If you’ve looked for cybersecurity-related jobs online, perhaps the numbers “8570” and “8140” seem familiar to you. These are, after all, the numbers of two of the most important sets of standards in the field: the numbers of the directives put forth by the Department of Defense to establish qualifications for people working on DoD databases at various levels.
The U.S. Department of Defense is, of course, one of the largest employers in the country when it comes to cybersecurity. The DoD contains numerous agencies, like the FBI, CIA and NSA, all of which have numerous information systems of their own that demand more rigorous security measures than practically any other database on the planet. Their demand for extremely competent cybersecurity professionals is extremely high.
However, DoDD 8570 and 8140 do not only apply to positions at the DoD and its sub-agencies. The DoD has numerous subcontractors that also require their cybersecurity employees to meet DoD qualifications in order to operate and protect DoD-related information systems.
Luckily, these qualifications aren’t terribly difficult to achieve. In fact, depending on the position for which you’re hoping to qualify, you’ll most likely only need to obtain one of several popular cybersecurity certifications.
What is DoDD 8570?
Originally issued in 2005, Department of Defense Directive 8570’s stated purpose was to identify, tag, track and manage the information assurance workforce. (“Information assurance” is how the DoD used to refer to cybersecurity; it has since largely switched to the more modern terminology.)
It grouped DoD-related cybersecurity positions into several broad categories. There are two large categories, Technical (IAT) and Management (IAM), along with several specialties, which are grouped into either System Architecture and Engineering (IASAE) or Computer Network Defense-Service Provider (CND-SP).
Descriptions and requirements for each of these categories are laid out in DoDD 8570’s companion manual, which is named DoDD 8570.01-M.
In 2015, DoDD 8570 was discontinued to make way for a new directive, DoDD 8140. As of 2023, DoDD 8570 is no longer in effect. However, the certification requirements from DoDD 8570.01-M are still in place via a citation in DoDD 8140. So you should absolutely be familiar with the 8570 directive, as many of the rules it set forth will still affect you if you wish to find employment at a DoD agency or subcontractor.
Below, we will go into more detail on what these categories are and what is required for each category.
What is DoDD 8140?
In 2015, the DoD issued a new directive, called the Department of Defense Directive 8140. This was a new set of rules that laid out a more descriptive and compartmentalized system for classifying cybersecurity roles within the DoD.
In order to define these roles, DoDD 8140 binds the workforce to the DoD Cyberspace Workforce Framework, or DCWF. This divides the cyberspace workforce into five “Workforce Elements,” of which Cybersecurity is one. The others are IT (Cyberspace), Cyberspace Effects, Cyberspace Enablers, and Intelligence (Cyberspace).
It also divides these roles into seven different categories based on the overarching purpose of each role. These categories are:
- Analyze
- Collect and operate
- Investigate
- Operate and maintain
- Oversee and govern
- Protect and defend
- Securely provision
In addition, it lays out core and auxiliary Knowledge, Skills, and Abilities, or KSAs. (They are also referred to elsewhere as KSATs, the “T” standing for Tasks.) In general, DoDD 8140 is an organizational directive, so while you will want to know the KSATs required for any specific role you apply to, we will not go into too much detail on each role in this article. You can use the DCWF Tool to seek more information.
What certifications do you need?
As we mentioned previously, the certification requirements under DoDD 8140 are outlined in DoDD 8570.01-M. Here we’ve listed each role, along with its certification requirements.
Jobs will typically include any DoDD 8140-related compliance requirement in their descriptions. Still, it’s useful to know the general structure of the directive, so we’ve included descriptions of each category.
IAT
People in the Technical division work on computing environments, networks, and enclaves in order to detect and correct security vulnerabilities. If you are applying to a DoD-related job as an entry-level candidate, you’ll most likely be applying for an IAT-qualified job.
There are three levels, each corresponding to the scope of the work you’re expected to do.
IAT Level I concerns work done at the computing environment level. A computing environment is a server that interacts with one or more computers. Employees at this level will correct flaws and implement IAT controls within the hardware and software in these computer environments. These are entry-level positions for those with 0-5 years of experience in the field.
Certifications:
- A+ CE
- CCNA-Security
- CND
- Network+ CE
- SSCP
IAT Level II concerns work done at the network environment level, as well as advanced CE-level work. Professionals at this level specialize in intrusion detection, as well as finding vulnerabilities and ensuring access point security. They are expected to have at least 3 years of cybersecurity experience.
Certifications:
- CCNA-Security
- CySA+
- GICSP
- GSEC
- Security+ CE
- CND
- SSCP
IAT Level III professionals work at the enclave level; that is, they deal with systems of multiple networks. They are expected to be able to work at any of the above levels as well, including troubleshooting for software and hardware. They typically have at least 7 years of experience.
Certifications:
- CASP+ CE
- CCNP Security
- CISA
- CISSP (or Associate)
- GCED
- GCIH
- CCSP
Generally speaking, certifications for higher levels are also applicable to lower levels, but not the reverse. There are exceptions to this rule, though.
