DoD to Prospective Employees: Certification RequiredWant to work in information security within the Defense Department (DoD)? Then you either have the appropriate professional certification when you start the job, or you attain one within six months.
"Prospective candidates for DoD jobs cannot be denied a job if they don't hold the certification," says George Bieber of the Defense-wide Information Assurance Program (DIAP). "But certification is a condition for continued employment."
Since 2004, the DoD has implemented Directive 8570, which provides guidance and procedures for the training, certification and management of all government employees who conduct information assurance functions in assigned duty positions. These individuals are required to carry an approved certification for their particular job classification.
Currently, the DoD information assurance (IA) workforce is divided into two categories: Information Assurance Management (IAM) and Information Assurance Technical (IAT). Each of the two has three levels (I, II and III) depending on experience, knowledge and job scope. Specific certifications are Security+, CISSP, GIAC, CISM defined for each level. The certification vendors approved by the DoD currently include Sans Institute, ISACA, ISC2 and CompTIA.
So, who is affected by 8570? Any full- or part-time military service member, employee, contractor or local nationals with privileged access to a DoD information system performing information assurance (security) functions-regardless of job or occupational series.
"DoD Directive 8570 is a catalyst to change the security culture within the DoD," says MGySgt James Crawford , CISM, CISSP, the Information Assurance Chief of the Marine Corps. He has worked in the Defense department for over 25 years and is currently an Information Assurance Management (IAM) level III. He has secured CISM and GLSC certification. According to him, the directive has brought a more security consciousness environment to the DoD. He says that employees talk more about security and are better aware of insecure practices than before. Also, this initiative has helped in better understanding and identifying the baseline knowledge and skills of employees.
The entire time duration for the certification process depends on the individual. It can take anywhere from a couple of weeks to six months, says Crawford. However, it is mandatory for employees to be certified within six months of being assigned to an information assurance position. Crawford also says that the pass rate is approximately higher than 80% for employees. "Most DoD employees are thorough professionals who want to pass the test the first time." Employees are not dismissed immediately if they fail the test or do not try harder to get certified. They are given opportunities and resources to continue their effort in gaining certification, but are definitely more scrutinized in terms of their work performance and delivery.
The DoD funds the cost of training and certification of all its IA employees. Employees can attend training boot camps, engage in self study, etc in order to get certified.
In discussing the benefits of certification and how this helps in performing the job role and function. Crawford, points out that certification definitely adds a level of credibility in security discussions and meetings. "People pay more attention to what you are saying when you are certified," he says. Another benefit includes looking at security issues from a broader, more global perspective, which helps in balancing security with business objectives.
Currently, the directive is going through revision in order to expand the scope and coverage of the existing program in terms of adding new credentials and people. This only shows us that the program is not pushed aside, but actively being improved, adds Crawford.
As advice to job seekers looking to join the DoD, Crawford suggests prospective candidates:
- At a minimum level be certified at the Security Plus;
- Ensure that their resume is very clear about understanding the 8570 and the facets that surround the directive.