The ultimate guide to DoD 8570 certification and compliance
If you are either a systems security engineer or an IT security contractor interested in working for the DoD (Department of Defense), then you need to know about DoD Directive 8570. It is a baseline criterion for operating the agency’s IT systems. Specifically, it’s a policy designed by DoD’s Information Assurance Workforce Improvement Program (IA WIP) that requires all personnel with privileged access to systems, including defense contractors, military service personnel and foreign and civilian employees, to hold certain IA certifications and training.
The directive aims to ensure, through standard certification testing, that the IA workforce has the knowledge and skills to effectively protect DoD data, information systems and networks from threats, vulnerabilities and related risks. The result is a skilled, uniform workforce whose members can identify and mitigate attacks.
DoDD 8140 replaced DoDD 8570 to expand coverage to better align and standardize cyberspace work roles, baseline qualifications, and training requirements; however, as an accompanying qualification manual has not been released yet, DoD 8570.01-M is still in effect.
Who needs to comply with DoD 8570?
Again, DoDD 8570 and DoDD 8140 apply to any part-time or full-time contractor, civilian, member of the military, non-appropriated fund (NAF) personnel or local national with privileged access to a DoD system executing information assurance functions, regardless of role or branch of occupation. Hence, defense agencies, combatant commands, military departments, the Office of the Secretary of Defense, the Office of the DoD Inspector General and all other organizational bodies within the DoD are subject to its requirements.
All incumbents and new hires need to be trained, certified, and recertified to the highest-level function(s) performed, whether on a primary or additional/embedded duty basis, as broken down by IA category, specialty and level.
Are contractors and government employees treated differently?
Per DoD 8570.01-M, contractors performing IA functions must meet the same certification and background investigation requirements as government employees in the same roles. Contractors must meet the necessary initial training and certification(s) to carry out their duties and have up to six months to obtain the rest of the qualifications for their position.
There are differences, however, when it comes to funding. DoD Components need to budget and pay for DoD military and civilian IA Workforce members’ required certifications. The Government does not pay for contractors’ certifications, preparation training or recertification. However, Components are free to offer additional training on DoD-specific or local system procedures.
How has DoD 8570 changed over the years?
Signed December 19, 2005, DoD 8570 was established to address the concern of unqualified workers repeatedly taking up cybersecurity positions. This Directive meant that anyone who touched missions, security, and intelligence in cyberspace working with or for the DoD would need to be qualified and trained per the standards set in the directive. At the same time, the 8570 manual was published, marking the beginning of the DoD abiding by these rules for qualifying and managing personnel identified as part of the IA workforce.
The guideline brought several changes in how the government dealt with cybersecurity personnel. Right away, units were able to request funds to train current staff to the level required to do their jobs efficiently. It also made way for training to change before new personnel were assigned IA roles. Most noteworthy, the Department of Defense was able to raise the standards of its professionals and the industry. It broke down 8570 into certifications and categories and helped set standards that had been needed for a long time.
Much has changed since the release of DoD 8570. Recently, stakeholders recognized a need to adjust how the Department of Defense handled network security and data. Advancements in these technologies and the uptick in cyberattacks were the driving force behind developing a new directive that is gradually replacing DoD 8570.
Signed August 11, 2015, the DoD 8140 Directive focuses on hands-on experience and confirms how crucial renowned IT certifications like CISSP are in filling IT security positions in DoD. The training framework in its manual is expected to be based on the NICE (National Initiative for Cybersecurity Education) framework, which emphasizes “live fire” training. It gives exercises to determine whether someone is qualified to tackle real-world cybersecurity challenges.
Directive 8140 responds to the need to recognize that cybersecurity includes a broader range of activities and responsibilities. The newly-labeled DoD Cybersecurity Workforce encompasses the functions under the IA umbrella but moves beyond that. It “establishes specific workforce elements (cyber effects, cybersecurity, cyber information technology (IT), and intelligence (cyber)) to align, manage and standardize cyberspace work roles, baseline qualifications and training requirements.”
The 8140 Directive canceled and replaced DoD 8570.01, but it is taking a few years for the Department of Defense to develop a new manual; therefore, the 8570 manual remains current until it is formally canceled.
How does DoD 8570 work?
DoD 8570.01-M states that all individuals in charge of information assurance for department IT systems must possess the necessary certifications to do their jobs effectively. The manual also lists basic identification requirements to help determine whether positions fall under one of two subcategories:
- IAT (Information Assurance Technical) certifications: Prepare students to handle the technical side of things.
- IAM (Information Assurance Management) certifications: Prepare students to handle the managerial side of things.
Or one of two specialties:
- IASAE (Information Assurance architecture and engineering): Prepares students to secure interfaces, applications, servers, databases and other system components.
- CSSP (Cyber Security Service Provider): Encompasses job roles such as analyst, infrastructure support, incident responder, auditor or manager. It is equivalent to the CND-SP group cited in the DoD 8570.01-M but now reflects the terminology used in DoD Instruction 8530.01 “Cybersecurity Activities Support to DoD Information Network Operations.”
Each of these groups is divided into levels or subcategories. IAT, IAM and IASAE are each divided into three levels based on the nature of the job skills. Level 1 jobs are based on system/PC assets. Level 2 jobs relate to managing network-level equipment and supporting architecture. Level 3 contains all the elements of previous levels and introduces enterprise or enclave server environments.
Certifications required for DoD 8570 compliance
An individual must obtain only one of the listed certifications in their IA category or level and specialty to fulfill the minimum requirement. Below is a table that highlights certifications needed for DoD 8570 compliance.
|Position category, specialty and level|Certification|
|---|---|
|IAT Level I|A+ CE|
|IAT Level II|CCNA Security|
|IAT Level III|CASP+ CE|
|IAM Level I|CAP|
|IAM Level II|CAP|
|IAM Level III|CISM|
|IASAE I|CASP+ CE|
|IASAE II|CASP+ CE|
|CSSP Infrastructure Support|CEH|
|CSSP Incident Responder|CEH; CCNA-Security -> CCNA; SCYBER -> CCNA Cyber Ops -> CyberOps Associate Migration|

- CCNA Cyber Ops (now called Cisco Certified CyberOps Associate)
- CCNA-Security (retired Feb 2020; now just CCNA, which also covers security fundamentals)
- SCYBER (the Cisco Cybersecurity Specialist certification was retired as of July 27, 2018; CCSS (SCYBER) -> CCNA Cyber Ops -> CyberOps Associate Migration)
Obtaining these certifications not only enhances your ability to do well in IA but can also get you promoted, increasing your pay and prospects.
Do higher-level certifications satisfy lower-level requirements?
IAT and IAM certifications are cumulative: higher-level certifications satisfy lower-level requirements. Certifications listed in Level II or III cells can qualify for Level I; however, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell. In contrast, higher-level CSSP (CND-A/AU/IS/IR/SPM functions) and IASAE certifications do not satisfy lower-level requirements.
Find out the important bits about DoD 8570 certification and compliance
Those who will work within DoD should refer to the list above to ensure they meet the minimum certification requirements for their category or specialty and level. Note that “until certification is attained, individuals in IA positions not meeting qualification requirements may perform those duties under the direct supervision of an appropriately certified individual unless the qualification requirement has been waived due to severe operational or personnel constraints,” as mentioned in the DoD 8570.01-M. This manual helps fulfill a vision of a sustained, knowledgeable cybersecurity workforce with the aptitude and right mindset to defend DoD systems from potential and lurking threats or vulnerabilities. The Directive continues to allow DoD to place the right individuals with the right abilities in the right positions.