Contractors should comply with DOD security training rules

Contractors who are serious about getting Defense Department contracts should make sure now that their employees who have information assurance roles meet the standards set by DOD Directive 8570.1, according to panelists who spoke this morning at an Information Technology Association of America event.

"There's not a downside to contractors being certified," said Phyllis Scott, president of training firm TTSC. Contracts will require it, and contractors who are already certified will have an immediate advantage, she said.

DOD approved the directive’s proposal to train and certify at least 80,000 department employees in four years in December 2005. The directive applies to every aspect of DOD -- military, agencies and contractors. It divides positions into technical or management, and applies different standards to each group, further subdivided by tiers.

Like DOD, contractors have to assess their organizations to identify the individuals and positions that should be working to meet the directive, Scott said. Assessing the positions is an important aspect, she added. Some positions are primarily concerned with information assurance and are obvious targets for training and certification.

Others are more peripherally connected to information assurance. In some cases, companies might need to give those jobs to employees with the necessary certifications. But in other cases, managers may be able to redefine a position to remove the information assurance component so they can fill it without worrying about whether the job candidates are properly certified, Scott said.

"Maybe we need to rethink how we're doing those positions," she said. "That's where we can really manage our workforce."

Shelley Morris, a vice president at training firm New Horizons, told managers to look for what's already there. Some employees may already have certifications -- or be working toward them -- that fulfill the directive. When managers find a need for training, much of it is available commercially and need not be custom-designed.

The required certifications include common ones such as the Computing Technology Industry Association's Network+ and the International Information Systems Security Certification Consortium's Certified Information Systems Security Professional. The directive includes a matrix showing which certifications apply to each position. DOD components can choose one of the approved certifications to serve as their standard for each category and level.

In many cases, employees may have some but not all of the training they need to earn the certifications. "If your folks have pieces and parts of the knowledge needed for certification, you can put together something custom" to fill in the gaps, she said.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected