ConvoCourses

Cyber Security Compliance and IT Jobs

dodd 8140

dodd 8140 cyberspace workforce management

by Leave a Comment

What is the DoD Directive 8140?
DoD 8140, Cyberspace workforce will supersede DoD 8570 as the guide for selecting the personnel with the correct certifications, skills and experience.

Where is the DoDD 8140.01, Cyberworkforce going?
8140 manual may mirror an ongoing initiative that has a lot more categories. Those high level categories would be under a National Initiative for Cybersecurity Education (NICE) framework:

Security Provision, Maintain and Operate, Protect & Defend, Analyze, operate & collect, Oversight & Development and Investigate.

These categories are broken down further into a sum total of 31 tasks. It was supposed to be released in 2013, but there is actually no telling when it will come out.

http://diarmfs.com
niccs.us-cert.gov

DoDD Cyberspace Workforce Management 11 Aug 2015

by Leave a Comment

The Department of Defense finally released the Directive for Cyberspace workforce management on 11 Aug 2015.  This means that the DODI (instruction) is not far behind.  The instruction will be more in the weeds.  It is where the “magic happens”.  Directives are very high level policy that gives instructions their power to exist.

Cyberspace Workforce Management – http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf

The Cyberspace Workforce Management directive does the following:

  • Reissues and renumbers DoD Directive (DoDD) 8570.01 (Reference (a)) to update and expand established policies and assigned responsibilities for managing the DoD cyberspace workforce.
  • Authorizes establishment of a DoD cyberspace workforce management council to ensure that the requirements of this directive are met.
  • Unifies the overall cyberspace workforce and establishes specific workforce elements (cyberspace effects, cybersecurity, and cyberspace information technology (IT)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements.

Cyberspace Workforce Applies to:

  • Office of the Secretary of Defense (OSD)
  • Military Departments (Army, Navy, Air Force, Marines)
  • Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff
  • Combatant Commands
  • Office of the Inspector General of the Department of Defense (IG DoD)
  • Defense Agencies
  • Field Activities
  • DoD Components

It is DoD policy does the following:

  • Maintains a total force management perspective to provide qualified cyberspace government civilian and military personnel to identified and authorized positions, augmented where appropriate by contracted services support. These personnel function as an integrated workforce with complementary skill sets to provide an agile, flexible response to DoD requirements.
  • [Make sure] the appropriate mix of military and government civilian positions and contracted support designated to perform cyberspace work roles is determined in accordance with DoD Instruction (DoDI) 1100.22 (Reference (b))
  • Civilian, military, and contracted support personnel assigned to perform cyberspace work roles must meet qualification standards established in supporting issuances, in addition to other existing workforce qualification and training requirements assigned to billets and position requirements (e.g., acquisition, intelligence, communications).
  • DoD Component compliance with this directive is monitored via authoritative manpower and personnel systems as an element of mission readiness and as a management review item.
  • Nothing in this directive replaces or infringes the responsibilities, functions, or authorities of the DoD Component heads or other OSD officials as prescribed by law or Executive order, assigned in chartering DoDDs, or detailed in other DoD policy issuances or, as applicable, in Director of National Intelligence policy issuances.
  • All authorized users of DoD IT receive initial cybersecurity and information assurance awareness orientation as a condition of access, and thereafter must complete annual cybersecurity and information assurance refresher awareness.

8570_to_8140_01_2015_dodd

USCYBERCOM, National Initiative for Cyberspace Education (NICE)

by Leave a Comment

DoD is using National Initiative for Cyberspace Education (NICE) to point their cyber security professionals in the right direction for training resources.  I wonder if this might hint at a DoDD 8140, Cyberwork force being inline with National Initiative for Cyberspace Education (NICE) National Cybersecurity Workforce Framework.

DISA has gathered inputs from USCYBERCOM, National Initiative for Cyberspace Education (NICE) and other partners to provide a catalog of training resources that are categorized by Cybersecurity work roles. The identified training resources will help DoD employees fulfill their knowledge or skill gaps and move from entry to advanced levels of proficiency in their assigned work roles. To learn more, and to view the training resources, please visit the Cybersecurity Role-Based Training Portal.

https://disa.deps.mil/ext/cop/iase/specialty_courses/ (DoD PKI Cert Required)

USCYBERCOM_NICE_roles
USCYBERCOM_NICE_roles

DoDD 8140 Round Up

by Leave a Comment

I have been hunting for information on the abominable “DoDD 8140”.  Some say that it does not exist, but you can see its footprints all over the InterWebs:

The DoDD 8140 (DoDD 8570.1 replacement) is in staffing (administrative and format correction by the DoD then legal review then for signature by the SecDef or DepSecDef. Tentative completion and release date 1st Qtr. FY 15 . The workforce manuals will stem from the signed DoDD 8140 – Army CIO/G6, Cyber Security Directorate Training and Certification Newsletter 1 September 2014

DoD 8140 workforce requirements initiative – Operationally Focused CYBER Training Framework

DoDD 8140 – What We Know – Expands 8570 Concept from Information Assurance Personnel Only To Entire “Cyberspace Workforce” – Umbrella Program – Intent is For The 8570 Matrix to Remain The Same – Will Use NICE (National Initiative for Cybersecurity Education) Framework and “Other Plans and Policies” for job skills/functions/tasks – isc2chapter-middlega.org

Initial draft 8140 Directive in formal coord • Policies under the DoDD 8140 to cover the entire Cyberspace Workforce • IT/Cybersecurity • Cyberspace Operations (Engagement) • Intelligence Workforce (Cyberspace) • Leverage existing plans and policies: • NICE; DoD CWF; CW Strategy • JCT&CS • Total force manpower process (DoDI 1100.22) • Apply lessons learned from workforce studies and 8570 implementation – isc2chapter-middlega.org

