DoD IA Workforce Improvement Program IA WIP

1
DoD IA Workforce Improvement Program (IA WIP)
Cathy Fillare Defense-wide IA Program
(DIAP) (703)-604-1480 x107 Catherine.fillare_at_osd.m
il
2
Overview

• Vision and Objectives
• IA Workforce Policy
• IA Skill Standards
• The Year Ahead
• Summary

Information Assurance Workforce Improvement
Program
19 December 2005 Assistant Secretary of Defense
for Networks and Information Integration/Departmen
t of Defense Chief Information Officer
3
Creating an IA Empowered Workforce
Vision
A professional, efficiently managed IA workforce
with knowledge and skills to securely configure
information technology, effectively employ tools,
techniques and strategies to defeat adversaries,
and proactively identify and mitigate the full
spectrum of rapidly evolving threats and
vulnerabilities in order to protect the network
"Operational controls are IT security methods
that are primarily implemented and executed by
people not systems. Naval Audit Service
4
IA Workforce Strategic Objectives
Objectives
Impact on DoD

• Improved IA posture (raise the floor on
  baseline skills)
• Foundation of a professional IA workforce
• Mechanism raise the bar on future skills

Certify the Workforce

• Ability to assign trained/certified personnel to
  IA positions
• Ability to conduct manpower studies establish
  standards

Manage the Workforce

• Elevates priority of IA for training dollars
• Enables personnel to hone IA skills, keep current
  with technology, threats and vulnerabilities,
  tools, techniques

Sustain the Workforce

• Leaders at all levels understand impact of IA on
  mission accomplishment
• A model Allies, coalition partners can emulate
• IA literacy for critical non-IT disciplines

Extend the Discipline
5
Need for IA Workforce Policy

• Military Communications/Electronics Board (MCEB)
  endorsed certification (8/97)

• ASD/C3I USD/PR memo IA Training
  Certification (6/98)
• Mandated certification of Sys Admins, maintainers
  users
• Provided interim guidelines

Until December 19th 2005

• Component defined certification
• Wide variation in training content (Depth
  Breadth)
• Inconsistent implementation across the Department
• Inconsistent implementation within Components
  (military, civilian, contractor, local
  nationals globally deployed)
• Certifications not recognized Department-wide
• Yet DoD fights jointly
• Components buying training for commercial
  certifications
• Corporately, dont know which certifications

• DoDD 8570.1 IA Training, Certification and
  Workforce Mgmt (15 Aug 04 )

• DoD 8570.1M IA Workforce Improvement
  Program (IA WIP) (19 Dec 05 )

1997
1998
1999
2000
2001
2002
2003
2005
6
8570 Policy A Funded Mandate
DoDD 8570.1 (signed 15 Aug 04)

• Identify, train and certify privileged users IA
  managers to DoD baseline requirement
• Assign position specialty code/skill identifiers
  to personnel with privileged access track key
  data in Component personnel/manpower databases
  of record
• Identify positions in manpower databases
• Record, track contractors IA certification status
  in DEERS
• Require IA in all levels of professional military
  education
• Applies to civilian, military, local national,
  contractor full time or as assigned
  regardless of job series/occupational specialty

7
IA Workforce Improvement Program
DoD 8570.1M (signed 19 Dec 05)

• Defines IA workforce categories, levels, and
  functions
• Mandates use of commercial certifications to
  validate DoD baseline knowledge and skills
• Requires certifications be accredited under
  ISO/IEC 17024, General requirements for bodies
  operating certification of persons
• Continuous learning or re-test required to
  maintain certification status
• Specifies reporting requirements
• Establishes oversight Advisory Council

8
IA Workforce Structure
Certified Information Assurance Professional Joe
Kelly Issued 01-04-06 Expires 01-03-09 IA
Workforce Improvement Program
DAA
Professional Level
Functional Levels
Certification
Enclave/ Advanced Network Computer IA
Enclave (Level III)
Enclave/
Network Environment (Level II)
Network Advanced Computer IA
Network
Computing Environment (Level I)
Computing IA
Computing Environment IA
IA Technical Category
IA Mgmt Category

• Each IAT Level may Include
• Entry level (apprentice)
• Intermediate (journeyman)
• Advanced (master)

9
Sources of Functional Requirements

• DoD 8570.1-M Functional Requirements

CNSS 4011
CNSS 4013

• Technical
• IAT-I
• IAT-II
• IAT-III

CNSS 4014
INFOSEC 2210
CJCSM

• Management
• IAM-I
• IAM-II
• IAM-III

Clinger-Cohen
DLA
DISA
Descriptions of IA functions from each standard
were combined to form a comprehensive list in DoD
8570.1-M
10
IA Training and Certification Requirements
11
Baseline Certifications
12
Governance and Oversight
NII/PR Charter co-chair

• Establish process to add/delete
  certifications
• Review/update levels functions
• Monitor program progress impact on IA
  posture
• Review Component programs plans to validate
  compliance
• Implementation sustaining plans
• Plans, methodologies to track, monitor, document
  personnel awareness and training completion
• Conduct assessments to ensure validity of
  functions, training certification
  requirements per 29CFR1607

