The U.S. government has put significant emphasis on certification and training for system users to ensure they can meet the ever-changing cyber threats and to reinforce their skillsets to mitigate adversary attacks with existing or new security tools. Comprehensive annual security awareness has been made mandatory for all users, and several opportunities to increase competence are available for employees who need more advanced IT skills and knowledge.
This effort is summarized by DoD Directive 8140.01, “Cyberspace Workforce Management,” August 11, 2015 that “unifies the overall cyberspace workforce and establishes specific workforce elements (cyberspace effects, cybersecurity, and cyberspace information technology (IT)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements.” This directive expands and updates the scope of DoD Directive (DoDD) 8570.01, Information Assurance Workforce Improvement Program. However, the DoD 8570.01-M governing the IA workforce certification program is still in effect until new guidelines are issued. DoD 8570 serves, in fact, as both a “Directive” and a “Manual,” whereas, the DoD 8140 is currently just a “Directive” pending a manual to be developed. The current 8570 manual with a number of edits done in August 2015 in response to Directive 8140.01 still serve as a guide that establishes the category and level functions in which personnel are performing their IA duties and applies to all members of the DoD IA workforce including military, civilians, foreign nationals, local nationals, non-appropriated fund (NAF), and contractors.
How Does the DoD Directive 8140.01 Affect an IA Professional?
All professionals with privileged access to US Department of Defense information systems ought to obtain industry certification credentials that have been accredited by the American National Standards Institute (ANSI). The regulations identify the specific individual qualifications mandated by the Directive’s enterprise-wide IA workforce management program, so it is important that even professionals applying for Defense jobs with Information Assurance Management (IAM) and Information Assurance Technical (IAT) roles become very familiar with what is required of them to be compliant. Ensuring to have the right certifications but also the required knowledge and skills to progress in the career is important to avoid disappointments in the future.
Training is required for all personnel that have access to any information system and perform any security function. IT employees who are part of the Cyber or IA Workforce, whether it is full-time or part-time or even as an embedded duty, will be required to be trained and certified to an IA baseline requirement, as indicated for their position category or specialty and level in the DISA IA Support Environment (IASE) website. The directives authorize units to request funds to get the personnel trained to the level needed to perform their IA duty functions by acquiring an approved certification for their particular job classification.
Training requirements are broken down by different categories of InfoSec personnel: IA Technical and IA Management and then further divided into three functional levels (I, II, and III), based on where the position is located within the overall information system architecture, such as to a DoD Information System Computing, Network, or Enclave environment, and not to an individual’s grade or experience. In most instances the basic rule still stands, a position is identified as IAT if it requires privileged access to a DoD Information System Computing, Network, or Enclave environment and includes any of the functional requirements listed in Chapter 3 of DoD 8570.01-M for that level of the information system architecture; whereas, a position is part of the IAM workforce if it has responsibility for managing information system security for a DoD Information System Computing, Network, or Enclave environment and includes any of the functions listed in Chapter 4 of DoD 8570.01-M for that level of the information system architecture.
The manual also has two specialties: The Computer Network Defense-Service Provider (CND-SP) specialty levels that are tied to functional positions (i.e., Analyst, Infrastructure Support, Incident Responder, Auditor, and Manager); and there’s the IA System Architects and Engineers (IASAEs) specialty that has levels I, II, and III, just like IAT and IAM.
Below are the approved baseline certifications for personnel in IAM and IAT roles:
|IAT Level I||IAT Level II||IAT Level III|
CISSP (or Associate)
|IAM Level I||IAM Level II||IAM Level III|
CISSP (or Associate)
CISSP (or Associate)
Personnel is required to obtain only one of the certifications listed for their category; however, many hold more than one credential. In addition, a certification listed under a level 2 or 3 is valid also as a qualification for level 1. Certification providers include Cisco, CompTIA, (ISC)2, ISACA and GIAC.
