Improving The Cyber Workforce

Improving the Cyber Workforce
IA Training, Certification and Workforce Management in DoD
George Bieber
Defense-wide IA Program (DIAP)
george.bieber@osd.mil
8/5/2008

Outline
- Background
- Status of IA Workforce Improvement Program
- Awareness (ISS LOB)
- Training & Exercises
- Challenges

Landscape circa 2005
- ASD/C3I & USD/P&R memo: IA Training & Certification (6/98)
- Unknown size/composition of the IA workforce
  - People, positions not "tagged" for IA
  - No military IA career path, skill indicators
  - Personnel, manpower databases lacked fields to track
  - Unknown number of personnel performing IA functions part time as "additional duty"
  - Unknown number of personnel outside IT career fields performing IA functions
- Wide variation in training content (depth & breadth)
- Inconsistent implementation across the Department
- Inconsistent implementation within Components (military, civilian, contractor, local nationals; globally deployed)
- Internal certification not recognized Department-wide
- Component "certification" largely undefined
- Schools struggling to keep pace with the challenge
- No visibility into spending on IA training & certification
- Minimal exercise or evaluation of IT/IA training

Strategy: Objectives and Impact

Certify the Workforce
- Improved IA posture ("raise the floor" on baseline skills)
- Foundation of a professional IA workforce
- Mechanism to "raise the bar" on future skills

Manage the Workforce
- Ability to assign trained/certified personnel to IA positions
- Ability to conduct manpower studies; establish standards
- Elevates priority of IA for training dollars

Sustain the Workforce
- Enables personnel to hone IA skills and keep current with technology, threats and vulnerabilities, tools, techniques

Extend the Discipline
- Leaders at all levels understand impact of IA on mission accomplishment
- A model Allies, coalition partners can emulate
- IA literacy for critical non-IT disciplines

Evaluate the Workforce
- Leadership visibility into the IA workforce
- IA WIP "product improvement"
- Measure impact on IA posture

Policy (DoD 8570.1 and DoD 8570.01-M)
- Applies to civilian, military, local national, contractor; full time or "as assigned"; regardless of job series/occupational specialty
- Defines IA workforce categories, levels, functions
- Mandates use of commercial certifications to validate DoD baseline knowledge and skills
- Requires certifications be accredited under ISO/IEC 17024, General requirements for bodies operating certification of persons
- Assign position specialty code/skill identifiers
- Identify positions in manpower databases
- Record, track contractors' certification status
- Require IA in all levels of professional military education
- Specifies reporting requirements
- Provides for oversight, "product improvement"

Note: ISO/IEC 17024 defines "certification". It focuses on processes: presence of a job task analysis (link to jobs; defines the work and skills), validation and construction of the test, continuous learning/periodic retest, study (EEO), security.

IA Workforce Improvement Program: Current Status and Initiatives

Current Status
- Met first year goal to certify 10% of the workforce; collectively, COCOMs have up to 40% of their workforce certified
- All mandated certifications have met or are well into the process of meeting ISO/IEC 17024 requirements to be ANSI accredited
- Renewed focus on personnel: e.g., AF cyber corps with IA career path; Army WO career path
- IA beginning to be taken to non-IT/IA leadership through professional military education, IA "boot camps", etc.
- 8570 compliance validation plan in place; first on-site review conducted by OSD
- NDU/IRMC courses support learning for CISSP, CISM certifications
- Certification corporate memberships, self-assessments, annual fees for individuals paid for by DoD
- Change 1 to the 8570 Manual published

Change 1 to 8570 Manual (15 May 2008)

New categories and baseline certifications:
- Computer Network Defense Service Providers (CND SP): CND, CND Infrastructure
- Information Assurance System Architects and Engineers (IASAE):
  - IASAE I: CISSP (or Associate)
  - IASAE II: CISSP (or Associate)
  - IASAE III: ISSEP, ISSAP

Other changes:
- Clarifies local operating system certification includes security related tools/devices
- Adds IRMC 4012 certificate courses & Information System C&A course (Catalog #6209) for DAAs
- Changes report accounting from FY to CY
- Provides a year for implementation of Change 1
- Adds "or Associate" to IAT and IAM CISSP

http://www.dtic.mil/whs/directives/

Implementation/Process Improvement Initiatives (1)

Workforce Management Support Systems
- DCPDS (Defense Civilian Personnel Data System)
- PCSS (Personnel Certification Support System): http://www.dodpcss.com
- DoD Defense Workforce Certification Interface (DWCI): authoritative data source for an individual's certification status; allows automated transfer of select data on an individual's certification status. https://www.dmdc.osd.mil/dwc
- Contractor certification verification database: track contractors with IA responsibilities, their category/level and certification status (under development)

