DoD Directive 8140: IT Training & Certification Requirements

Updated: March 22, 2021

    Anyone trying to get a foot in the door of the IT world as it pertains to the defense industry will want to ensure they meet or exceed DoD standards as previously set by DoDD 8570, now governed by DoDD 8140. DoDD 8140 provides guidance and procedures for the training, certification, and management of all government employees within cyberspace workforce positions.

    Department of Defense Directive 8570 (DoDD 8570) was an official federal government policy covering requirements for training and certifying those with access to certain information assurance functions of the Department of Defense.

    This DoD policy was replaced in 2015 by DoDD 8140, which is the official policy today and supersedes the prior DoDD 8570 (see below). DoDD 8570 codified the policies and duties of DoD information assurance operations, detailed training and certification requirements and related issues.

    A Brief History Of DoD 8570


    Before 2005, there were no requirements or provisions for certification training to do information assurance work for the federal government. In 2005, DoDD 8570 was established to give specific guidance and requirements for these workers.

    DoDD 8570 made important changes in the way system administrators, technicians, and security managers did their jobs and met their training requirements.

    Streamlining Standard Requirements

    DoDD 8570 caught on in the federal workplace, becoming more popular and widely used until there was a need to break down requirements into a variety of categories or contexts. Those categories include:

    • Information Assurance Technician
    • Information Assurance Manager
    • Computer Network Defense
    • Information Assurance System Architecture and Engineering
    • Computing Environment

    Thanks to 8570, workers in these areas could be assigned specific certification requirements, and some fell across more than one category.

    DoDD 8140 Replaces 8570

    Ten years later, a replacement (which ultimately became DoDD 8140) was desperately needed; much of the original technology and/or software had been supplemented, upgraded, or replaced by newer, more efficient systems with their own sets of vulnerabilities.

    Work began to update DoDD 8570 in 2012, with the required tasks doubling as a result.

    It was clear that a more comprehensive policy would be needed and in 2015 DoDD 8140 was rolled out to replace the older DoDD 8570.

    The alphabet soup-style letter and number combinations may be a bit confusing, but the new policy outlined by DoDD 8140 would provide much clearer policies that are more relevant to current systems and threats.

    Ultimately, DoDD 8570 was incorporated into DoDD 8140 with expanded features, but until the new requirements could be fully implemented, compliance with the original standard was still necessary.

    There were interim fixes, including a document known as DoD 8570.01-M, which was billed as something that would “remain in effect until it is canceled formally” according to the DoD Cyber Exchange official site, public version. In the end, DoD Directive 8570 was replaced by the newer updated DoDD 8140.

    8140 Updates Standard Requirements

    DoD 8140 is known today as the Information Assurance Workforce Improvement Program, and many sources cite the directive’s most common 8140-compliant IT and security certifications as including A+, Network+, Security+, CEH, and CISSP.

    8140 was designed based on the National Institute of Standards and Technology and National Initiative for Cybersecurity Education standard. 8140 requirements are listed under categories including:

    • Security Provision–may include jobs such as architecture and engineering, as well as operations that include information assurance compliance, software, and security engineering, system development, research, etc.
    • Operate/Maintain–this may include customer service, tech support, data administration, knowledge management, network service, and security analysis.
    • Protect/Defend–involving defense against cyberattacks, defense analysis, incident reporting, vulnerability assessment, and related areas.
    • Analyze–pertaining to different types of network analysis, resource intelligence, exploitation analysis, threat analysis, etc.
    • Operate/Collect–defined as applicable to cyber operations and planning, collection operations, planning and implementation.
    • Oversight and Development–pertaining to the legal consequences of conducting operations in the digital realm, with emphasis on planning, education, and awareness-raising.
    • Investigate–relevant to investigations and forensics work as it relates to online security or related issues.

    Who Must Comply with DoD 8140?

    Regardless of who (contractors, active duty, interns, civilian employees, etc.) is associated with work involving Defense Department information systems or how they are associated, DoD requirements under DoDD 8140 must be met. The following groups are just some of those who may be required to be DoDD 8140-compliant:

    • Office of the Secretary of Defense
    • Military Departments
    • Chairman of the Joint Chiefs of Staff
    • Combatant Commands
    • Office of the Inspector General of the DoD
    • Defense Agencies
    • DoD Field Activities
    • Anyone performing IAT and IAM functions must be certified
    • Anyone in CSSP and IASAE roles must be certified
    • All IA jobs require certification whether categorized as ‘Technical’ or ‘Management’ Level I, II, or III positions

    How To Identify Information Assurance Positions That May Require IA Training

    To identify who must become 8140 compliant, the best way to proceed is to review each position and its job description.

    Anyone performing Information Assurance functions may be required to be compliant, no matter if they are active duty, Guard, Reserve, civilian, Civil Service worker, or contractor.

    According to the Department of Defense, “Any person” filling such jobs is considered “automatically part of the Cyber or IA Workforce” regardless of the hours filled in that capacity as part-time, full-time, embedded, or other types of duty.

    At the time of this writing, those seeking certification may be required to become familiar with one or both versions of the DoD compliance manual: IA Technical (IAT) and IA Management (IAM). Additionally, there are a pair of specialties: Cyber Security Service Provider (CSSP) and IA System Architects and Engineers (IASAEs).

    Learn More About DoD 8140

    You can view the official site of the DoD 8140 Information Assurance Workforce Improvement Program Office or call the Defense Information Assurance Program (DIAP) Office at 1-800-490-1643.

    About The Author

    Joe Wallace is a 13-year veteran of the United States Air Force and a former reporter for Air Force Television News.

    Written by Team