CISSP and DoD 8570/8140: What you need to know [Updated 2022]

March 17, 2022 by Greg Belding

Suppose your goal is to work as a government cybersecurity professional working with Information Assurance (IA), In that case, you will be required to earn a certification approved by the U.S. Department of Defense (DoD) Directive 8570.1. This directive applies to information security professionals that identify, tag, track, and manage cyber security/IA in the government workforce. DoD 8750 establishes three policies that strengthen cybersecurity readiness:

  1. Privileged users and IA managers shall be fully qualified, trained and certified to DoD baseline requirements to perform their IA duties.
  2. All IA personnel shall be identified, tracked and managed so that IA positions are staffed with personnel trained and certified by category, level and function.
  3. IA certification and training shall be monitored and reported as an element of mission readiness.

To comply with DoD 8750, you need to have earned one of the approved cybersecurity certifications or earn it within six months.

The directive establishes which commercial certifications satisfy the certification requirement, and of these certs, Certified Information Systems Security Professional, or CISSP, is one of these required certifications. 

CISSP also has three specializations that fulfill different requirements of the directive. In other words, the different specializations allow you to work in different types of cybersecurity roles for the government.

Learn more about the relationship between CISSP and DoD8750, explore the DoD 8570 certification requirements, how the new 8140 will affect CISSP and how the IAT/IAM/IASAE levels relate to CISSP and the CISSP specializations.

What are DoD certification requirements?

DoD 8570 has two requirements for government cybersecurity/IA roles which are stated in DoD 8570.01-M. These requirements are:

  1. Earn at least one 8570 baseline certification
  2.  Earn certification for the computing environment that the applicant will work with – this means certifications for security-related tools/devices and operating systems.

Before we delve into what baseline certifications satisfy the requirement, the directive refers to different types of IA roles – Information Assurance Technical (IAT), Information Assurance Management (IAM) and IA Workforce System Architecture and Engineering (IASAE).  Each of these job role categories has three levels of roles that have their own functions. 

Below are the different job categories and which certifications satisfy the requirement:

IAT Level I

  •       CCNA-Security
  •       SSCP

IAT Level II

  •       CCNA Security
  •       CSA+
  •       GICSP
  •       GSEC
  •       SSCP


  •       CCNP Security
  •       CISA
  •       CISSP
  •       GSLC

IAM Level I

  •       CAP
  •       GSLC

 IAM Level II

  •       CAP
  •       CISM
  •       CISSP
  •       GSLC


  •       CISM
  •       CISSP
  •       GSLC


  •       CISSP
  •       CSSLP


  •       CISSP
  •       CSSLP


  •       CISSP-ISSAP
  •       CISSP-ISSEP

CSSP Manager

  •       CISM
  •       CISSP-ISSMP

How will the new 8140 affect my CISSP?

DoD 8140 has replaced DoD 8570 as a directive version update. One change that 8140 has for CISSP certification holders: CISSP-ISSMP no longer satisfies the baseline certification requirement for CSSP Manager roles. Currently, everyone is still following DoD 8750 until everything gets approved, which is estimated at being at least a year out from the time of this writing. 

Is CISSP a DoD-approved baseline certification?

Yes, CISSP is a DoD-approved baseline certification. It satisfies several of the job levels — IAT Level III, IAM Levels II and III, and IASAE I, II, II and CSSP Manager. Remember that CISSP will not satisfy CSSP Manager once DOD8140 comes into effect.

IAT levels and the CISSP

Information Assurance Technical (IAT) is a category of cybersecurity roles that are more technical and focused on technical knowledge. The CISSP certification does not become required for IAT roles until level III. This is because CISSP is a more management-centered certification, so more technically focused job roles would not be able to apply the knowledge from the CISSP certification until they become near management level.

IAM and the CISSP

Information Assurance Management (IAM) is a category focused on management staff working with cybersecurity/IA. This category is more suited to CISSP since the cert is more management and decision-maker-focused. The CISSP certification satisfies both the IAM level II and III job roles. If your goal is to have a management role in government cybersecurity, CISSP is a good choice as it will satisfy the requirement for roles outside of IAM level I.

IASAE levels and the CISSP

IA Workforce System Architecture and Engineering (IASAE) is another category of cybersecurity job roles subject to DoD 8750. This category of job roles is architects and engineers that design and secure information system architectures. CISSP satisfies the baseline certification requirements for IASAE levels I and II. To satisfy the requirements of IASAE level III, you need to earn either the CISSP-ISSAP or CISSP-ISSEP certification specializations. 

CSSP specializations and the CISSP

You have the option to earn specializations after you have become a CISSP certification holder. These specializations allow you to go beyond the CISSP and stand out with a specialization in one of three different areas. The CISSP Information Systems Security Architecture Professional, or CISSP-ISSAP, applies to chief security architects and analysts. The CISSP Information Systems Security Engineering Professional or CISSP-ISSEP is meant for more engineering-focused job roles. CISSP Information Systems Security Management Professional isintended for management focused job roles. 

As you can expect, these specializations apply to a narrower set of roles — ones that require the specialized knowledge that they verify. CISSP-ISSAP and CISSP-ISSEP satisfy the baseline certification requirement for IASAE level III. As long as DoD 8140 has not taken effect, CISSP-ISSMP satisfies the requirement for CSSP Manager.    

Earning the CISSP certification 

DoD 8750 is a Department of Defense directive covering information assurance, otherwise known as cybersecurity and the requirements that must be satisfied to work as government cybersecurity professional. One of the requirements is to earn a baseline certification. CISSP satisfies several requirements, and the specializations can help you go beyond CISSP and earn a higher-level job.

For more on the CISSP certification, view our CISSP hub.


Posted: March 17, 2022
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.