Sign Up
Updated January 30, 2025
Fact-Checked

DoD Directive 8140: IT Training & Certification Requirements

Anyone trying to get a foot in the door of the IT world as it pertains to the defense industry will want to ensure they meet or exceed DoD standards […]

Inside This Article

    Anyone trying to get a foot in the door of the IT world as it pertains to the defense industry will want to ensure they meet or exceed DoD standards as previously set by DoDD 8570, now governed by DoDD 8140. DoDD 8140 provides guidance and procedures for the training, certification, and management of all government employees within cyberspace workforce positions.

    Department of Defense Directive 8570 (DoDD 8570) was an official federal government policy covering requirements for training and certifying those with access to certain information assurance functions of the Department of Defense.

    This DoD policy was replaced in 2015 by DoDD 8140, which is the official policy today and supersedes the prior DoDD 8570 (see below). DoDD 8570 codified the policies and duties of DoD information assurance operations, detailed training and certification requirements and related issues.

    A Brief History Of DoD 8570

    DoD Directive 8140

    Photo by Rick Naystatt

    Before 2005, there were no requirements or provisions for certification training to do information assurance work for the federal government. In 2005, DoDD 8570 was established to give specific guidance and requirements for these workers.

    DoDD 8570 made important changes in the way system administrators, technicians, and security managers did their jobs and met their training requirements.

    Streamlining Standard Requirements

    DoDD 8570 caught on in the federal workplace, becoming more popular and widely used until there was a need to break down requirements into a variety of categories or contexts. Those categories include:

    • Information Assurance Technician
    • Information Assurance Manager
    • Computer Network Defense
    • Information Assurance System Architecture and Engineering
    • Computing Environment

    Thanks to 8570, workers in these areas could be assigned specific certification requirements and some fell across more than one single category.

    DoDD 8140 Replaces 8570

    Ten years later, a replacement (which ultimately became DoDD 8140) was desperately needed; much of the original technology and/or software had been supplemented, upgraded, or replaced by newer, more efficient systems with their own sets of vulnerabilities.

    Work began to update DoDD 8570 in 2012, with the required tasks doubling as a result.

    It was clear that a more comprehensive policy would be needed and in 2015 DoDD 8140 was rolled out to replace the older DoDD 8570.

    The alphabet soup-style letter and number combinations may be a bit confusing, but the new policy outlined by DoDD 8140 would provide much more clear and relevant-to-current-systems-and-threats policies.

    Ultimately, DoDD 8570 was incorporated into DoDD 8140 with expanded features, but until the new requirements could be fully implemented, compliance with the original standard was still necessary.

    There were interim fixes including a document known as DoD 8570.01-M which was billed as something that would “remain in effect until it is canceled formally” according to the DoD Cyber Exchange official site, public version. In the end, DoD Directive 8570 was replaced by the newer updated DoDD 8140.

    8140 Updates Standard Requirements

    DoD 8140 is known today as the Information Assurance Workforce Improvement Program and many sources cite the directive’s most common 8140-compliant IT and security certification as including A+, Network+, Security+, CEH, and CISSP.

    8140 was designed based on something known as the National Institute of Standard and Technology and National Initiative for Cybersecurity Education standard. 8140 requirements are listed under categories including:

    • Security Provision–may include jobs such as architecture and engineering. As well as operations that include information assurance compliance, software, and security engineering, system development, research, etc.
    • Operate/Maintain–this may include customer service, tech support, data administration, knowledge management, network service, and security analysis.
    • Protect/Defend–involving defense against cyberattacks, defense analysis, incident reporting, vulnerability assessment, and related areas.
    • Analyze–pertaining to different types of network analysis, resource intelligence, exploitation analysis, threat analysis, etc.
    • Operate/Collect–defined as applicable to cyber operations and planning, collection operations, planning and implementation.
    • Oversight and Development–pertaining to the legal consequences of conducting operations in the digital realm, with emphasis on planning, education, and awareness-raising.
    • Investigate–relevant to investigations and forensics work as it relates to online security or related issues.

