IA Workforce Improvement Program


IA Workforce Improvement Program
Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance

Chris Kelsall DON CIO, Director, Cyber/IT Workforce
Ray Letteer HQMC C4, Senior Information Assurance Official
LCDR Brooke Zimmerman CNO N2/N6, Information Dominance Community Manager
Mike Knight NAVCYBERFOR, IA Workforce Program Manager
Pete Gillis HQMC C4, Occupation Field Management Council Executive Board

IA Workforce Improvement Program 22 September 2010
Briefed by Mary Purdy

Discussion Background Policies and Direction for Cybersecurity/IA Workforce (CS/IAWF) Management DON IAWF Management 2010 Requirements Management, Oversight and Compliance Site Review Checklist Tools to Assist in Compliance Command alternatives to address individual non-compliance of commercial certification requirements

Direction for IAWF Management:
- Federal Information Security Management Act
- DODD 8570.01 “Information Assurance Training, Certification, and Workforce Management”
- DOD 8500 Series “Information Assurance”
- DOD 8570.01-M “Information Assurance Workforce Improvement Program”
- SECNAVINST M‑5239.3B “Information Assurance Policy”
- SECNAVMAN 5239.2 “IAWF Management Manual to Support IA WIP”
- DON CIO 021504Z FEB 10 MSG, Subj: “Cybersecurity/IA Workforce Improvement Program Implementation Status/CY 2010 Action Plan”
- SECNAVINST 5239.20, “IA Workforce Management, Oversight, and Compliance” (signed on 19 Jun 2010)
- Service official messages

Applies to civilian, military, local national, contractor; full time or “as assigned”; regardless of job series/occupational specialty.

Impact of the “Cyber” initiatives on IA Workforce
- National Initiative for Cybersecurity Education (NICE)
- Cyberspace: (DoD) A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
- Cybersecurity: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communications, including information contained therein, to ensure its availability, integrity, authentication, confidentiality and non-repudiation.” (NSPD 54/HSPD 23)

1 IT Infrastructure, Operations, Maintenance, and Information Assurance
2 Domestic Law Enforcement & Counterintelligence
3 Specialized Cybersecurity Operations

Cybersecurity World Officer Enlisted Civilian 1,842 12,155 10,608 USN

DoD 8570.01-M Baseline Certifications (UNCLASSIFIED)
[Certification chart not preserved; surviving labels: GCIH, CAP, CEH]

DRAFT Update to Chapter 10 of DoD 8570.01-M

DON CIO Msg 021504Z FEB 10 - 2010 ACTIONS
- Ensure 100% of personnel filling IAT and IAM billets certified by 31 Dec ‘10.
- Develop plan to meet OS/CE certification requirements. Training may be accomplished in service schools and a certificate may be awarded.
- Commercially certify 70% of the CND SP and IASAE Specialties by 31 Dec ‘10.
- Ensure 5% of commands receive a CS/IAWF inspection/compliance visit in 2010.
- Provide 2010 year end report electronically.
- Ensure annual IS user awareness training is augmented with command guidance.
- Ensure continuous learning is a standard business practice.
- Integrate tenets of CS/IAWF improvement into military operational exercises, the DRRS, METLs, PQS/OJT, and the IG checklist.
- Develop headquarters level, red and blue team IAWF compliance visit methodology.
- Consolidate IA tasks into full-time positions and reduce collateral duty.
- Fund DON mandated requirements through the POM process.

DoDD 8570.1 – Compliance/Policy Factors
Critical compliance requirements & accountabilities

4.1. All authorized users of DoD IS shall receive initial IA awareness orientation as a condition of access and thereafter must complete annual IA refresher awareness.
4.2. Privileged users and IA managers shall be fully qualified per reference (b), trained, and certified to DoD baseline requirements to perform their IA duties.
4.3. Personnel performing IA privileged user or management functions, regardless of job series or military specialty, shall be appropriately identified in the DoD Component personnel databases.
4.4. All IA personnel shall be identified, tracked, and managed so that IA positions are staffed with personnel trained and certified by category, level, and function.
4.5. All positions involved in the performance of IA functions shall be identified in appropriate manpower databases by category and level.
4.6. The status of the DoD Component IA certification and training shall be monitored and reported as an element of mission readiness and as a management review item per reference (b).