DoD 8140 and Training
In addition to the DoD internally available training (e.g., Service Schoolhouse IA courses, DISA web-based training), external training providers like InfoSec Institute offer certification-type courses for those in the IA level I, II, or III or who will be performing specialized functions for the Computing, Network, or Enclave environments. This training can help personnel satisfy the certification and knowledge requirements for their function and level in the IA workforce.
InfoSec offers courses in support of most IT certifications and provides valuable training for all requirements listed in directive 8140 and 8570.1. A foundation option that can set a professional on a good course towards compliance is 8570 Mandate Compliance Training. In addition, students can find more specific selections that can set them well on the road to certification in their preferred field.
InfoSec Institute offers, in fact, an interesting and currently very popular option: the boot camp. This is an intensive training course that is normally offered in a 5-day-class seminar version, but that also has online options; these are some of the most popular courses also thanks to the students’ passing rates that are between the highest in the industry. Boot camps are also great options for group training on-site for companies looking to train all or part of their personnel. All courses provide knowledge relevant to the latest version of the exam for which they prepare professionals.
Professional interested in DOD 8140 and 8570.1 compliance can find the following options in InfoSec Institute catalog:
- CompTIA A+: for a beginners’ approach to the comprehensive CompTIA exam
- Security+: with theory and hands-on exercises
- Network+: to apply basic networking skills like installing and configuring networks on multiple platforms
- CASP: prepares for the CompTIA Advanced Security Practitioner exam, a vendor-neutral credential
- ISACA CISA: a review course that covers the core sections and a series of sample exam questions for the Certified Information Systems Auditor exam and covers the skills needed to get a workforce up to speed with a security solution to defend against unauthorized access to information
- Ethical Hacking/CEH: an in-depth review of black-hat hackers’ techniques, penetration testing, and defensive techniques through lectures and hands-on exercises
- Incident Response and Network Forensics: covers how to detect and defend from security incidents including learning how systems are compromised and how to look for traces left behind by attackers on the systems
- CAP: a 3-day course made of drills and mentoring for Certified Authorization Professional
- CCNA Security: one of the most popular boot camps on information security and hacking training
- CCNA Training: allows students to earn 4 Cisco certifications in 7 Days: ICND1, ICND2, IINS, and CCDA
- CISM: with a passing rate of 94%, this popular course help’s students master the ISACA Official CISM Review Manual and apply knowledge to real-world scenarios
- CSSLP: prepares students for the Certified Secure Software Lifecycle Professional exam by (ISC)2 and covers the knowledge needed to incorporate security into each phase of the software lifecycle to help mitigate threats
- ISSAP: places an emphasis on the technical aspects of security architecture
- ISSEP: focuses on Security Systems Engineering and the construction of an efficient network
- ISSMP: undergo four days to learn about the five major domains of the Information Systems Security Management Professional (ISSMP) Concentration
- There’s also a 7-day training boot camp for (ISC)² CISSP that prepares students on all eight Common Body of Knowledge domains and all the concepts covered by the complex Certified Information Systems Security Professional test
So, if a team needs to achieve DOD 8140 and 8750 compliance, InfoSec Institute’s boot camp-style programs might be the best options to gain the essential knowledge and hands-on skills needed to be familiar with a variety of security concepts practiced in their daily routine at work. What’s more, all training programs are designed for the GI Bill funds (for training active duty or selected reserve, officer or enlisted) that can be used for InfoSec Institute certification courses.