DFARS Clause
- Defense Federal Acquisition Regulation (DFAR) formally updated to reflect the 8570 certification requirement for contractors (Federal Register, Vol. 73, No. 7, Thursday, January 10, 2008)

Implementation/Process Improvement Initiatives (2)
- FY08 funding provided for certification test vouchers
- DoD IA Skill Standards (IASS) Survey (Job Task Analysis)
  - 56 IA functions performed by DoD IA personnel
  - Demographics of personnel performing IA functions
  - Interest by civilian Departments and Agencies?

Other Activities
- DoD on the ANSI Personnel Certification Accrediting Committee
- DoD SMEs participating on certification provider advisory boards, certification review committees and test writing working groups
- DIAP support to the Performance Testing Council (PTC); bring more performance testing into certification
- Continue to examine commercial certifications against functional requirements in DoD Manual 8570.01-M, "Information Assurance Workforce Improvement Program", for applicability to DoD

Implementation/Process Improvement Initiatives (3)

Certification Self-Assessments
- Determine personnel "readiness to test"
- Identify knowledge gaps; areas to focus training
- CompTIA: Self-assessments are available for each DoD approved CompTIA certification, including the CompTIA A+, CompTIA Network+ or CompTIA Security+ certifications, through 28 February 2009
- GIAC: "short-assessments" for GISF, GSEC, GSLC and Security are available through 31 December 2008
- (ISC)2: Self-assessments are available for the CISSP and SSCP certifications through 31 December 2008
- ISACA: has developed CISA and CISM self-assessment tools to help exam candidates assess their knowledge of the exam job practice areas and determine their strengths and weaknesses

New and Revised Security Controls

Existing Controls
- PRTN-1 Information Assurance Training
- DCSD-1 IA Documentation

New Controls
- PRWF-1 Workforce Management Policy: positions required to perform Information Assurance (IA) functions are established in writing and identified in the appropriate manpower table of organization or manning document, designated by IA category and level. People are identified in personnel databases. The manning document identifies all IA positions by specific IA category, level, and functions.
- PRCT-1 Personnel Certification Policy: all personnel are certified to perform their assigned Information Assurance (IA) responsibilities, to include certification of baseline security and Operating System (OS) skills.

Assessing Compliance

DoD CIO Compliance Program
- Verify compliance with security regulations and DoD IA policy as it pertains to people
- Review materials submitted by Components in response to DoD & FISMA requirements
- On-site review at Component location to verify documentation & determine compliance status
- Is policy implemented as intended? Is compliance resulting in the intended outcome (Operations)? What else is needed to achieve the desired end state (Programs)?

DoD Information Awareness Site Review Checklist
- Critical Element: Have IA and HR management personnel at the site level developed and implemented an IA Workforce Improvement Program (IA WIP)?
- Purpose: To assess the capability, performance and compliance against the policies and requirements of DoDD 8570.1 and DoD 8570.01-M.
- Core Review Areas: IA Workforce Management, IA Training, IA Certification
- Method: Site level review of IA WIP program plans, including documentation and procedures review.

Annual Awareness

DoD Shared Service Center (SSC) for Awareness

Organization: Assistant Secretary of Defense for Networks and Information Integration / DoD Chief Information Officer; Deputy Assistant Secretary of Defense (DASD) for I&IA; DIAP, IA Workforce Improvement Program; Defense Information Systems Agency (DoD-wide IA training); Information Assurance Program

- OMB designated ISS LoB SSC for IA awareness training
- Developing baseline at no cost to Components
- "Customers" implement, track, & report; fund unique requirements
- Reducing duplicate efforts
- Oct 2007: Components required to use "DoD IA Awareness"
- Meets FISMA and DoD 8570 requirements
- DoD CIO management review item

Federal Customers (DoD IA Awareness; Federal ISS Awareness)
- Commodity Futures Trading Commission
- Defense Nuclear Facilities Safety Board
- Director of National Intelligence
- Education
- Energy
- Equal Employment Opportunity Commission
- Export Import Bank
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Reserve Bank
- Health and Human Services
- Merit Systems Protection Board
- Housing and Urban Development
- National Aeronautics and Space Administration
- Labor
- National Mediation Board
- Nuclear Regulatory Commission
- Nuclear Waste Technical Review Board
- Office of Government Ethics
- Railroad Retirement Board
- Small Business Administration
- Transportation
- Treasury

