When the Department of Defense passed down the new Directive 8140 in 2015, the IT training world took note. (We certainly did.) It signaled a major change in how cybersecurity training would be stratified and administered.
What is DoD Directive 8140?
If you’re unfamiliar with DoD Directive 8140, then you must be new here. Let’s back up a little. First, there was DoD Directive 8570, which was signed into policy in 2004, and structured the “training, certification, and management” of every person in a DoD information assurance (IA) function. In sum, that’s more than 100,000 information professionals — both government employees and contractors. The impact is even greater when you consider that other federal agencies, state and local authorities, and even private companies follow the DoD’s lead.
When the 96-page 8750 manual came out in 2005, we saw that the DoD structured their cybersecurity personnel into two tiers — technicians and managers, each comprising three levels of proficiency. The workforce structure had six categories through which DoD employees would pass as they accrued experience, acquired responsibility, and earned increasingly more advanced certifications. It also has two specialty tiers — Information Assurance Systems Architect and Engineer (IASAE) and Cybersecurity Service Provider (CSSP).
You can see the current 8750.01-M tiers in this blog post.
In 2015, DoD raised the stakes again by implementing a new policy Directive 8140. Just like in 2004, the DoD signed the policy and then started working on the manual to fully direct the workforce development. As a stop-gap measure, the DoD edited the existing manual (and called it 8570.01-M) to implement some of the changes while it works on the 8140 manual.
That’s where we are now. The IT training industry again responded quickly, but the ultimate direction for Directive 8140 is still forthcoming. So, there’s not much to do — yet.
The devil is in the details
How do you remain compliant? Right now, all you have to do is keep your certifications current as outlined by the 8570.01-M. However, it’s important to note that DoD is rather finicky about their regulations. In the event that you undergo an audit, here are a few things you should know.
You can only occupy on specialty at a time. We understand that IT professionals often wear many different hats, but there’s not really room for that classification in the 8570/8140 frameworks. It’s specifically stated that anyone performing functions in multiple specialties should be designated based on the one “that most closely aligns with the position’s primary responsibilities and functions.” In most cases, you’ll be required to earn certifications based on your highest level function.
Continuing education. Each of these occupation categories requires at least 20 to 40 hours of annual training to maintain certification status. Luckily, most of the certifying authorities that administer the exams bake these requirements into their recertification structure. CompTIA is particularly good about this, offering a wide range of activities for continuing education (CE) credit hours. As a CompTIA partner, CBT Nuggets courses are pre-approved for CE hours.
You have six months to get certified. Any new employees must be compliant within six months of employment — and that goes for promotions or lateral moves. Old, traditional 8570 rules gave companies four years to be compliant, so the amount of time you have to earn certification has been dramatically reduced.
You have to start at Level I. In the IAT track, you can’t just earn your Level III baseline certification and automatically get Level I and II certification. These technical levels are cumulative in nature. Instead, you’ll need to earn the baseline certifications for Level I, then Level II, and finally Level III.
IAM certs aren’t necessarily cumulative. While managers don’t necessarily need to start from Level I, they do need to earn the certifications at their respective levels. Here’s where the “necessarily” comes in. If an IAM has any IAT functions, then they’ll need to earn the certifications for that IAT level.
If your IT team works with government infrastructure, understanding how you stay compliant should be a top priority. As a GSA-approved vendor, CBT Nuggets will be reporting about emerging details about the new Directive 8140, its future implementation and adjusting its training to comply with the evolving standards imparted by the DoD. Stay tuned.
You can contact me directly if you have any questions about how CBT Nuggets can provide training for DoDD 8140 compliance at email@example.com.