IAM
The three-tiered IAM system is structured much the same way as the three-tiered IAT system, with each tier involving the management of a progressively larger system. The primary difference is just what it says on the label: while IAT positions are technical ones, IAM positions are management ones. Experience levels parallel each other as well.
IAM Level I includes entry-level management positions. Workers at this level are responsible for implementing and operating DoD Information Systems or DoD Components at a computing environment level. They should have 0-5 years of management experience.
Certifications:
- CAP
- CND
- Cloud+
- GSLC
- Security+ CE
- HCISPP
IAM Level II employees are responsible for securing information systems within a network environment. They develop standards and procedures for these systems, and ensure that those standards are met. They are expected to have at least 5 years of management experience.
Certifications:
- CAP
- CASP+ CE
- CISM
- CISSP (or Associate)
- GSLC
- CCISO
- HCISPP
IAM Level III employees are responsible for the security and operational objectives of all the information systems within an enclave. They develop procedures and set acquisition goals to ensure that the objectives of the system are met. They are expected to have at least 10 years of experience. These are highly advanced positions.
Certifications:
- CISM
- CISSP (or Associate)
- GSLC
- CCISO
IASAE
Information Assurance System Architecture and Engineering (IASAE) is considered within DoDD 8570.01-M to be a specialty within the information assurance workforce. These professionals are specifically responsible for performing design and engineering work for DoD-compliant systems. While managers manage and oversee the upkeep and implementation of these systems, and technical workers repair the systems and keep them functional, IASAE workers actually design these systems.
Like the other two categorizations, there are three levels here, as well, which are outlined by the same general criteria. Level I employees design and implement CE-level systems, Level II employees work on NE-level systems, and Level III employees work on enclave systems and beyond. The requirements within 8570.01-M also state that Level III workers may be responsible for the design and implementation of systems that encompass multiple classification levels.
Levels I and II have identical certification requirements, but they are not the same: Level I employees can be entry level, while Level II employees are expected to have at least 5 years of experience. Level III employees have different certification requirements, and are recommended to have at least 10 years of experience.
Level I and Level II certifications:
- CASP+ CE
- CISSP
- CSSLP
Level III certifications:
- CISSP-ISSAP
- CISSP-ISSEP
- CCSP
CSSP Specializations
Cybersecurity Service Provider (CSSP) specializations are a number of classifications related to rendering cybersecurity-related services. These specializations were once called Computer Network Defense-Service Provider positions (CND-SP), and were later renamed. Rather than being divided into levels, the broader CSSP label is divided into different sections, each of which corresponds to a different type of service rendered.
CSSP Analysts are not directly responsible for preventing cyber attacks; instead, they use CSSP-related tools, such as intrusion detection system alerts, firewall and network traffic logs, and host system logs, to analyze incidents that have already occurred and extract relevant data. Though they are assigned to specific systems, they may be required to perform analysis at a network or enclave level. It is recommended that CSSP-A employees have at least 2 years in a related field.
Certifications:
- CEH
- CFR
- CCNA Cyber Ops
- CCNA-Security
- CySA+
- GCIA
- GCIH
- GICSP
- Cloud+
- SCYBER
- PenTest+
CSSP Infrastructure Support specialists maintain, administer, and test infrastructure components of the networks to which they are assigned. This may include firewalls, routers, intrusion detection systems, and other CSSP-related pieces of infrastructure. They may be required to perform work at a network or enclave level, but they are entrusted with specific tools. They should have 4 years or more of experience.
Certifications:
- CEH
- CySA+
- GICSP
- SSCP
- CHFI
- CFR
- Cloud+
- CND
CSSP Incident Response specialists are just what their title would suggest: they direct and carry out incident response activities. These activities may include examining available information and evidence, and planning and directing recovery activities. They should have at least 5 years in a related field.
Certifications:
- CEH
- CFR
- CCNA Cyber Ops
- CCNA-Security
- CHFI
- CySA+
- GCFA
- GCIH
- SCYBER
- PenTest+
CSSP Auditors examine systems and determine where they deviate from local, network, or enclave policies, in order to issue recommendations. They should have 2 years of experience in a related field.
Certifications:
- CEH
- CySA+
- CISA
- GSNA
- CFR
- PenTest+
CSSP Managers oversee activities and personnel within their Service Provider organizations. They produce guidance and planning, assist with risk assessment and risk management activities, and manage the technical classifications of personnel within their organizations. They should have at least 4 years of related managerial experience.
Certifications:
- CISM
- CISSP-ISSMP
- CCISO
Conclusion
DoDD 8570 and 8140 lay out designations and requirements for elements of the DoD-adjacent cybersecurity workforce that can at times seem somewhat confusing or even byzantine. However, as a job applicant, the main takeaway for you should be an understanding of the certification and training requirements for the positions you’re attempting to get.
If you’re an entry-level job applicant, it’s most important to focus on the certification requirements for the Level I (entry-level) positions, like Network+ and Security+. But, no matter what type of position you’re going for, if you need to comply with the DoD 8140 directive, Cybrary has comprehensive coursework to help you earn the certifications you need in order to be a qualified member of the workforce for any given certification. Learn more about our Cybrary for Teams and Cybrary for Government solutions.