INFOSEC Awareness Training (survey of 10,000 users)
[Chart: survey results for "Useful/relevant information", "Teaches something new", "Course is the right length"]

FY09 Awareness Product Design

Training & Exercises

CyberOPs (DISA)
- Simple but powerful network layout presentation
- Realistic 3D models; accurate spatial representations
- Save & reuse networks as plain XML text (no binary data issues)
- Interactive 3D network configuration environment
- Controllable discrete-event simulation engine
- Automatic attack generation capability
- Instructor-driven, customizable scoring and performance measurement tools
- Campaign play mode progressing from unsecured to MAC II, Sensitive networks
- Customizable scenarios to target specific security issues
- Printable performance reports
- Complete tutorial and help modules
- Generates 10 different attack types in random sequences with random levels of effectiveness: Data Modification, Jamming, Sniffer Programs, Data Theft, Malicious Code, Spoofing, Denial of Service, Peer-to-Peer, Social Engineering, Trusted Insider

Other Products (CAC Required)
- Intro to HBSS
- HBSS
- SCCVI
- SCRI
UNCLASSIFIED
http://iase.disa.mil

FY09 Planned Initiatives

Virtual Training Environment (VTE): https://www.vte.cert.org
- On-demand technical training curriculum covering IA, DoD IA tools, and DoD 8570 certifications
- Move to .mil domain; reduce per seat cost; increase capacity to 100,000
- Mirror on SIPRnet to support deployed and afloat forces

IA Range
- A robust, "train as we fight" persistent virtual network operations environment:
  - Exercise, test & measure personnel; rapidly build expertise
  - Exercise, test & measure organizations
  - Test & evaluate tools and techniques
  - Access anytime, anywhere
  - No risk to an operational network
  - Service/agency autonomy; enterprise interoperability
- Build proficiency:
  - Proactive intrusion prevention
  - Early detection of threat/attack
  - Accurate assessment of threat/attack
  - Rapid application of "best" defense
- NSPD-54/HSPD-23: Comprehensive National Cybersecurity Initiative; need for personnel to get smarter faster to defeat all levels of threat

Approach to an IA Range

Tier 1 (Enterprise)
- Enterprise Infrastructure Backbone: NIDS, Firewalls, Analyst Console, IAP Monitoring
- Environmental Generator: Virtual Internet, Traffic Loading, Bandwidth Shaping
- SAST
- CEMAT (Consolidated Exercise Metrics Analysis Tool)

Tier 2 (Component)
- Connected via DREN / VPN / SAST
- DISA/Agencies, Air Force, Army, Marines, Navy
- TEXNET, TDS, ID Mgt Consoles, Firewalls
- Components model their Tier 2 structure & configuration

Tier 3 (Sub-component)
- Connected via DREN / VPN / SAST
- DISA, Air Force, Army, Marines, Navy
- Tools: REM/Hercules, Step IA Tools, HBSS, RETINA, Insider Threat, ESSG Tools
- Components model their Tier 3 structure & configuration

IA Range Future/Potential Interfaces
- DoD: Tier 1, Tier 2, Tier 3 (Components)
- Federal: Departments/Agencies
- International
- Industry
- States
- Other Ranges/Test-beds

"train proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage." (Annual Threat Assessment of the IC for the House Armed Services Committee, 13 Feb 08)

Data Collection Analysis
- Consolidated Exercise Metrics Analysis Tool (CEMAT)
- Trend Analysis Capability

Challenges

Challenges
- Identifying the workforce
- Ability to tag and track the workforce (databases)
- Educating leadership
- Personnel turnover (leadership & key staff)
- Fear of tests
- Managing expectations (of DoD, of certification providers)
- Bureaucrats
- Organizational: in-garrison vs deployed
- Outreach: getting the information to the IA workforce
- Funding (and retaining funding) for training
- Metrics and evaluation
  - Compliance (Is the policy being implemented as intended?)
  - Assessment (Does it make a difference?)

Parting Thoughts
- "If I get my people certified they'll quit and become contractors."
- "I have a degree; I don't need a certification."
- "I've been doing the job for 15 years, I don't need a certification."
- "The certifications have no value; they don't teach the DoD approach."
- "I know people who passed the test but can't do the job."
- "I have money for training thru 2010 because of 8570."
- "I'm studying for the CISM. It's hard. But don't water down the policy; there are too many people out here calling themselves IA professionals, but they don't have a clue about security."
- "Finally, I'll be able to get rid of the [less than knowledgeable people] they assign to protect my network."
- "Where commands got their people certified, retention was 80% or higher; commands that didn't had retention rates of 10% and below."