Lack of Standard DoD CS/ITWF-Related Procedures. DON CIO personnel informed us that the Navy did not comprehensively define the overall CS/ITWF or develop a CS/ITWF personnel database because they were waiting for DoD to issue its guidance. We were told that DoD was drafting Directive 8140.aa, “Cyberspace Workforce Management,” reissuing and renumbering DoD Directive 8570.01, “Information Assurance Training, Certification, and Workforce Management,” updating and expanding policies, and assigning responsibilities for managing the DoD workforce performing cyberspace functions. – Cyberspace/Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands  

In reference to changes to the IP Officer course, the expected date of implementation is May 2016. For the more immediate mitigation efforts, N2/N6 responses are predicated on DON CIO’s update to Secretary of the Navy (SECNAV) Instruction 5239 along with the release of the DoDD 8140.aa. Once these documents have been promulgated (estimated date of completion in September 2014), OPNAV N2/N6 will release a Naval Administrative Message (NAVADMIN) that will direct the fleet to these changes and ensure implementation of all directives and instructions. Estimated release date for the NAVADMIN will be May 2015. – Cyberspace/Information Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands  

If you see the 8140 in the wild, shoot it, skin it and send it to me:

elamb(dot)security(at)gmail

Nothing on DoD 8140

by Leave a Comment

In typical government fashion, an important change was mentioned years ago and nothing has come of it.  DoD 8570 was supposed to be replaced by DoDD 8140 but it still has not been done yet.  The USAF just released Air Force Manual 33-285, CyberSecurity Workforce Improvement Program, 20 March 2015 and it is based on 8570 and not DoDD 8140.  Why?  Because 8140 does not exist.  Is it in draft?  Is it ever going to exist?  Someone out there knows.

If it is not going to be created, then why are so many official sites, documents and policies in the government still mentioning it?

“The DoDD 8140 (DoDD 8570.1 replacement) is in staffing (administrative and format correction by the DoD then legal review then for signature by the SecDef or DepSecDef. Tentative completion and release date 1st Qtr. FY 15 . The workforce manuals will stem from the signed DoDD 8140” – US Army CIO/G6 Cyber Security Directorate

“DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce.
– Will be replaced by DoD Directive 8140, Cyberspace
Workforce Management in 2-4 months.” – IA Workforce Improvement Program Update (USAF) med.navy.mil

“Ensuring initial IA orientation and annual awareness training are available to all authorized users to ensure they know, understand, and can apply the IA requirements of their system(s) in accordance with reference (d) and will eventually be updated with the publishing of the Department of Defense Directive (DoDD) 8140 in May 2014.” – US Marine Corps Enterprise Cyber Security Directive – CyberSecurity Workforce Improvement Program

“Lack of Standard DoD CS/ITWF-Related Procedures. DON CIO personnel informed us that the Navy did not comprehensively define the overall CS/ITWF or develop a CS/ITWF personnel database because they were waiting for DoD to issue its guidance. We were told that DoD was drafting Directive 8140.aa, “Cyberspace Workforce Management,” reissuing and renumbering DoD Directive 8570.01, “Information Assurance Training, Certification, and Workforce Management,” updating and expanding policies, and assigning responsibilities for managing the DoD workforce performing cyberspace functions” – Cyberspace/Information
Technology Skill Sets for Active Duty Military Personnel at Selected Navy Commands, 19 May 2014

dod information assurance awareness training

by 1 Comment

Conduct DoD Information Assurance Awareness Training: http://iase.disa.mil/eta/cyberchallenge/launchPage.htm

DoD Information assurance awareness training is an interpretation of the federal law, Federal Information Security Management Act (FISMA).  As each unity, agency and branch of the DoD takes on the responsibility of FISMA compliance, they sometimes come up with their own flavor of DoD information assurance awareness.

DoD Information Assurance Awareness is a requirement in accordance with the FISMA of 2002:

“security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of— ‘‘(A) information security risks associated with their activities; and ‘‘(B) their responsibilities in complying with agency policies and procedures designed to reduce these risks”

FISMA 2012

FISMA 2012 expands the scope if DoD information assurance awareness training and the department of homeland security with a The National Initiative for Cybersecurity Education (NICE).  NICE also includes National Initiative for Cybersecurity Careers and Studies (NICCS) portal25, an online resource for cybersecurity awareness, education, training, and career information open to the public.

“The vision of NICCS portal is to provide a national resource to
elevate cybersecurity awareness and affect the change in the American public; to adopt a culture of cyberspace security and to build a competent cybersecurity workforce. “

DOD Information Assurance Awareness & Security Training
According to FISMA, all Government personnel and contractors must complete annual security awareness training.

DoD 8570/DoD 8140 are directives that spawned as a result of FISMA also requirements to have specialized training for personnel and contractors with significant security responsibilities.

Progress of DoD Information Assurance Awareness Training is tracked and taken VERY seriously.  So much so that if you don’t complete the annual training, you can lose your ability to access systems.

DoD Information Assurance Awareness Training Security Controls

Information Assurance awareness is addressed as an actual security control in NIST SP 800-53 as AT – Awareness & Training and the NIST SP 800-50 is for Building an Information Technology Security Awareness and Training Program.

Awareness and Training
AT-1 Security Awareness and Training Policy and Procedures
AT-2 Security Awareness
AT-3 Security Training
AT-4 Security Training Records
AT-5 Contacts with Security Groups and Associations