CISSP and DoD 8570/8140: What you need to know [Updated 2022]
Suppose your goal is to work as a government cybersecurity professional working with Information Assurance (IA), In that case, you will be required to earn a certification approved by the U.S. Department of Defense (DoD) Directive 8570.1. This directive applies to information security professionals that identify, tag, track, and manage cyber security/IA in the government workforce. DoD 8750 establishes three policies that strengthen cybersecurity readiness:
- Privileged users and IA managers shall be fully qualified, trained and certified to DoD baseline requirements to perform their IA duties.
- All IA personnel shall be identified, tracked and managed so that IA positions are staffed with personnel trained and certified by category, level and function.
- IA certification and training shall be monitored and reported as an element of mission readiness.
Earn your CISSP, guaranteed!
To comply with DoD 8750, you need to have earned one of the approved cybersecurity certifications or earn it within six months.
The directive establishes which commercial certifications satisfy the certification requirement, and of these certs, Certified Information Systems Security Professional, or CISSP, is one of these required certifications.
CISSP also has three specializations that fulfill different requirements of the directive. In other words, the different specializations allow you to work in different types of cybersecurity roles for the government.
Learn more about the relationship between CISSP and DoD8750, explore the DoD 8570 certification requirements, how the new 8140 will affect CISSP and how the IAT/IAM/IASAE levels relate to CISSP and the CISSP specializations.
What are DoD certification requirements?
DoD 8570 has two requirements for government cybersecurity/IA roles which are stated in DoD 8570.01-M. These requirements are:
- Earn at least one 8570 baseline certification
- Earn certification for the computing environment that the applicant will work with – this means certifications for security-related tools/devices and operating systems.
Before we delve into what baseline certifications satisfy the requirement, the directive refers to different types of IA roles – Information Assurance Technical (IAT), Information Assurance Management (IAM) and IA Workforce System Architecture and Engineering (IASAE). Each of these job role categories has three levels of roles that have their own functions.
Below are the different job categories and which certifications satisfy the requirement:
IAT Level I
- CCNA-Security
- SSCP
IAT Level II
- CCNA Security
- CSA+
- GICSP
- GSEC
- SSCP
IAT Level III
- CCNP Security
- CISA
- CISSP
- GSLC
IAM Level I
- CAP
- GSLC
IAM Level II
- CAP
- CISM
- CISSP
- GSLC
IAM Level III
- CISM
- CISSP
- GSLC
IASAE I
- CISSP
- CSSLP
IASAE II
- CISSP
- CSSLP
IASAE III
- CISSP-ISSAP
- CISSP-ISSEP
CSSP Manager
- CISM
- CISSP-ISSMP
How will the new 8140 affect my CISSP?
DoD 8140 has replaced DoD 8570 as a directive version update. One change that 8140 has for CISSP certification holders: CISSP-ISSMP no longer satisfies the baseline certification requirement for CSSP Manager roles. Currently, everyone is still following DoD 8750 until everything gets approved, which is estimated at being at least a year out from the time of this writing.
Is CISSP a DoD-approved baseline certification?
Yes, CISSP is a DoD-approved baseline certification. It satisfies several of the job levels — IAT Level III, IAM Levels II and III, and IASAE I, II, II and CSSP Manager. Remember that CISSP will not satisfy CSSP Manager once DOD8140 comes into effect.
IAT levels and the CISSP
Information Assurance Technical (IAT) is a category of cybersecurity roles that are more technical and focused on technical knowledge. The CISSP certification does not become required for IAT roles until level III. This is because CISSP is a more management-centered certification, so more technically focused job roles would not be able to apply the knowledge from the CISSP certification until they become near management level.
IAM and the CISSP
Information Assurance Management (IAM) is a category focused on management staff working with cybersecurity/IA. This category is more suited to CISSP since the cert is more management and decision-maker-focused. The CISSP certification satisfies both the IAM level II and III job roles. If your goal is to have a management role in government cybersecurity, CISSP is a good choice as it will satisfy the requirement for roles outside of IAM level I.
IASAE levels and the CISSP
IA Workforce System Architecture and Engineering (IASAE) is another category of cybersecurity job roles subject to DoD 8750. This category of job roles is architects and engineers that design and secure information system architectures. CISSP satisfies the baseline certification requirements for IASAE levels I and II. To satisfy the requirements of IASAE level III, you need to earn either the CISSP-ISSAP or CISSP-ISSEP certification specializations.
CSSP specializations and the CISSP
You have the option to earn specializations after you have become a CISSP certification holder. These specializations allow you to go beyond the CISSP and stand out with a specialization in one of three different areas. The CISSP Information Systems Security Architecture Professional, or CISSP-ISSAP, applies to chief security architects and analysts. The CISSP Information Systems Security Engineering Professional or CISSP-ISSEP is meant for more engineering-focused job roles. CISSP Information Systems Security Management Professional isintended for management focused job roles.
As you can expect, these specializations apply to a narrower set of roles — ones that require the specialized knowledge that they verify. CISSP-ISSAP and CISSP-ISSEP satisfy the baseline certification requirement for IASAE level III. As long as DoD 8140 has not taken effect, CISSP-ISSMP satisfies the requirement for CSSP Manager.
Earn your CISSP, guaranteed!
Earning the CISSP certification
DoD 8750 is a Department of Defense directive covering information assurance, otherwise known as cybersecurity and the requirements that must be satisfied to work as government cybersecurity professional. One of the requirements is to earn a baseline certification. CISSP satisfies several requirements, and the specializations can help you go beyond CISSP and earn a higher-level job.
For more on the CISSP certification, view our CISSP hub.
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