MAJCOMS
COCOMS
IA Workforce Improvement Program Advisory Council
(WIPAC)
DUSD ATL
TAG
NSA IA

• Provide feedback to certification providers
• Prioritize requirements for development of
  DoD-wide IA training content
• Engage IA training community to identify cross-
  Component IA training issues solutions

Certification Providers
PR Defense Human Resources Activity TAG
Training Action Group
13
Schedule
Implement
Maintain
Startup
FY11
FY10
FY09
FY08
FY07
FY06
FY12
FY05
FY13
DIMHRS

• Databases
• People
• Dollars

Upgrade
Identify, code
Populate databases to track cert status
PDM III (20 Dec 06) FY07-11
QDR
POM 08
PB08 FY08-13 (Components POM)
?
8,000
24,500
10
Certification
25,500
30
27,000
30
30
Estimated number of personnel to certify based
on 05 FISMA reporting
14
Making it Work
Align
Position Requirements (position focused)
Personnel Requirements (people focused)
Personnel training and certification metrics
with operational performance metrics for
impact on posture
IA Workforce Goal Attainment (integration point)
Correlate
Align
IA Operations (Performance Data)
Budget Requirements
ROI
15
IA Skill Standards Development

• Purpose
• Define a common language of IA-related work and
  worker requirements applicable to the DoD and
  other organizations
• To enable
• Consistent description of scope of certifications
• Mapping of certifications against job functions
• A common basis for accreditation
• Process
• Collect and integrate existing JTAs to use as
  seed information Use thought leaders in
  iterative interviews
• Refine common language and link work to worker
  requirements Use subject matter experts (SMEs)
  in focus groups
• Draft definition of IA roles and verify linking
  of work/worker requirements Use additional SMEs
  in focus groups
• Collect data to determine occurrence of IA
  functions in different populations Conduct
  web-based survey

16
IA Skill Standards Survey

• 56 Critical Work Functions
• Network Devices and Infrastructure
• System Lifecycle
• Program Management
• Findings to support
• Improving content and quality of certifications
  offered by commercial certification providers
• Offering training providers targeted information
  to develop effective learning offerings
• Refining the functions listed in the 8570 manual
  as needed
• Enhancing IA across the Federal government and
  the nation through a Department of Homeland
  Security led initiative

17
The Year Ahead

• Planning future areas for IA concentration. New
  chapters to policy
• CND/SP (CERT) team members
• IA architects, engineers (ISSEs)
• Certification Accreditation
• IDS analysts
• Forensic examiners
• Auditors
• Trainers
• Certification and Accreditation Public Forum
  www.dni.gov
• vendor specific certifications (e.g., Microsoft,
  CISCO)
• Publish language in DFARS for contractors to meet
  requirements

We had bad luck with one CISSP classand only 10
past the exam . That was a function of poor
exam prep by the students, not a bad class or
instructor. It took a while to get everyone over
their fear of the exam, but as some passed, they
started training the rest and it all fell in
place.
18
The Year Ahead

• Integrate DoD school curriculum, CNSS
  certificates, training exercises, conferences and
  other knowledge sharing into program as
• Source of training for certifications (A,
  Security, CISSP etc.)
• DoD/Component layer of a comprehensive
  certification/professional program address
  policy, processes procedures tactics
  techniques
• Satisfy continuous learning requirement imposed
  by ISO/IEC 17024
• Promote rigor and use of DoD best practices in
  commercial certifications to enhance DoD IA
  readiness
• ISO 17024 accreditation is basic requirement
  imposed on IA certifications
• Add performance-based element to testing (vice
  multiple choice)
• Add continuing learning/re-test requirement to
  maintain certification status
• Better define what is accepted for continuing
  learning credit
• Incorporate DoD IA best practices (DISA STIGS,
  NSA Guidelines)

Withinour companys IT Security Office,
credentials such as the CISSP are valued,
acknowledged and celebrated. (private sector
best practice)
19
The Year Ahead

• Consider other factors/actions to improve IA
  workforce
• IT posture personnel workload (e.g., reduce
  of personnel with IA as an assigned or
  embedded duty)
• Who we assign (and train) (e.g., aptitude,
  skill) and who instructs
• What we train (e.g., content, currency,
  relevance)
• How we train (e.g., traditional classroom, web,
  simulation, study time)

On certification Itforced me to finally buckle
down and do a bit of studying and focus on some
areas where I was a bit lacking. (Devin, US
Army, Kwajalein)
20
Summary Objectives and Impact
Objectives
Impact on DoD

• Improved IA posture (raise the floor on
  baseline skills)
• Foundation of a professional IA workforce
• Mechanism raise the bar on future skills

Certify the Workforce

• Ability to assign trained/certified personnel to
  IA positions
• Ability to conduct manpower studies establish
  standards

Manage the Workforce

• Elevates priority of IA for training dollars
• Enables personnel to hone IA skills, keep current
  with technology, threats and vulnerabilities,
  tools, techniques

Sustain the Workforce

• Leaders at all levels understand impact of IA on
  mission accomplishment
• A model Allies, coalition partners can emulate
• IA literacy for critical non-IT disciplines

Extend the Discipline
21
Questions?