IAMs team with HR, Personnel, & Training Officers to implement IA WIP.

SECNAVMAN 5239.2 IA WIP Site Review Checklist

DON Information Awareness Site Review Checklist
Method: Assessment & Gap analysis. Site level review of IA WIP program plans, including documentation and procedures review.
Core Review Areas: IA Workforce Management, IA Training, IA Certification
Purpose: To assess the capability, performance and compliance against policies and requirements of DoDD 8570.1 and DoD 8570.01-M.
Critical Element: Have IA and HR management personnel at the site level developed and implemented IA Workforce Improvement Program (IA WIP)?

On-site review to verify implementation & determine compliance status
Target: 5% of commands per year

Actions to Become Compliant
- Ensure civilian PDs contain requirement
- Ensure contracts contain contractor requirement
- Ensure positions are identified/tracked in Navy TWMS
- Use Carnegie Mellon Virtual Training Environment (www.cert.vte.org) and/or NAVCYBER funded e-Learning (https://navyiacertprep.skillport.com)
- Ensure individual’s info is in Defense Workforce Certification Application (DWCA) and Total Workforce Management System (TWMS)

Tools to Assist in Compliance IA WIP Compliance/Assist Visits DoD Defense IA Program Naval Audit Service DON Headquarters level Service IA WIP Office of Primary Responsibility Inspector General DoD Command Cyber Readiness Inspection (CCRI) Red and Blue Team assist. Request IAWF Management Oversight and Compliance Council (IAWF MOCC) Leadership briefing to your leadership

The Command has options:
In the event an individual assigned to an IAWF position does not meet the C.C. compliance requirements, the Command has options:
- Issue a letter requiring performance improvement;
- Counsel/mentor/provide additional training
- Transfer the employee to a non-IAWF position; or
- DAA Grant waiver and additional time to meet requirement
- Terminate employment in accordance with established OCHR guidelines.

Summary: Cyber/IT Career Development Improving the Workforce through “Continuous Learning”

Background Information

Regarding IAWF civilians:
Per DoD 8570.01-M & SECNAV M-5239.2 the total force must obtain commercial certification to remain in the CS/IA workforce.

Civilian personnel managers and supervisors must ensure:
- The position description (PD) and the HR hiring checklist contain the requirement to obtain commercial certification (C.C.) as a condition of employment;
- Commanding Officer’s appointment letter may also state a C.C. is required to meet DoD 8570.01-M.
- Those with “privileged access” acknowledge IA and CE C.C. requirements;
- The C.C. process is provided; direction given for the IAWF member to take a C.C. pre-test, e-Learning, or VTE, and/or classroom training;
- The command offers remedial training if testing is unsuccessful;
- The supervisor mentors throughout the C.C. process;
- The command offers an employee the opportunity to take C.C. test three times;
- The individual’s supervisor counsels the individual as appropriate;
- The supervisor/IA professional meetings are documented; and
- The employee maintains C.C. currency in accordance with standard procedure.

DoD DFARS 48 CFR Parts 239 and 252 RIN 0750-AF52
Regarding Contractors:
Defense Federal Acquisition Regulation Supplement; Information Assurance Contractor Training and Certification (DFARS Case 2006-D023).

According to the DoD AT&L PoC, any change to an existing contract will need to be negotiated with the contractor. The corresponding guidance is posted to their website at http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html

This document requires "The designated contracting officer's representative (COR) to document the current information assurance certification status of contractor personnel by category and level, in the Defense Eligibility Enrollment Reporting System" (DEERS). However, the Defense Manpower Data Center (DMDC) is still developing the database/process to support this requirement, so CORs cannot provide that information to DEERS at this time. (Look for upcoming DON CIO official message to provide DON guidance when DoD tool is ready. In the meantime, report per service direction.)