How DOD's certification program works

Directive 8570 requires all personnel be qualified for their job

Defense Department Directive 8570 requires military, civilian and contract personnel who handle information assurance for department systems to have certifications appropriate for the job they perform. DOD published a manual describing various job categories, including technical and management positions, and the different certifications that meet the training requirement. DOD foots the bill for any training and certification required for its employees.

Here are examples of some job types and commercial certifications approved by DOD. Cost information does not always reflect government volume discounts.

Job category: Information Assurance Technical Level I (there are three IAT levels)
Example certification: A+
Provider: CompTIA
Training time and cost: One provider offers a five-day course for $1,800. Exam costs $132 for CompTIA members and $168 for nonmembers. No minimum work experience or education is required, but six months of job experience is recommended.

Job category: Information Assurance Management Level III (there are three IAM levels)
Example certification: GIAC Security Leadership Certification
Provider: Global Information Assurance Certification, affiliated with SANS Institute
Training time and cost: The SANS Institute offers an annual nine-day training conference for $5,250. The exam costs $899, or $499 if you take the SANS seminar. You must renew certification every four years for $325. No work experience or education is required to take the test.

Job category: Incident Responder
Example certification: CERT-Certified Computer Security Incident Handler
Provider: Carnegie Mellon Software Engineering Institute
Training time and cost: The Software Engineering Institute and its licensees offer a three-course training sequence. Each course lasts five days. Course costs vary. Exam is $200. You must have at least three years of experience in incident handling in a technical and/or management role within seven years of submission of your application.

Job category: Computer Network Defense Auditor
Example certification: Certified Information Systems Auditor
Provider: Information Systems Audit and Control Association
Training time and cost: One local ISACA chapter offers a training course of 2.5-hour weekly sessions for 14 weeks. The course cost is $300 for members and $325 for nonmembers, plus course and study materials. Other organizations also offer courses. The exam costs $400 for DOD employees. You must have five years of work experience in the fields of information systems auditing, control, assurance or security within 10 years of applying.

Job category: Information Assurance System Architect and Engineer Specialty I (there are three IASAE levels)
Example certification: Certified Information Systems Security Professional
Provider: (ISC)2
Training time and cost: (ISC)2 offers a five-day seminar for $2,695. Exam is $449. Five cumulative years of relevant experience are required.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Wed, Sep 16, 2009

Certifications should only be ONE aspect and NOT the deciding factor to retaining a position. You are taking the decision of the employee's worth out of the hands of the manager. Let's face it, people want a job and to keep a job. If it takes a certification to do that then they will naturally only focus on the knowledge requirement for the certifications. All other knowledge is out the window. Once you lose diversification then security suffers. There are some people who are good at passing cert tests, they can spout off all sorts of trivial knowledge. Then there are those who do badly on cert tests but can stop an exploit dead in its tracks. It's like a brain surgeon not remembering general practice protocol. It does not make him any less of a brain surgeon, it just means his knowledge is more focused. That's why hospitals diversify by having general practitioners in the mix. A good IT shop will have a mix of certified, formally educated, and self-educated technicians. You just cannot predict what new concept of exploit will come along and you need diversity to react to it. The DOD requirement just may become an Achilles heel.

Thu, Jul 30, 2009 Ray N Baghdad, Iraq

Mark, this may help summarize the gist of 8570 for some: http://www.giac.org/8570/ Good links for the remainder of its requirements and FAQs http://www.isaca.org/Template.cfm?Section=home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=26514 I concur. I know too many guys who are operating in IA slots solely based on the fact they were in an IA shop in the Navy or Air Force but with little training documentation to show their experience is commensurate with duties at their position. The golden key is simply that they have a TS/SCI and they are willing to come out to the sandbox for a year. BTW...IT Geek, I'd proof such a short post (that doesn't contribute anything) before calling anyone else a dummy...

Thu, Jul 23, 2009 Daniel California

What if we already have experience as contractors and we need assistance on the application process for "Information Assurance Technical Level I (there are three IAT levels)"? I need a link if possible to apply for the position. Also what is the requirement for the clearance needed for this job? I have one but I'm not positive if it's high enough to apply. My last contract was a military and civilian site in downtown Portland, Oregon. I have been unemployed for nearly 6 months and I came across this site from an email. If anyone can help me in the right direction I would really appreciate your help. Go blue and green!

Thu, Jul 23, 2009 Mark Crowley Baghdad, Iraq

Brian, et al, It would have been extremely helpful if the link to the above mentioned DoD published manual had been added within the article. As we all know, it is somewhat difficult to locate the correct info if the exact title, or location, is not known. As for the 8570 requirement, when is it going to be enforced by the DoD? It has been in place for some time now and sadly, there are still many contractor employees functioning in and being hired as Information Assurance positions (both here in Iraq and Afghanistan) who are not properly certified or even working toward those certifications required of them. Thank you for putting this information out there once again. Hopefully it will not continue to fall on deaf ears. Respectfully, Mark, CISSP 78461

Mon, Jul 20, 2009 IT Geek everywhere

Certifications are not effect as now you have a certified dummy that lacks experience and common sense to apply security.
