Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance. Chris Kelsall, DON CIO, Director, Cyber/IT Workforce; Ray Letteer, HQMC C4, Senior Information Assurance Official; LCDR Brooke Zimmerman, CNO N2/N6, Information Dominance Community Manager; Mike Knight, NAVCYBERFOR, IA Workforce Program Manager; Pete Gillis, HQMC C4, Occupation Field Management. IA Workforce Improvement Program. 22 September 2010. Briefed by Mary Purdy. Council Executive Board.

Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance


Page 1: Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance

Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance

Chris Kelsall, DON CIO, Director, Cyber/IT Workforce

Ray Letteer, HQMC C4, Senior Information Assurance Official

LCDR Brooke Zimmerman, CNO N2/N6, Information Dominance Community Manager

Mike Knight, NAVCYBERFOR, IA Workforce Program Manager

Pete Gillis, HQMC C4, Occupation Field Management

IA Workforce Improvement Program

22 September 2010

Briefed by Mary Purdy

Council Executive Board

Page 2

Discussion

• Background
• Policies and Direction for Cybersecurity/IA Workforce (CS/IAWF) Management
• DON IAWF Management 2010 Requirements
• Management, Oversight and Compliance
• Site Review Checklist
• Tools to Assist in Compliance
• Command alternatives to address individual non-compliance of commercial certification requirements

Page 3

Direction for IAWF Management:

Federal Information Security Management Act

DODD 8570.01 “Information Assurance Training, Certification, and Workforce Management”

DOD 8500 Series “Information Assurance”

DOD 8570.01-M “Information Assurance Workforce Improvement Program”

SECNAVINST M‑5239.3B “Information Assurance Policy”

SECNAVMAN 5239.2 “IAWF Management Manual to Support IA WIP”

DON CIO 021504Z FEB 10 MSG, Subj: “Cybersecurity/IA Workforce Improvement Program Implementation Status/CY 2010 Action Plan”

SECNAVINST 5239.20, “IA Workforce Management, Oversight, and Compliance” (signed on 19 Jun 2010)

Service official messages

Applies to civilian, military, local national, contractor; full time or “as assigned”; regardless of job series/occupational specialty

Page 4

Impact of the “Cyber” initiatives on IA Workforce

National Initiative for Cybersecurity Education (NICE)

• Cyberspace: (DoD) A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

• Cybersecurity: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communications, including information contained therein, to ensure its availability, integrity, authentication, confidentiality and non-repudiation.” (NSPD 54/HSPD 23)

1 IT Infrastructure, Operations, Maintenance, and Information Assurance

2 Domestic Law Enforcement & Counterintelligence

3 Specialized Cybersecurity Operations

Page 5

Cybersecurity World

USN

1,842 Officer

12,155 Enlisted

10,608 Civilian

Page 6

UNCLASSIFIED

DoD 8570.01-M Baseline Certifications

[Figure: chart of DoD 8570.01-M baseline certifications; labels surviving extraction: GCIH, CAP, CEH]

Page 7

DRAFT Update to Chapter 10 of DoD 8570.01-M

Page 8

DON CIO Msg 021504Z FEB 10 - 2010 ACTIONS.

• Ensure 100% of personnel filling IAT and IAM billets certified by 31 Dec ’10

• Develop plan to meet OS/CE certification requirements. Training may be accomplished in service schools and a certificate may be awarded.

• Commercially certify 70% of the CND SP and IASAE Specialties by 31 Dec ’10.

• Ensure 5% of commands receive a CS/IAWF inspection/compliance visit in 2010.

• Provide 2010 year end report electronically.

• Ensure annual IS user awareness training is augmented with command guidance.

• Ensure continuous learning is a standard business practice.

• Integrate tenets of CS/IAWF improvement into military operational exercises, the DRRS, METLs, PQS/OJT, and the IG checklist.

• Develop headquarters level, red and blue team IAWF compliance visit methodology.

• Consolidate IA tasks into full-time positions and reduce collateral duty.

• Fund DON mandated requirements through the POM process.


Page 9

DoDD 8570.1 – Compliance/Policy Factors

4.1. All authorized users of DoD IS shall receive initial IA awareness orientation as a condition of access and thereafter must complete annual IA refresher awareness.

4.2. Privileged users and IA managers shall be fully qualified per reference (b), trained, and certified to DoD baseline requirements to perform their IA duties.

