200 likes | 498 Vues
Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance. Chris Kelsall DON CIO, Director, Cyber/IT Workforce Ray Letteer HQMC C4, Senior Information Assurance Official LCDR Brooke Zimmerman CNO N2/N6, Information Dominance Community Manager Mike Knight
E N D
Cybersecurity/Information Assurance Workforce Management, Oversight, and Compliance Chris Kelsall DON CIO, Director, Cyber/IT Workforce Ray Letteer HQMC C4, Senior Information Assurance Official LCDR Brooke Zimmerman CNO N2/N6, Information Dominance Community Manager Mike Knight NAVCYBERFOR, IA Workforce Program Manager Pete Gillis HQMC C4, Occupation Field Management Council ExecutiveBoard IA Workforce Improvement Program 22 September 2010 Briefed by Mary Purdy
Discussion • Background • Policies and Direction for Cybersecurity/IA Workforce (CS/IAWF) Management • DON IAWF Management 2010 Requirements • Management, Oversight and Compliance • Site Review Checklist • Tools to Assist in Compliance • Command alternatives to address individual non-compliance of commercial certification requirements
Direction for IAWF Management : • Federal Information Security Management Act • DODD 8570.01 “Information Assurance Training, Certification, and Workforce Management” • DOD 8500 Series “Information Assurance” • DOD 8570.01-M “Information Assurance Workforce Improvement Program” • SECNAVINST M‑5239.3B “Information Assurance Policy” • SECNAVMAN 5239.2 “IAWF Management Manual to Support IA WIP” • DON CIO 021504Z FEB 10MSG, Subj: “Cybersecurity/IA Workforce Improvement Program Implementation Status/CY 2010 Action Plan” • SECNAVINST 5239.20, “IA Workforce Management, Oversight, and Compliance (signed on 19 Jun 2010) • Service official messages Applies to civilian, military, local national, contractor; full time or “as assigned”; regardless of job series/occupational specialty
Impact of the “Cyber” initiatives on IA Workforce National Initiative for Cybersecurity Education (NICE) Cyberspace: (DoD) A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Cybersecurity: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communications, including information contained therein, to ensure its availability, integrity, authentication, confidentially and non-repudiation.” (NPSPD 54/HSPD 23) 1 IT Infrastructure, Operations, Maintenance, and Information Assurance 2 Domestic Law Enforcement & Counterintelligence 3 Specialized Cybersecurity Operations
Cybersecurity World 5
UNCLASSIFIED DoD 8570.01-M Baseline Certifications GCIH CAP CAP CEH CEH CEH CEH UNCLASSIFIED
DON CIO Msg 021504Z FEB 10 - 2010 ACTIONS. • Ensure 100 % of personnel filling IAT and IAM billets certified by 31 Dec ‘10 • Develop plan to meet OS/CE certification requirements. Training may be accomplished in service schools and a certificate may be awarded. • Commercially certify 70 % of the CND SP AND IASAE Specialties by 31 Dec ‘10. • Ensure 5 % of commands receive a CS/IAWF inspection/ compliance visit in 2010. • Provide 2010 year end report electronically. • Ensure annual IS user awareness training is augmented with command guidance. • Ensure continuous learning is a standard business practice. • Integrate tenets of CS/IAWF improvement into military operational exercises, the DRRS, METLs, PQS/OJT, and the IG check list. • Develop headquarters level, red and blue team IAWF compliance visit methodology. • Consolidate IA tasks into fulltime positions and reduce collateral duty. • Fund DON mandated requirements through the POM process.
DoDD 8570.1 – Compliance/Policy Factors Critical compliance requirements & accountabilities IAMs team with HR, Personnel, & Training Officers to implement IA WIP.
DON Information Awareness Site Review Checklist Critical Element Have IA and HR management personnel at the site level developed and implemented IA Workforce Improvement Program (IA WIP)? Purpose To assess the capability, performance and compliance against policies and requirements of DoDD 8570.1 and DoD 8570.01-M. Core Review Areas IA Workforce Management, IA Training, IA Certification Method Site level review of IA WIP program plans, including documentation and procedures review. Assessment & Gap analysis SECNAVMAN 5239.2 IA WIP Site Review Checklist • On-site review to verify implementation & determine compliance status • Target: 5% of commands per year
Actions to Become Compliant • Ensure civilian PDs contain requirement • Ensure contracts contain contractor requirement • Ensure positions are identified/tracked in Navy TWMS • Use Carnegie Mellon Virtual Training Environment (www.cert.vte.org) and/or NAVCYBER funded e-Learning (https://navyiacertprep.skillport.com) • Ensure individual’s info is in Defense Workforce Certification Application (DWCA) and Total Workforce Management System (TWMS)
Tools to Assist in Compliance • IA WIP Compliance/Assist Visits • DoD Defense IA Program • Naval Audit Service • DON Headquarters level • Service IA WIP Office of Primary Responsibility • Inspector General • DoD Command Cyber Readiness Inspection (CCRI) • Red and Blue Team assist. • Request IAWF Management Oversight and Compliance Council (IAWF MOCC) Leadership briefing to your leadership
In the event an individual assigned to an IAWF position does not meet the C.C. compliance requirements: • The Command has options: • Issue a letter requiring performance improvement; • Council/mentor/provide additional training • Transfer the employee to a non-IAWF position; or • DAA Grant waiver and additional time to meet requirement • Terminate employment in accordance with established OCHR guidelines.
Summary:Cyber/IT Career DevelopmentImproving the Workforce through“Continuous Learning”
Per DoD 8570.01-M & SECNAV M-5239.2 the total force must obtain commercial certification to remain in the CS/IA workforce. Regarding IAWF civilians: • Civilian personnel managers and supervisors must ensure: • The position description (PD) and the HR hiring checklist contain the requirement to obtain commercial certification (C.C. ) as a condition of employment; • Commanding Officer’s appointment letter may also state a C.C. is required to meet DoD 8570.01-M. • Those with “privileged access” acknowledge IA and CE C.C. requirements; • The C.C. process is provided; direction given for the IAWF member to take a C.C. pre-test, e-Learning, or VTE, and/or classroom training; • The command offers remedial training if testing is unsuccessful; • The supervisor mentors throughout the C.C. process; • The command offers an employee the opportunity to take C.C. test three times; • The individual’s supervisor counsels the individual as appropriate; • The supervisor/IA professional meetings are documented; and • The employee maintains C.C. currency in accordance with standard procedure.
DoD DFARS 48 CFR Parts 239 and 252 RIN 0750-AF52 Regarding Contractors: • Defense Federal Acquisition Regulation Supplement; Information Assurance Contractor Training and Certification (DFARS Case 2006-D023). • According to DoD AT&L PoC any change to an existing contract will need to be negotiated with the contractor. The corresponding guidance is posted to their website at http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html • This document requires "The designated contracting officer's representative (COR) to document the current information assurance certification status of contractor personnel by category and level, in the Defense Eligibility Enrollment Reporting System" (DEERS). However, the Defense Manpower Data Center (DMDC) is still developing the database/process to support this requirement so CORs cannot provide that information to DEERS at this time. (Look for upcoming DON CIO official message to provide DON guidance when DoD tool is ready. In the mean time report per service direction.)