    Who Must Comply with DoD 8140?

    Regardless of who (contractors, active duty, interns, civilian employees, etc.) is associated with work involving Defense Department information systems or how they are associated, DoD requirements under DoDD 8140 must be met. The following groups are just some of who may be required to be DoDD 8140-compliant:

    • Office of the Secretary of Defense
    • Military Departments
    • Chairman of the Joint Chiefs of Staff
    • Combatant Commands
    • Office of the Inspector General of the DoD
    • Defense Agencies
    • DoD Field Activities
    • Anyone performing IAT and IAM functions must be certified
    • Anyone in CSSP and IASAE roles must be certified
    • All IA jobs require certification whether categorized as ‘Technical’ or ‘Management’ Level I, II, or III positions

    How To Identify Information Assurance Positions That May Require IA Training

    In the context of identifying who must become 8140 compliant, the best way to proceed is to review the job position and job description of those jobs.

    Anyone performing Information Assurance functions may be required to be compliant, no matter if they are active duty, Guard, Reserve, civilian, Civil Service worker, or contractor.

    According to the Department of Defense, “Any person” filling such jobs are considered “automatically part of the Cyber or IA Workforce” regardless of the hours filled in that capacity as a part-time, full-time, embedded, or other types of duty.

    At the time of this writing, those seeking certification may be required to become familiar with one or both versions of the DoD compliance manual; IA Technical (IAT), and IA Management (IAM). Additionally, there are a pair of specialties at the time of this writing: Cyber Security Service Provider (CSSP) and IA System Architects and Engineers (IASAEs).

    Learn More About DoD 8140

    You can view the official site of the DoD 8140 Information Assurance Workforce Improvement Program Office or Call the Defense Information Assurance Program (DIAP) Office at 1-800-490-1643.

    • Written by Veteran.com Team

      The editorial team here at Veteran.com works to help the U.S. military community discover the many military benefits available to them. Our team is supported by our Veteran Review Board and its Standard of Care, which all content on Veteran.com is reviewed to meet.

    Find VA Approved Colleges that Accept Military & Veteran Benefits

    Get Started

    Search nearly 3,000 VA-approved school profiles to find your perfect fit.

    Copyright © 2025 Three Creeks Media, LLC

     

    Veteran.com is a property of Three Creeks Media. Neither Veteran.com nor Three Creeks Media are associated with or endorsed by the U.S. Departments of Defense or Veterans Affairs. The content on Veteran.com is produced by Three Creeks Media, its partners, affiliates and contractors, any opinions or statements on Veteran.com should not be attributed to the Dept. of Veterans Affairs , the Dept. of Defense or any governmental entity. If you have questions about Veteran programs offered through or by the Dept. of Veterans Affairs, please visit their website at va.gov. The content offered on Veteran.com is for general informational purposes only and may not be relevant to any consumer’s specific situation, this content should not be construed as legal or financial advice. If you have questions of a specific nature consider consulting a financial professional, accountant or attorney to discuss. References to third-party products, rates and offers may change without notice.

    Advertising Notice: Veteran.com and Three Creeks Media, its parent and affiliate companies, may receive compensation through advertising placements on Veteran.com. For any rankings or lists on this site, Veteran.com may receive compensation from the companies being ranked; however, this compensation does not affect how, where, and in what order products and companies appear in the rankings and lists. If a ranking or list has a company noted to be a “partner” the indicated company is a corporate affiliate of Veteran.com. No tables, rankings, or lists are fully comprehensive and do not include all companies or available products.

    Editorial Disclosure: Editorial content on Veteran.com may include opinions. Any opinions are those of the author alone, and not those of an advertiser to the site nor of Veteran.com.

    Information from your device can be used to personalize your ad experience.