4.3. Personnel performing IA privileged user or management functions, regardless of job series or military specialty, shall be appropriately identified in the DoD Component personnel databases.

4.4. All IA personnel shall be identified, tracked, and managed so that IA positions are staffed with personnel trained and certified by category, level, and function.

4.5. All positions involved in the performance of IA functions shall be identified in appropriate manpower databases by category and level.

4.6. The status of the DoD Component IA certification and training shall be monitored and reported as an element of mission readiness and as a management review item per reference (b).

Critical compliance requirements & accountabilities

IAMs team with HR, Personnel, & Training Officers to implement IA WIP.

Page 10

SECNAVMAN 5239.2 IA WIP Site Review Checklist

Method: Site level review of IA WIP program plans, including documentation and procedures review.

Core Review Areas: IA Workforce Management, IA Training, IA Certification

Purpose: To assess the capability, performance and compliance against policies and requirements of DoDD 8570.1 and DoD 8570.01-M.

Critical Element: Have IA and HR management personnel at the site level developed and implemented an IA Workforce Improvement Program (IA WIP)?

DON Information Awareness Site Review Checklist

• On-site review to verify implementation & determine compliance status

• Target: 5% of commands per year

Assessment & Gap analysis

Page 11

Actions to Become Compliant

• Ensure civilian PDs contain requirement

• Ensure contracts contain contractor requirement

• Ensure positions are identified/tracked in Navy TWMS

• Use Carnegie Mellon Virtual Training Environment (www.cert.vte.org) and/or NAVCYBER funded e-Learning (https://navyiacertprep.skillport.com)

• Ensure individual’s info is in Defense Workforce Certification Application (DWCA) and Total Workforce Management System (TWMS)

Page 12

Tools to Assist in Compliance

• IA WIP Compliance/Assist Visits
  – DoD Defense IA Program
  – Naval Audit Service
  – DON Headquarters level
  – Service IA WIP Office of Primary Responsibility
  – Inspector General
  – DoD Command Cyber Readiness Inspection (CCRI)
  – Red and Blue Team assist.

• Request IAWF Management Oversight and Compliance Council (IAWF MOCC) Leadership briefing to your leadership

Page 13

In the event an individual assigned to an IAWF position does not meet the C.C. compliance requirements:

The Command has options:

• Issue a letter requiring performance improvement;

• Counsel/mentor/provide additional training

• Transfer the employee to a non-IAWF position; or

• DAA Grant waiver and additional time to meet requirement

• Terminate employment in accordance with established OCHR guidelines.

Page 14

Summary: Cyber/IT Career Development

Improving the Workforce through “Continuous Learning”

Page 15

Background Information

Page 16

Page 17

Per DoD 8570.01-M & SECNAV M-5239.2 the total force must obtain commercial certification to remain in the CS/IA workforce.

Regarding IAWF civilians:

• Civilian personnel managers and supervisors must ensure:

• The position description (PD) and the HR hiring checklist contain the requirement to obtain commercial certification (C.C.) as a condition of employment;

• Commanding Officer’s appointment letter may also state a C.C. is required to meet DoD 8570.01-M.

• Those with “privileged access” acknowledge IA and CE C.C. requirements;

• The C.C. process is provided; direction given for the IAWF member to take a C.C. pre-test, e-Learning, or VTE, and/or classroom training;

• The command offers remedial training if testing is unsuccessful;

• The supervisor mentors throughout the C.C. process;

• The command offers an employee the opportunity to take the C.C. test three times;

• The individual’s supervisor counsels the individual as appropriate;

• The supervisor/IA professional meetings are documented; and

• The employee maintains C.C. currency in accordance with standard procedure.

Page 18

DoD DFARS 48 CFR Parts 239 and 252 RIN 0750-AF52

Regarding Contractors:

• Defense Federal Acquisition Regulation Supplement; Information Assurance Contractor Training and Certification (DFARS Case 2006-D023).

– According to the DoD AT&L PoC, any change to an existing contract will need to be negotiated with the contractor. The corresponding guidance is posted to their website at http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html

– This document requires "The designated contracting officer's representative (COR) to document the current information assurance certification status of contractor personnel by category and level, in the Defense Eligibility Enrollment Reporting System" (DEERS). However, the Defense Manpower Data Center (DMDC) is still developing the database/process to support this requirement, so CORs cannot provide that information to DEERS at this time. (Look for an upcoming DON CIO official message to provide DON guidance when the DoD tool is ready. In the meantime, report per service direction.)