The United States Federal Government’s Department of Defense has many security requirements and regulations that you need to follow before you can do work for it. The data that belongs to the DoD is highly valuable, and it is also highly sensitive and confidential, which means a contractor cannot share it with just anyone. These requirements and regulations are, however, easy to understand, since they are laid out in the Defense Federal Acquisition Supplement. When it comes to DoD IT compliance regulations as a contractor or supplier, there are several viewpoints to consider.
DoD Directive 8570
In 2005, DoD Directive 8570 was issued to identify, tag, track and manage the cybersecurity workforce. The directive includes a manual that sets a standard IT certification requirement to validate the knowledge, skills and abilities of people who work in cybersecurity roles. Titled the “Information Assurance Workforce Improvement Program,” or IA WIP for short, the directive spells out what IT workers need to do to become certified. Personnel affected by this directive must be trained according to DoD guidelines so they can protect vital information that is in the nation’s interest.
Within the IA WIP there are two separate categories: Information Assurance Technical (IAT) and Information Assurance Management (IAM). Personnel working in the IAT category progress through three levels. The first level addresses information assurance in the computing environment. The second level addresses information assurance in the network environment. The third level addresses enclave, advanced network and computer information assurance. Each of these levels contains sublevels of defined personnel types, known as Entry Level, Intermediate and Advanced.
The certification a worker holds for an IA position must reflect the functions required for that position. An employee is usually given six months, counted from the first assignment to a position (or, for new employees, from the start date), to achieve the required DoD 8570 certification. Certifications available for an IAT position include, but are not limited to, the following:
CCNA-Security: A Level 1 certification. Cisco Certified Network Associate Security demonstrates that you are capable of developing a secure infrastructure and mitigating cyberthreats.
Certified Network Defender: A Level 2 certification. With this certification you demonstrate knowledge of defensive cyber operations, also called Blue-Teaming; the course teaches IT professionals how to manage defensive mechanisms that protect IT systems against cyberattacks.
GCIH: A Level 3 certification. Passing this exam demonstrates your understanding of handling security incidents and of how attack vectors and vulnerabilities affect IT systems.
DoD Directive 8140
In 2015, DoD Directive 8570 was replaced by Directive 8140. This directive expands the work roles that are covered, and it differs from Directive 8570 in several key ways. Directive 8140 reissues and renumbers Directive 8570 in order to update it. It also authorizes the establishment of a DoD cyberspace workforce management council, which exists to ensure that contractors meet all security requirements. Most importantly, the unifying language of this directive means the work roles of the cyberspace workforce are better aligned, managed and standardized.
Directive 8140 leverages the Defense Cybersecurity Workforce Framework (DCWF), which defines seven job categories. These categories in turn contain 33 specialty areas and 54 work roles.
Security Provision is a category that includes jobs such as architecture, engineering and operations. These involve Information Assurance functions in compliance, research, software and system development, and security engineering.
Jobs such as customer service, tech support, data administration, security analysis, network services and knowledge management fall under the category of Operate and Maintain. Protect and Defend is a category that covers defense against cyberattacks, defense analysis, vulnerability assessment and incident reporting.
The various kinds of network analysis, exploitation analysis, threat analysis and resource intelligence all belong to the Analyze category. Operate and Collect is a category covering cyber operations and planning, as well as collection operations, planning and implementation.
Oversight and Development is a category concerned with the legal consequences of conducting digital operations, with the emphasis on planning, education and awareness. The last category is Investigate, which covers investigations and forensics work on online security issues.
DoD Cyber Exchange: How to Achieve DoD IT Compliance
Most DoD organizations must be in compliance with Directive 8140. The DoD Cyber Exchange explains the four steps an IT company needs to take to obtain baseline certification.
1. A worker must identify his or her position, level and IT certification requirements within the IA workforce.
2. The worker must complete sufficient training for the IT certification, while properly following his or her organization’s protocols.
3. The worker then requests a certification voucher from the IA Manager.
4. The IA Manager is notified when the worker has finished training and when the certification has officially been earned.
The Economic Aspect of Compliance
Bidding on government contracts is a significant undertaking for an organization. In 2017, the DoD spent $294 Billion on goods and services. Organizations specializing in a wide variety of industries are capable of supplying the Federal Government with the goods and services it needs, but if they are to act as suppliers, they must follow specific standards. The DoD sets these standards as a condition of the economic support it provides in return. There are multiple systems that organizations must use for bidding, invoicing, asset tracking and other related economic functions. Because there is a risk of human error at every step of this process, the responsibilities of a supplier may be too intimidating for some organizations.
If your organization is going to work for the DoD, it is critical to operate and maintain a legitimate auditing system. Having this system in place helps minimize vulnerabilities and errors. An auditing system can detect when the contractor has misplaced or mishandled any part of the data, so it helps your organization identify problems that need to be addressed.
Corrective Action Request
Failure to follow DoD commerce requirements can result in delayed payments and other related cash flow issues. A lack of compliance can also lead to rejected shipments, future penalties, and the possibility that the DoD will not renew your contract.
Any compliance error can lead to a formal Corrective Action Request (CAR). This is a notification to suppliers asking them to address all errors. CAR procedures vary depending on the government organization you work for. CARs come in four levels, ranging from a minor infraction to a major violation.
A contractor receives a Level 1 CAR for a nonconformity that can be corrected right away. This kind of nonconformity does not require ongoing correction, so it is not systemic, significant or recurring.
A contractor receives a Level 2 CAR when a contractual nonconformity cannot be resolved immediately. Mistakes involving Critical Program Impact items, Safety of Flight items or critical safety items take significant time to address.
A Level 3 CAR is issued to the supplier’s top management, calling attention to a more severe contractual nonconformity. The supplier must acknowledge receipt and understanding of this CAR by an official due date. Contractual remedies can already be applied at this level, including reductions of progress payments, cost disallowances, or disapproval of business management systems.
If a Level 3 CAR proves ineffective, the government organization will issue a Level 4 CAR. At this level the contractual nonconformity is serious enough to warrant severe contractual remedies, including suspension of progress payments or of product acceptance activities.
Assessing Potential Risks
The DoD Cloud Computing Security Requirements Guide (SRG) is an extensive document that walks organizations through the authorization process for cloud computing services. Understanding this document and fully complying with its guidelines allows an organization to serve DoD customers. The Risk Assessment chapter of the document states that both the Cloud Service Offering (CSO) and the supported mission (the Mission Owner’s system or application) must fall under the umbrella of risk management. There are, however, key differences between what the Cloud Service Offering provides and addresses and what the Mission Owner addresses, as the SRG goes on to define.
There are two separate authorization boundaries for cloud computing, and the Cloud Service Provider (CSP) and the Mission Owner determine these boundaries jointly. One boundary is the CSP organization itself: its operating and security policies and procedures, its networks, applications and server platforms, and its physical facilities. In its evaluation process, the DoD assesses the potential risk to the DoD of allowing CSPs to connect to networks the DoD supports.
Defense Commerce Industry Experience
Supplying goods to the DoD is a unique experience, and it is important to partner with companies that have experience in defense commerce, because they can help you keep control of the process. Government compliance standards change over time, so staying in contact with a partnering company will help your organization stay up to date. Quickly implementing necessary changes to the way your organization performs commerce is vital.
At Datech, we help customers understand the process of achieving DoD IT compliance. We are based in Northwest Florida, and many of our clients have at one time worked with nearby military bases. Whether your organization needs help improving personnel security, setting up a plan for protecting systems and communications, or simply performing regularly scheduled maintenance, our team is ready to help.