AFCEA Solutions Conference: Information Assurance
9-10 September 2008, Ronald Reagan International Trade Center
http://www.afcea.org/events/solutions

Tracks:
- Awareness and Literacy for Government in the Cyber Age: Extending cyber awareness and literacy to other disciplines beyond IT
- Growing Cyber Security Professionals for Tomorrow's Federal Workforce: Strengthening the cyber security workforce pipeline for the future
- Building Cyber Security Professionals for Today: Improving the current USG cyber security workforce to effectively defend our nation in cyberspace

Registration:
- Active Government/Military and Academia: 75
- Industry (AFCEA Member): 295
- Industry (Non-Member): 395

Detail

Baseline IA Certifications

Level    | Technical                  | Management
---------|----------------------------|--------------------
Level I  | A+, Network+, SSCP         | GSLC, Security+, GISF
Level II | GSEC, Security+, SCNP, SSCP| CISSP, GSLC, CISM
Level III| CISSP, SCNA, CISA, GSE     | CISSP, GSLC, CISM

"Technical certifications are part of our personnel development and are considered investment in our employees" (private sector best practice)

IA Training and Certification Requirements

Training Requirement                      | Tech Level I - III                  | Mgmt Level I - III                  | DAA (US Gov't employee only)
------------------------------------------|-------------------------------------|-------------------------------------|------------------------------
Initial Training                          | Yes                                 | Yes                                 | Yes (DISA WBT or IRMC 4012)
IA Certification (from approved list)     | Yes (within 6 months)               | Yes (within 6 months)               | No
OJT/Familiarization                       | Yes (for initial position)          | No                                  | No
Local OS Cert; security tools/devices     | Yes                                 | No                                  | No
Refresher Training/Continuing Ed          | Yes (as required by Certification)  | Yes (as required by Certification)  | No
Re-certification                          | Yes (as required by Certification)  | Yes (as required by Certification)  | Yes (every 3 years)

Workforce Education, Training & Certification: A Snapshot
(Based on 482 respondents during one joint ... Gov't Civilians)
[Chart not recoverable from the transcription]
Note: For the exercise most sites had the "A" team on double shifts; the margin of error is likely in the negative.

IA Range Drivers
- DoD IA Strategy (Goal 5): An IA workforce able to effectively employ IA tools, techniques and strategies to defeat adversaries, and proactively identify and mitigate the full spectrum of rapidly evolving threats to defend the Net
- National Military Strategy for Cyberspace Operations: more robust exercising with increased realism in a combined cyberspace operations range
- NSPD-54/HSPD-23: Comprehensive National Cybersecurity Initiative
- Need for personnel to get smarter faster to defeat all levels of threat (1G, 2G, 3G)
- T&E of enterprise tool effectiveness individually and in combination with other tools and devices in a realistic operational environment, including impact of, and on, the human factor (training; workload)
- Automated T&E data collection and reduction, analysis capability to replace man-power intensive methods/reduce cost
- Rigorous, timely, standardized reporting across all exercises to address IA and workforce metrics and trends over time; impact real-world operations (e.g., rapid detection of intrusions vs accuracy of assessment)

User Requested Capabilities
- Availability 24/7/365
- Flexible / scalable
- Support Service/Component specific CND exercises as well as Joint events
- Unclassified but closed network; with ability to connect to higher classification networks
- Supports Service/Component specific equipment (HW/SW; simulators)
- Capable of repeat/replay/refresh scenarios
- Navigation and targeting down to the host level (Red Team exploit)
- Linked pre-/post-event training (e.g., via CBT/Web)
- Current architecture, but evolves as the Enterprise evolves
- Full suite of services: VoIP/IM/mail/P2P, HBSS, PKI/CAC, IPv6 (by FY10)
- Sufficient robustness to allow for JTF-GNO directives to be implemented
- Supports wireless/mobile devices
- Fake internet of thousands of sites, some with malicious content; includes .com/.org/.gov/.edu etc.
- Provides capability for Red Team attacks from the fake internet (including "cover fire" to mask the attacks) for a range of threats

Anatomy of an Attack

Red Team
- Time (start, duration)
- # of Hops
- Attack Vector (AV)
- AV/AV Analysis; AV vs. AV
- Continuing Damage

Training Audience
- Time of Detection
- # of Hops
- AV/Weakness Category (WC)
- How/Where
- "Why didn't we see it here?"
