In 2005, the U.S. Department of Defense (DoD) set out to assess and manage its cybersecurity workforce with DoD Directive 8570. In 2015, it was replaced with DoD Directive 8140. And as discussed in our article on the difference between DoD 8570, 8140 and 8570.01-m, DoD 8570.01-m outlines which cybersecurity certifications are approved to validate the skills for certain job roles. Today we’re going to dive into the updated directive, DoD Directive 8140.
DoD 8140 Defined
DoD 8140 replaces DoD 8570 to expand covered work roles. DoD 8570 was created to identify, tag, track and manage the information assurance, or cybersecurity, workforce.
According to the National Institute of Standards and Technology (NIST), DoD 8140:
- Reissues and renumbers DoD 8570 to update and expand established DoD policies and assigned responsibilities for managing the DoD cyberspace workforce.
- Authorizes the establishment of a DoD cyberspace workforce management council to ensure that the requirements of this directive are met.
- Unifies the overall cyberspace workforce and establishes specific elements to align, manage and standardize work roles, baseline qualifications and training requirements.
DoD 8140 expands on DoD 8570 to leverage the Defense Cybersecurity Workforce Framework (DCWF), which draws from the original National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) and the DoD Joint Cyberspace Training and Certification Standards (JCT&CS).
7 DoD Cybersecurity Job Categories
The DCWF defines seven broad job categories including 33 specialty areas and 54 work roles. Cyber personnel categories and additional work roles were added from the NICE framework.
These are the 7 job categories shared by both frameworks:
- Security Provision: May include jobs such as architecture, engineering, operations that include information assurance compliance, software, security engineering, system development, research, etc.
- Operate/Maintain: This may include customer service, tech support, data administration, knowledge management, network service and security analysis.
- Protect/Defend: This involves defense against cyberattacks, defense analysis, incident reporting, vulnerability assessment and related areas.
- Analyze: This pertains to different types of network analysis, resource intelligence, exploitation analysis, threat analysis, etc.
- Operate/Collect: This is defined as applicable to cyber operations and planning, collection operations, planning and implementation.
- Oversight and Development: This pertains to the legal consequences of conducting operations in the digital realm, with emphasis on planning, education and awareness.
- Investigate: This is relevant to investigations and forensics work as it relates to online security or related issues.
In comparison, DoD 8570.01-m only includes four broad job categories:
- Information Assurance Technical (IAT)
- Information Assurance Management (IAM)
- Information Assurance Security Architecture and Engineering (IASAE)
- Cyber Security Service Provider (CSSP)
How to Become DoD 8140 Compliant
Most DoD organizations must be in 8140 compliance. This means that DoD information assurance and cybersecurity personnel must obtain one of the IT certifications listed in DoD 8570.01-m for their job category and level.
The DoD Cyber Exchange outlines the four steps to obtaining a DoD 8570 baseline certification:
- Identify your position, level and IT certification requirements within the IA workforce.
- Train for your IT certification, following your organization’s protocols.
- Request a certification voucher.
- Notify your IA manager when you’ve completed your training and earned your certification.
What Are the DoD 8140 Approved Certifications?
At the time of this writing, DoD 8140 approved certifications are listed in DoD 8570.01-m. DoD 8570.01-m is still in use and actively managed by the DoD. A DoD 8140 manual is expected to be released in the next year.
CompTIA is well represented in the list of approved, required IT certifications under DoD 8140. There is not currently a DoD 8140 chart, but DoD 8570.01-m lists which IT certifications are approved for which job categories under DoD 8570 and 8140. For a complete list of approved certifications, click here.
DoD 8570.01-m Approved Certifications from CompTIA
Information Assurance Technical (IAT)
IAT Level I
IAT Level II
IAT Level III
Information Assurance Management (IAM)
IAM Level I
IAM Level II
IAM Level III
Information Assurance Security Architecture and Engineering (IASAE)
Cyber Security Service Provider (CSSP)
CSSP Infrastructure Support
CSSP Incident Responder
* CompTIA PenTest+ is pending 8570.01-m approval for CSSP Incident Responder and CSSP Auditor.
What’s the Difference Between 8570 vs. 8570.01-m vs. 8140?
DoD 8140 is the updated version of DoD 8570 and was created to expand the work roles covered. DoD 8570.01-m is the manual that lists the IT certification requirements. The new DoD 8140 manual is expected to be published within the next year and will identify new requirements, details are unknown at this time.
Stay tuned for one more article that dives into DoD 8570.01-m, where we’ll tackle the 8570.01-m job categories and discuss the manual’s goals in more detail.
Whether you work for the DoD or in the corporate sector, CompTIA certifications validate the skills you need for IT. See which certification is right for you and download the exam objectives for free.
Patrick Lane, M.Ed., Network+, MCSE, CISSP, directs cybersecurity workforce certifications for CompTIA, including Security+, PenTest+, CySA+, and CASP+. He assisted the U.S. National Cybersecurity Alliance (NCSA) to create the “Lock Down Your Login” campaign to promote multi-factor authentication nationwide. He has implemented a wide variety of IT projects as a network, security and server administrator, security analyst and architect. Patrick is an Armed Forces Communications and Electronics Association (AFCEA) lifetime member, born and raised on U.S. military bases, and has authored and co-authored multiple books, including Hack Proofing Linux: A Guide to Open Source Security.