Beginner’s Guide to Decoding DoDD 8570, 8570-M, and 8140
As you may have noticed in your own efforts to understand the cybersecurity certification landscape, there are dozens and dozens of certifications (certs) out there. CyberVista currently provides training for four certifications: CISSP (Certified Information Systems Security Professional) from (ISC)², CISM (Certified Information Systems Manager) from ISACA, CEH (Certified Ethical Hacker) from EC-Council, and the Security+ certification from CompTIA. Out of a huge field of certifications, these four are some of the most in-demand. So what sets them apart?
Well, outside of covering relevant and up-to-date cybersecurity content, these certifications are especially popular because the United States Department of Defense (DoD) recommends them by name.
Let’s get started by going back to the DoD. They tend to set policies and department-wide initiatives in two stages:
- First, they’ll put out something called a directive. You can think of the directive as an introductory policy document that lays out a program’s purpose, requirements, and directs who is in charge of making each component outlined in the policy happen.
- Sometime thereafter, the DoD will draft, and finally release and sign, something called a manual. This is a guidance document that contains all the procedures and information designated per the directive – the manual is the detailed, instructional piece.
DoD Directive 8570 and 8570-M
Back in 2004, the DoD Directive 8570 (DoDD 8570) was released; it was later signed into effect on December 19, 2005. This directive established foundational policies and assigned responsibilities for DoD’s efforts in Information Assurance (IA) training, certification, and workforce management. There are two types of roles within IA:
- Information Assurance – Technical (IAT)
- Information Assurance – Management (IAM)
DoDD 8570 meant that everyone who, in any way, touched intelligence, missions, and security in cyberspace working for or with the United States DoD (i.e. active-duty military service members, full-time government employees, and government contractors) would need to be trained and qualified per the standards outlined in the directive.
Eventually, the 8570 manual was released, and so began the process of the cyber community abiding by these rules for managing and qualifying the cyber workforce.
The manual outlined three levels within each of the IAT and the IAM categories, which correspond to the type of certification, the degree of experience, and extent of needed supervisory skills that a particular role requires.
You will often see an “Approved Baseline Certifications” chart showcasing three distinct levels, housing different certifications in each cell. The listed certifications are the minimum certification(s) a professional must hold to work in that particular role. This means that an individual must hold at least one of those listed certifications to satisfy the hiring requirements for a given role.
CISSP, CISM, CEH, and Security+ are some of the most common certs in the baseline chart, so it makes sense why CyberVista supports those particular training courses. You may have already seen one or more of those four certs listed in many job requirements, especially if you’re looking in the defense contracting space. If you’re looking to work in other areas of the government, you may see similar certification requirements.
Covering Our Six
One thing you’ll soon learn if you haven’t already, is that there is no such thing as a “coincidence” in the world of cybersecurity. So, not by coincidence, one of CyberVista’s Advisory Board Members knows exactly why DoD set out on the mission to build 8570: meet Robert F. Lentz.
Lentz is currently a senior advisor to the Cyber Security Consulting Group (CSCG), and is the former Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance (CIIA). From 2000 to 2009, he served as the Chief Information Security Officer (CISO) for DoD. Lentz helped build a monumental program on addressing the need for cybersecurity workforce development. Lentz recently shared his thoughts on the early days of developing DoDD 8570.
When 8570 was first imagined, commanders and cyber experts fully recognized “that the lack of a capable DoD workforce [was] our Achilles Heel.” Sure, there were new tools and technology available, but operationally, people just weren’t able to keep up. That recognition was further cemented by the same gap we continue to see today between available jobs and the “key cyber positions being filled or the right skill sets in place.”
Following suit to similar, already-successful military programs, DoD leveraged professional certifications as one of the tools in cybersecurity qualification and standardization. The thinking was that a substantial program in place could help strengthen the DoD workforce and even “drive recruitment and retention” for cyber professionals.
DoD Directive 8140
Ten years following the signing of the 8570 manual, DoDD 8140 was introduced, outlining a suitable policy replacement to match the changing cybersecurity landscape.
DoDD 8140 was signed in 2015. This new directive also gave the green light for a council to be developed to ensure that the program would be effectively implemented. 8140 included updates and expanded details for those policies and responsibilities we saw in 8570.
Remember when we mentioned it sometimes takes years for a manual to be finished? Well, the 8140 manual still has not been released.
While we wait for the new manual, cybersecurity professionals must continue to reference the 8570 manual. So, for the time being, we’re using the 8140 directive and the 8570 manual. Make sense?
The Delta on 8140
Given that the manual has yet to be released, the cyber community has only been able to use the published 8140 directive and the rumor mill to really spell out the difference between the 8140 and 8570 manuals. Lentz shared with us that he thinks the 8140 manual will be “more flexible and inclusive than 8570,” and that it will “emphasize hands-on experience and training,” which is something he mentioned he actually wanted to see in 8570.
It may sound like an update to 8570 is long overdue, but let’s not take away from the success of the program. 8570 blazed a trail for workforce development in both DoD and the cybersecurity industry at large.
Want to Advance within the DoD?
If you’re looking to advance your career within the U.S. Department of Defense, we’d love to help. Check out our flexible and comprehensive online training for some of the required certifications listed for DoDD 8570/8140 including the CISSP, CISM, CEH, and Security+ certifications. If you manage a team of practitioners in or supporting the DoD, please get in touch with us through our government program specifically designed for teams like yours. See you in class!