In today’s economy, we are all looking to save some money. This applies even to our security training budgets. The last three SANS certifications I obtained were made possible by the SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange they can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.). So it was with great interest that I read about the Community of Interest in Network Security (COINS) program. Stephen Northcutt wrote:
Please note that if you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.
Being very interested, I contacted Steve Peterson, director of mentor programs. Steve explained that COINS is a fairly new program at SANS. To quote Steve:
The goal of COINS is to work with local security organizations to strengthen the security community by offering SANS discounts to chapter members and free content to chapter meetings. COINS typically will run an event at our conferences as well. If you attend a conference, keep an eye out for the COINS event.
I used the COINS program to sign up for the SANS® +S™ Training Program for the CISSP® Certification Exam (Management 414). While I tend to prefer more technically focused courses, DoD Directive 8570 convinced me that having the Certified Information Systems Security Professional (CISSP) certification would be useful. To quote the 8570 FAQ:
DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.
Agencies covered by 8570 include:
- Office of the Secretary of Defense
- Military Departments
- Chairman of the Joint Chiefs of Staff
- Combatant Commands
- Office of the Inspector General of the DoD
- Defense Agencies
- DoD Field Activities
- All other organizational entities in the DoD
Any full- or part-time military service member, contractor, or local national with privileged access to a DoD information system who performs information assurance functions, regardless of job or occupational series, is affected by 8570. For fiscal year 2008, the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.
The tables below describe the DoD Approved Baseline Certifications, according to DoD 8570.01-M. This includes requirements for Information Assurance Technical (IAT), IA Management (IAM), IA System Architect and Engineer (IASAE), and Computer Network Defense-Service Provider (CND-SP) positions. All must be fully trained and certified to baseline requirements to perform their IA duties.
IAT workforce members consist of anyone with privileged information system access performing IA functions. IAT Level certifications are cumulative: higher level certifications qualify for lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell.
| IAT Level I | IAT Level II | IAT Level III |
|---|---|---|
| A+, Network+, SSCP | GSEC, Security+, SCNP, SSCP | CISA, **CISSP**, GSE, SCNA |
IAM personnel are responsible for the secure implementation and operation of a DoD information system (IS). IAMs perform IS security management functions for DoD operational systems. Management certifications corresponding to the position level do not cascade down: each position requires the individual to meet one of the specific certifications associated with that Management Level. An IAM I must obtain one of the certifications shown in the IAM I box, such as the GISF. The IAM I should not take the CISSP unless already qualified in one of the certifications listed in the IAM I box (e.g., GISF).
| IAM Level I | IAM Level II | IAM Level III |
|---|---|---|
| GISF, GSLC, Security+ | GSLC, CISM, **CISSP** | GSLC, CISM, **CISSP** |
The CND-SP personnel are members of “Accredited” CND-SP teams performing the functions listed.
| CND Analyst | CND Infrastructure Support | CND Incident Responder | CND Auditor | CND-SP Manager |
|---|---|---|---|---|
| GCIA | SSCP | GCIH, CSIH | CISA, GSNA | CISSP-ISSMP, CISM |
IASAE personnel perform system design functions, such as requirements gathering.
| IASAE I | IASAE II | IASAE III |
|---|---|---|
| **CISSP** | **CISSP** | ISSEP, ISSAP |
In the tables above, I put CISSP in bold, along with a few other certifications I currently possess, as an example of how a few certifications can help cover requirements for many of the DoD Information Assurance positions. With the CISSP certification, IAT Levels I, II and III are covered, along with IASAE I and II. It is easy enough to pick up one of the IAM Level I certifications, depending on what you are managing, and the CISSP will cover you for IAM Levels II and III.
Now, if you are not directly affected by 8570, why should you care? There are a large number of military service members, contractors, and local nationals with privileged access to DoD information systems. These folks are performing information assurance functions, and DoD 8570 will eventually require them to hold various security certifications. At some point, there is a good chance that these certified individuals are going to be competing with you for a job. Management often does not know how to tell the difference between candidates. Obtaining these certifications will help level the playing field so you can get past human resources, obtain management approval, and have the opportunity to impress the security folks. Of course, obtaining training and taking certification exams can get expensive. Thankfully, there are programs like the SANS Work Study and COINS programs providing great options for those with financially disadvantaged training budgets.
Hi!! Well I appreciate the COINS Plug that you put here. That is awesome! I run this program; so if you have any other questions, please don’t hesitate to shoot me an email and I will help you the best I can.
FYI – SANS is coming to San Antonio, TX in June, and I can offer 10% discounts to individuals who are interested in attending our Computer Forensics, Investigation, and Response course, taught by Dave Hull. If you want to help out with this class, let me know; we may have an opening.
Thanks for your SANS support!!!