AOH :: ISN-3281.HTM

Contractors should comply with DOD security training rules

Contractors should comply with DOD security training rules
Contractors should comply with DOD security training rules 

By Michael Hardy
Nov. 16, 2006

Contractors who are serious about getting Defense Department contracts 
should make sure now that their employees who have information assurance 
roles meet the standards set by DOD Directive 8570.1, according to 
panelists who spoke this morning at an Information Technology 
Association of America event.

"There's not a downside to contractors being certified," said Phyllis 
Scott, president of training firm TTSC. Contracts will require it, and 
contractors who are already certified will have an immediate advantage, 
she said.

DOD approved the directives proposal to train and certify at least 
80,000 department employees in four years in December 2005. The 
directive applies to every aspect of DOD -- military, agencies and 
contractors. It divides positions into technical or management, and 
applies different standards to each group, further subdivided by tiers.

Like DOD, contractors have to assess their organizations to identify the 
individuals and positions that should be working to meet the directive, 
Scott said. Assessing the positions is an important aspect, she added. 
Some positions are primarily concerned with information assurance and 
are obvious targets for training and certification. But others are more 
peripherally connected. They may also need to be given to certified 

In some cases, Scott said, managers may find such embedded positions 
that could easily be redefined. "Maybe we need to rethink how we're 
doing those positions," she said. "That's where we can really manage our 

Shelley Morris, a vice president at training firm New Horizons, told 
managers to look for what's already there. Some employees may already 
have certifications -- or be working toward them -- that fulfill the 
directive. When managers find a need for training, much of it is 
available commercially and need not be custom-designed.

The required certifications include common ones such as the Computing 
Technology Industry Association's Network+ and the International 
Information Systems Security Certification Consortium's Certified 
Information Systems Security Professional. The directive includes a 
matrix showing which certifications apply to each position. DOD 
components can choose one of the approved certifications to serve as 
their standard for each category and level.

In many cases, employees may have some but not all of the training they 
need to earn the certifications. "If your folks have pieces and parts of 
the knowledge needed for certification, you can put together something 
custom" to fill in the gaps, she said.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods