In 2015, the Department of Defense signed off on DoD Directive 8140, which replaced the earlier directive DoD Directive 8570. In plain English, that means the IT training and certification requirements for more than 100,000 government employees and contractors changed with a stroke of a pen.
As a training partner of many DoD-approved certifications, we obviously keep an eye on this type of news. Because many state and local governments and private companies inform their information security training programs after the DoD’s gold standard, that number is actually much higher.
What actually changed?
To get a sense of what to expect, let’s take a look at what happened when the DoD rolled out Directive 8570. The now-outdated DoD Directive 8570 was signed into existence in 2004. First, they published a policy, and then they released a manual. The policy was only five pages and outlined what needed to be done to train their information professionals.
In 2005, the DoD released the 96-page 8570 manual, which filled in the details about the information security training framework, position requirements, and experience levels. It’s pretty easy to follow. You can see it here. In the first two matrices, you’ll see that an information professional would move through six professional development categories outlined in the “Directive matrix,” which starts at IAT I (entry-level) to IAM III (senior-level manager).
In the same chart, you’ll see two other levels of certification for Information Assurance Systems Architect and Engineer (IASAE) and Cybersecurity Service Provider (CSSP). Particularly when looking at the Level II and Level III requirements, you’ll see the hands-on, practical exams, which are considered some of the most difficult IT security certifications to earn.
A side note: You’ll see that 8570.01-M refers to Computer Network Defense – Service Provider (CND-SP) specialty. In many other instances, these are synonymous with the CSSP specialty.
Needless to say, a lot has changed in the past 14 years, so a lot is going to change in the new DoD 8140 manual. The policy has already been published, and it can be seen that the government has become more comfortable with then-nascent technology and that the types of certifications available to professionals have expanded. In particular, certifications have started emphasizing hands-on experience — a big move.
While the DoD writes the 8140 manual, they’ve edited the 8570 manual to 8570.01-M, which is now the law of the DoD IT training land. And, when we say edited, they literally used red strikethrough font to indicate the changes. You can see it here.
The biggest change will be NICE
Here’s what we know. The training framework in the DoD Directive 8140 manual will be based on the National Initiative for Cybersecurity Education (NICE) framework, which emphasizes hands-on (or “live fire”) training, and assigns actual tasks that could be a better determination as to whether someone is qualified to handle real-world scenarios.
In addition to hands-on training, 8140 breaks the required skills for applicable jobs into seven basic categories: Security provision, operate and maintain, protect and defend, analyze, collect and operate, oversee and govern, and investigate.
The National Initiative for Cybersecurity Careers and Studies has an even better breakdown of the categories, specialty areas, and work roles.
Until the DoD releases the 8140 manual, 8570.01-M will remain the best source for information about career progression and certification within the 8140 framework, which means you can keep training on those certifications.
Where to train for DoD Directive 8140
Most certifying authorities (like CompTIA, Cisco, and (ISC)2) have already started realigning their course objectives to the new directive. When the DoD moves its entire workforce toward hands-on, practical exams, the industry notices. And when course objectives change, training has to change right alongside it. With our comprehensive learning experience, CBT Nuggets definitely has you covered to take on these new and improved certs with full force.
You can contact me directly if you have any questions about how CBT Nuggets can provide training for DoDD 8140 compliance at firstname.lastname@example.org.