DoD 8570

What is DoD 8570?

August 13, 2018 by Beth Osborne

Department of Defense Directive 8570, or DoDD 8570 provides guidance and procedures for the training, certification, and management of all government employees who perform IA functions in their official assigned duties. These individuals are required to have an approved certification for their specific job classification.

All DOD IA jobs are defined as either ‘Management’ (IAM) or ‘Technical’ (IAT) Level I, II, or III. These levels reflect the system architecture that the employee is in, not the employee’s experience or military rank. This article will guide those who are seeking DoDD IAM level II certification and will examine the requirements, certification, and job positions that demand a DoDD 8570 certification.

What is the Difference Between IAM and IAT?

To determine whether a position is an IAM or IAT position, you must ask two questions:

  • Does the position require privileged access to a DoD Information System Computing, Network, or Enclave environment?
  • Does the position include any of the functional requirements listed in Chapter 3 of DoD 8570.01-M (Manual) for that level of the information system architecture?

If the answer to both questions is yes, then the position is an IAT position. If the answer is no to both, then it is not an IAT Position. If the answer is yes to the first question and no to the second question, then it is not an IAT position. If the answer is no to the first question and yes to the second question, it may be an IAM or other IA position.

System Environments

Across the board of IAM and IAT levels, there are different system environments that these positions operate in. These system environments are the Computing Environment (CE), The Networking Environment (NE), and the Enclave. IAM Level II personnel operate within the NE system environment, so it will be the system environment that this article focuses on.

NE, as defined by DoD 8570.01-M, is a component of an enclave responsible for connecting CE by providing short-haul data transport capabilities, such as local or campus area networks, or long-haul data transport capabilities, such as operational, metropolitan, or wide area and backbone networks that provide for the application of IA controls. Examples of possible networks in the basic enclave include Operations Networks, Logistics Networks, and Human Resources networks connecting to a Component Enclave. Each NE contains at least one CE.

To Whom Does DoDD 8570 Apply?

Any full or part-time military service member, contractor, or local nationals with privileged access to a DoD information system performing information assurance (security) functions — regardless of job or occupational series. Examples of who would hire individuals with a DoDD 8570 certification are:

  • U.S. Department of Defense
  • U.S. Intelligence Agencies
  • U.S. Department of Homeland Security
  • U.S Department of Justice
  • U.S Department of State
  • Most other U.S. federal government agencies

More specifically, common job positions that require DoDD 8570 IAM Level II are Cyberspace Analyst (Level 2), Malware Analyst (Level 2), Security Specialist (Level 2) Cybersecurity Information Assurance to name a few. If you want to work for the government as a middle-level Information Assurance employee, you will need to be DoDD 8570 IAM Level II certified.

DoDD 8570 Requirements

Currently, all employees performing IAM functions must be certified. This begs the obvious question of what do you need to be IAM Level II certified? To answer this, DoD 8570.01-M(Manual) explains that an individual seeking DoDD 8570 certification must have one of the baseline certifications for the level of their position. Across the levels of DoDD IAM 8570, different certifications are required for the different levels.

IA Baseline certifications are usually required to be earned by IA personnel within six months of assignment to the position. Regarding IAM Level II, the baseline certifications accepted are:

  • CompTIA Advanced Security Practitioner (CASP) certification offered by CompTIA (InfoSec Training Course and Training Bootcamp available)
  • Certified Authorization Professional (CAP) certification offered by ISC2 (InfoSec Training Course and Training Boot Camp available)
  • Certified Information Security Manager (CISM) offered by ISACA (InfoSec Training Course and Training Boot Camp available)
  • Certified Information Systems Security Professional (CISSP) (or Associate) certification offered by ISC2 (InfoSec Training Course and Training Boot Camp available)
  • GIAC Security Leadership Certification (GSLC) offered by GIAC (InfoSec Training Course Available)

Luckily, InfoSec – the world leader in Information Security training, offers training courses for all of these baseline certifications. Additionally, InfoSec offers Certification Training Boot Camps that features an intense multi-day training regimen. Please visit for more information on Training Courses and Training Boot Camps for these baseline certifications.

Aside from the baseline certifications requirement, DoD 8570.01-M sets out some additional requirements for an individual working in an IAM Level 2 position. IAM Level II personnel are responsible for the IA program of an Information System (IS) within the Network Environment (NE). Individuals in these positions perform a variety of security-related IA tasks, including the development and implementation of system information security standards and procedures. IAM Level II personnel ensure that the IS is functional and secure within the NE.

Moreover, further IAM Level II position requirements are listed in Table C4.T4 of DoD 8570.01-M. These requirements are:

  • IAM Level II personnel usually have at least five years of management experience
  • IAM Level II personnel are responsible for managing the IA operations for the NE
  • IAM Level II personnel must apply knowledge of IA policy, procedures, and workforce structure to develop, implement, and maintain a secure the NE
  • When issues arise, they normally get reported to IAM Level III (Enclave) Managers or Designated Accrediting Authority (DAA)


Posted: August 13, 2018
Beth Osborne
View Profile