What Is DoD 8570? Cybersecurity Certifications and Requirements

Understanding DoD Directive 8570 provides a path to understanding the current DoD Directive 8140.
Working from home or in an office on a computer laptop

We recently covered the basic differences between U.S. Department of Defense (DoD) Directive 8570, the DoD 8570 manual (8570.01-m) and DoD Directive 8140. Now we’re going to focus on DoD Directive 8570. Although it is retired, it is an important milestone in cybersecurity workforce management for the U.S. government. Understanding DoD Directive 8570 provides a path to understanding the current DoD Directive 8140.

DoD Directive 8570 Defined

DoD Directive 8570 was issued in 2005 to identify, tag, track and manage the information assurance, or cybersecurity, workforce. It also established a manual that includes an enterprise-wide baseline IT certification requirement to validate the knowledge, skills and abilities of people working in cybersecurity roles. It was replaced by DoD Directive 8140 in 2015, which expands upon it.

Note: The DoD used the term information assurance to describe cybersecurity in 2005, but the term has since changed to cybersecurity in most cases.

The purpose of DoD Directive 8570 was twofold:

  • Establish policy and assign responsibilities for DoD Information Assurance (IA) training, certification and workforce management.
  • Authorize the publication of DoD 8570.01-m.

DoD Directive 8570 addresses the contractors and entities of the DoD – including military and defense agencies – that provide cybersecurity (or IA, at the time) functional services for DoD information systems.

The directive includes three important policies:

  1. Privileged users and IA managers shall be fully qualified, trained and certified to DoD baseline requirements to perform their IA duties.
  2. All IA personnel shall be identified, tracked and managed so that IA positions are staffed with personnel trained and certified by category, level and function.
  3. IA certification and training shall be monitored and reported as an element of mission readiness.

These policies made a big difference for U.S. DoD cybersecurity readiness. Not only did the DoD continue with DoD Directive 8570 for 10 years, it expanded upon it with DoD Directive 8140.

What Cybersecurity Certifications Are Approved for DoD 8570?

DoD Directive 8570 did not specify which cybersecurity certifications meet the policy requirements. Instead, 8570.01-m was established to provide them. 8570.01-m is still used and actively managed by the DoD. An 8140 manual is expected to be released in the next year.

CompTIA’s 8570-approved certifications are listed in 8570.01-m, as shown in the following table. For a complete list of approved certifications, click here

DoD 8570.01-m Approved Certifications from CompTIA

Information Assurance Technical (IAT)

IAT Level I

IAT Level II

IAT Level III

 

CompTIA A+

CompTIA Network+

CompTIA Security+

CompTIA CySA+

CASP+

 

Information Assurance Management (IAM)

IAM Level I

IAM Level II

IAM Level III

 

CompTIA Security+

CompTIA Cloud+

CASP+

-

 

Information Assurance Security Architecture and Engineering (IASAE)

IASAE I

IASAE II

IASAE III

 

CASP+

CASP+

-

 

Cyber Security Service Provider (CSSP)

CSSP Analyst

CSSP Infrastructure Support

CSSP Incident Responder

CSSP Auditor

CompTIA CySA+

CompTIA Pentest+

CompTIA Cloud+

CompTIA Cloud+

CompTIA CySA+

CompTIA CySA+

CompTIA PenTest+*

CompTIA CySA+

CompTIA PenTest+*

*CompTIA PenTest+ is pending 8570.01-m approval for CSSP Analyst, CSSP Incident Responder and CSSP Auditor.

What Training Is Required to Achieve DoD 8570 Approval?

Personnel required to obtain specific cybersecurity certifications for their position category may need training. DoD Directive 8570.01-m does not specify training requirements, so IT pros need to decide what training options will best prepare them for certification.

How to Become DoD 8570.01-m Compliant

DoD Directive 8570 and 8140 use 8570.01-m to outline cybersecurity certification requirements for specific job categories. Most DoD-related organizations are required to comply. Examples include cybersecurity workers in the Air Force and workers performing DoD work with defense contractors, such as General Dynamics IT (GDIT).

Personnel receive a position category, such as IAT II. The category determines which certifications will satisfy the requirement. For example, someone in an IAT II role could earn CompTIA Security+ for DoD 8570 compliance. You will learn more about position categories in the next article of this series.

For more information on how to comply with DoD 8570.01-m, read Steps to Obtain a DoD 8570 Baseline Certification at the DoD Cyber Exchange. 

What’s the Difference Between 8570 vs. 8570.01-m vs. 8140?

Directive 8140 is the updated version of Directive 8570; it was created to expand work roles. Directive 8140 leverages workforce frameworks, such as the Defense Cybersecurity Workforce Framework (DCWF) (based off the National Initiative for Cybersecurity Education (NICE) framework) to identify seven broad categories, 33 specialty areas and 54 work roles.

DoD Directive 8570.01-m has accompanied both Directives 8570 and 8140 and lists cybersecurity job position categories and certification requirements. The 8140 manual is expected to identify new requirements including cybersecurity certifications, training and on-the-job experience, but those won’t be known until the new manual is released.  

Stay tuned for two more articles that dive further into these DoD directives. In the next article, we’ll tackle the rationale for DoD 8140 and discuss its goals in more detail. 

Whether you work for the DoD or in the corporate sector, CompTIA certifications validate the skills you need for IT. See which certification is right for you and download the exam objectives for free.

--

Patrick Lane, M.Ed., Network+, MCSE, CISSP, directs cybersecurity workforce certifications for CompTIA, including Security+, PenTest+, CySA+, and CASP+. He assisted the U.S. National Cybersecurity Alliance (NCSA) to create the “Lock Down Your Login” campaign to promote multi-factor authentication nationwide. He has implemented a wide variety of IT projects as a network, security and server administrator, security analyst and architect. Patrick is an Armed Forces Communications and Electronics Association (AFCEA) lifetime member, born and raised on U.S. military bases, and has authored and co-authored multiple books, including Hack Proofing Linux: A Guide to Open Source Security.

Read More from the CompTIA Blog

Leave a Comment