real-world perspective. When looking at approved DoD 8570 and 8140 classes, look for flexibility so you can work it around your schedule. Topics from Alpine Security’s catalog of courses accepted for this requirement include IA Technician, IAM (Information Assurance Management), CSSP (Cybersecurity Service Provider) and IASAE (Information Assurance Systems Architecture and Engineering). 

Having these certifications not only grants you the ability to work in IA, it can make you a more attractive hire, increasing your earnings and opportunities. We invite you to learn more about the courses we offer, which are available in-person or online. You also receive an exam voucher and study materials. With our Exam Pass Guarantee, you have nothing to risk and much to gain. Find out more today about our DoD 8570 and 8140 approved curricula today.

No comments:

Post a Comment