• Cathy Fillare, catherine.fillare_at_osd.mil
• George Bieber, george.bieber_at_osd.mil

22
Back Up
23
CNSS Crosswalk Analysis

• DoD 8570.1-M Functional Requirements

• Functions
• Capabilities
• KPIs

• Functions
• Capabilities
• KPIs

• Functions
• Capabilities
• KPIs

CNSS 4011
CNSS 4013
CNSS 4014

• Technical
• IAT-I
• IAT-II
• IAT-III

• Management
• IAM-I
• IAM-II
• IAM-III

DoD 8570.1M functional requirements are general
so that they will remain relevant as other
standards change
24
ISO 17024 Standard

• Conformity Assessment
• A "demonstration that specified requirements
  relating to a product, process, system,
  person or body are fulfilled.
• ISO/IEC 17024 standard provides the requirement
• Focus is processes/procedures for organizations
  that certify people
• Job task analysis (define the work and skills)
• Validation study (EEO)
• Link to actual jobs
• Continuous learning/periodic retest
• Advantages to DoD
• Proof is in the test few certification
  providers vice many training providers
• DoD doesnt have to create processes
• DoD doesnt have to maintain the currency and
  relevance of certifications
• Standard can be met by allies and coalition
  partners

25
Benefits of Accreditation

• Publicly recognized badge signifying excellence
  and commitment to highest standards
• Helps develop confidence by attesting in an
  independent, measured, and documented manner that
  an institution meets or exceeds current
  professional standards based upon a periodic
  thorough review and site inspection conducted
  byexperts
• Guides agencies that need expert opinion as a
  basis for qualitative judgment in connection with
  grants, contracts, etc.
• Could cut red tape (exemption from certain
  government requirements)
• Provides impartial evaluation on a periodic basis
  by professional colleagues
• Promotes professional recognition that industry
  standards are being met
• Promotes excellence withinby causingan
  industry to continuously evaluate itself in
  light of ever-risingindustry standards
• Helps distinguish institutions from road side
  stands

26
Conformity Assessments

• Accreditation
• Procedure by which an authoritative body (e.g.,
  ANSI) gives formal recognition that a body is
  competent to carry out specific tasks e.g.,
  certification
• Authoritative Body American National Standards
  Institute (ANSI)
• Conducts the conformity assessment
• Accredits certification bodies to meet the
  requirements of the standard (ISO/IEC 17024)
• Advantages to DoD
• Independent 3rd party review of processes and
  procedures
• No direct cost pay on pro-rated basis for use of
  certifications
• Eliminates need to conduct validation studies
  (EEO) (OGC issue)
• Eliminates need to address testing issues
• Eliminates need to address protection of
  individual privacy issues

27
Why its Important
Certification is meaningless if it doesnt relate
to actual work (functions/skills)

• ISO/IEC 17024 General requirements for bodies
  operating certification schemes for persons
  (April 2003) requires certifications to map to
  jobs (functions/skills)
• Currently
• No common position standards
• No common standard of position levels
• No common standard of position categories
• Certification providers (e.g., ISC2) base
  certifications on their own Job Task Analysis
  (JTA) data/common body of knowledgeor in some
  cases, on no JTA
• National/international standards will
• Promote the National Cybersecurity vision
• Promote rigor in commercial certifications

28
Certification Program Criteria

• Meaningful -- Recognized by a broad audience
  outside DoD government
  Career enhancing
• Verifiable -- Validated, standard test
• Periodic renewal -- Continuous learning/retest to
  maintain certification
• High security content -- Linked to nationally
  recognized best practices e.g., NSA
  guidelines/DISA STIGS/Center for Internet
  Security benchmarks
• Multiple training sources nation/world-wide
  multiple delivery media
• --traditional classroom, web, CD, blended,
  other)
• Multiple Certification Levels e.g.,
  Entry/Intermediate/advanced
• Test out feature but rigorous test to reflect
  experience factor
• Pre-test/self assessment feature -- tailor
  training to gaps in knowledge
• DoD participation in process -- initial security
  guidelines exercise certifying test(s)
  conduct follow-up evaluations of learning
  outcomes provide feedback
• Reduced cost -- Enterprise-wide costing
• No more than 2 weeks in class If longer, look
  at blended solution

29
Benefits of Certifications

• For Organizations
• Provide the common test(s) to validate a minimal
  level of knowledge in the functions required for
  a specific IA level (within each category)
• Increased confidence that workforce can do the
  job
• Create a critical mass of expertise to make a
  difference in IA posture
• Attract and retain the best and brightest
• Motivated
• Knowledgeable

30
Benefits of Skill Standards

• Serves as a common language for defining roles
  and competencies
• Provides a framework for
• mapping the certification landscape, and
• identifying skills and performance gaps
• Provides information for use in HR applications
• Provides a foundation for strengthening
  education and training
• Provides a platform for developing Return on
  Investment measures
• Facilitates establishment of legal defensibility
  of certification use