Ethical Hacking Training – Resources (InfoSec)
Another great option for professionals who have no chance or time to attend the in-class courses, instead, is online training. InfoSec Institute offers this format to help students achieve compliance in the comfort of their own home or office:
- CISM Online Certification Training: designed for professionals who manage and/or assess an organization’s information security program, this course offers the same content as the instructor-led option in 47 online modules
- CISSP Online Training: this online version of the popular CISSP training is self-paced to cater to the needs of professionals with difficult or unpredictable schedules but still allows access to the help of an instructor/mentor when needed. The course offers over 45 hours of content and prepares students for the newest CISSP visual exam question format
- CompTIA A+ Online Training: includes over 25 hours of training in a mentored-learning format for professionals preparing to pass the CompTIA A+ exam or that are looking to increase their foundation-level knowledge and skills necessary for a career in IT support
- CISA Online Course Overview: intended for students that are preparing to pass the CISA test; a designation for IS audit control, assurance, and security professionals. The course comprises of 47 online modules and covers the same content of in-class versions
There are a number of other courses on hand that can cover additional skills and help professionals get an overview of a variety of other security topics that can help them in their daily work affected by DoD Directive (DoDD) 8140 (8570) Training and Certification – see more about the 8140 Training with InfoSec Institute. After selecting the needed Information Security Training, “you can trust that you are getting the most up-to-date information, complete hands-on labs, industry-leading instructors, and the certification preparation you will need,” vouches InfoSec Institute, as noted on its official website.
So, who should be concerned about DoD Directive 8140? All those who are most likely involved with IA/Cybersecurity positions within the DoD must be compliant with this directive within 6 months of employment. Therefore, if you are looking for specially designed courses available that fully comply with DoD 8140, then InfoSec Institute can be a good option with their specifically-designed courses in multiple formats to cater to the requests of students with different needs: online classes, workshops, and boot camps.
DoDD8140.com. (n.d.). DoDD 8570 & 8140 Background & History. Retrieved from http://dodd8140.com/
IASE. (n.d.). DoD 8570.01-M Manual Information Assurance Workforce Improvement Program and DoD Directive 8140.01 Cyberspace Workforce Management Frequently Asked Questions (FAQs). Retrieved from https://iase.disa.mil/iawip/Pages/iaetafaq.aspx
IASE. (n.d.). DoD Approved 8570 Baseline Certifications. Retrieved from https://iase.disa.mil/iawip/Pages/iabaseline.aspx
IASE. (n.d.). Summary of IA Workforce Qualification Requirements. Retrieved from https://iase.disa.mil/iawip/Pages/summary_wf_requirements.aspx
InfoSec Institute. (n.d.). 8140 Training with InfoSec Institute. Retrieved from https://www.infosecinstitute.com/8140-training-with-infosec-institute/
InfoSec Institute. (n.d.). 8570 Mandate Compliance Training. Retrieved from https://www.infosecinstitute.com/courses/8570-mandate-compliance-training/
Kyzer, L. (2015, April 23). What is DoD 8570? Retrieved from https://news.clearancejobs.com/2015/04/23/dod-8570/
McCray, J. (2017, May 3). What is DoD 8570, who does it apply to, and how it works. Retrieved from https://infosecaddicts.com/dod-8570/
McCurry, T. (2014, April 8). 8570 Certification and the Way Ahead to 8140 Certification. Retrieved from http://resources.infosecinstitute.com/dod-8570-requirements/#gref
NIST. (2016, August 11). DoD Directive 8140.01 Cyberspace Workforce Management. Retrieved from https://www.nist.gov/news-events/news/2016/08/dod-directive-814001-cyberspace-workforce-management
Sherman, R. (2017, August 30). Security+ and the DoD 8570. Retrieved from http://resources.infosecinstitute.com/category/certifications-training/securityplus/dod-8570/
Stanger, J. (2015, September 11). What are U.S. DoD 8140, 8570 and 8570.01-M and What Do They Mean for Your Career? Retrieved from https://certification.comptia.org/it-career-news/post/view/2015/09/11/what-are-u-s-dod-8140-8570-and-8570-01-m-and-what-do-they-mean-for-your-career-
Tittel, E. (2015, September 23). DoD 8570 Gives Way to DoD 8140, Specifies Security Certs for Government Workers. Retrieved from http://www.pearsonitcertification.com/blogs/blog.aspx?uk=DoD-8570-Gives-Way-to-DoD-8140-Sepcifies-Security-Certs-for-Government-Workers
Yip, K. N. (2018, March 30). CISSP: DoD 8570 Overview. Retrieved from http://resources.infosecinstitute.com/category/certifications-training/cissp/dod-8570-overview-for-the-cissp/