8140 Manual Likely to Replace 8570.01-M in 2020
The Department of Defense is likely to release the DoD 8140 manual in 2020 or early 2021. The Qualification Program has been finalized. The 8140 Manual passed the Legal Sufficiency Review back in April, and has entered Formal Coordination stage.
For the last two years, we've been watching the public DoD Cyber Workforce newsletter for 8140 updates — and even compiled every 8140 status update since 2019 into a blog post. We are watching 8140 so closely because CBT Nuggets proudly serves the military and federal workforce with IT training for both 8570 and 8140.
As of July 2020, the long-awaited 8140 manual sits at the White House for review. Admittedly, the current White House review is not the final review. However, it seems likely the long-awaited 8140 Manual could be less than six months away from release.
According to the National Institute of Standards and Technology, DoDD 8140 is designed to accomplish three primary goals:
- Reissues and renumbers DoD 8570 to update and expand established DoD policies and assigned responsibilities for managing the DoD cyberspace workforce.
- Authorizes the establishment of a DoD cyberspace workforce management council to ensure that the requirements of this directive are met.
- Unifies the overall cyberspace workforce and establishes specific elements to align, manage and standardize work roles, baseline qualifications and training requirements.
When the 8140 Manual is released, it will change the landscape of the federal cyber landscape in a few profound ways. The eventual release and implementation of 8140 will further standardize a balkanized training framework at the DoD, better define job roles and responsibilities, and more comprehensive training.
8140 Updates a Training Structure Created in 2005
In 2015, 8140 officially replaced DoDD 8570, which was released in 2005. Let's break that down. In 2005, the DoD implemented sweeping changes to it's security and access policies for anyone working on a DoD network — as well as its technical workforce. That was 8570.
For anyone who works for or with the federal government, you're probably familiar with the three tiers of the 8570 training matrix:
- Information Assurance Technician (IAT), with Levels 1, 2, and 3
- Information Assurance Management (IAM), with Levels 1, 2, and 3
- Information Assurance System Architect and Engineer (IASAE), with Levels 1, 2, and 3
- Cyber Security Service Provider (CSSP), with named levels of Analyst, Infrastructure Support, Incident Responder, Auditor, and Manager
The DoD has made a few changes to the matrix since 2005, but it's fundamentally the same.
A lot has changed in our understanding of cybersecurity since 2005, but the DoD and the military services still use the 8140 manual. They've changed the name to 8570.01-M to indicate that it's a stopgap, but it's still 8140 at its core. If you take a look through the manual, there are literally red strikethroughs to certifications and training tiers that no longer apply.
To understand the differences between 8140 and 8570, read our full analysis.
The tiered-structure isn't expected to change in 8140, but it's going to be significantly easier to change training requirements and classify jobs. The key to those changes is in skills-based training.
8140 Means Skills-Based Training
Microsoft recently shook up their certification program by moving away from product-based certifications — and toward role-based certifications. The 8140 program takes that a step further by breaking down their roles and training into skills.
DoDD 8140 is inherently more skills-focused, allowing jobs to be defined by their requisite skills and not by the rigid, pre-defined structure shown above. By moving to a skills-based approach to training, 8140 makes it easier to classify hard-to-classify jobs, delegates some qualification structures to ANSI, and creates a nimble training program for a fast-paced world.
8140 Makes it Easier to Classify Jobs — and Hire
With 8140, jobs within the DoD will be defined by their skills, and technical professionals will be able to certify proficiency in those skills with as few as one certification. This change will make it easier to more closely align jobs that were previously hard to classify with their actual training requirements.
For example, 8570 made no provision for software developers, believe it or not. In the rigid 8570 system, programming jobs are either over-classified or under-classified, which made some positions nearly impossible to fill. The 8140 structure is expected to fix that.
8140 Makes Training More Nimble
It's easy to assume that updated government regulations require more rigidity and limit career options, but this isn't necessarily the case.
Take a look at the list of approved certifications. Each ANSI baseline certification level was expanded in 8140, with notable additions including CompTIA Advanced Security Practitioner (CASP) and Certified Ethical Hacker (CEH).
Because only one approved cert is required at each level, the expanded list of approved certifications actually broadens the base of potential approved information assurance professionals. The list is designed to be continually updated, emphasizing its evolving nature.
Since approval is delegated to ANSI, it circumvents delays typical of any federal approval process, underscoring the priority of keeping up with an evolving tech world.
In many situations, the guidance is characterized by common sense. For IAT and IAM roles, higher-level certifications satisfy lower-level requirements. For example, if you have a CCNP, there's no need to go out and take a CCNA exam just to check the box. However, with IASAE and CSSP roles, certification requirements are ironclad: if the chart indicates a particular cert for a position, you must have that specific one, and nothing else (even a more advanced certification) can replace it.
For civilians, the process of getting certified is relatively simple. Identify the role-based requirements of the job you're pursuing, review the approved baseline certifications, and select which one you'd like to pursue. If you're currently working in a DoD organization and want to be proactive, you'll need to do some coordination with your Information Assurance Manager. The previous link gives tips on where to look in the Manual for detailed position descriptions and tips on identifying your specific role.
8140 Incorporates the NICE Framework
The 8140 guidance is designed to be more inclusive when it comes to certification requirements and more flexible in its approach to cybersecurity. The DoD Cyber Workforce Framework (DCWF) is split into 7 main categories, with 33 specialty areas and 54 work roles defined under each of these.
In a recent analysis, we broke down the similarities and differences between the NICE framework and 8140 by each of the seven categories:
- Securely Provision
- Operate and Maintain
- Protect and Defend
- Collect and Operate
- Oversight and Development
Ultimately, they're very similar. The NICE framework heavily informs the DCFW, but the actual 8140 manual will include work roles not included by NICE.
You can read a deep dive about the similarities and differences between the NICE framework and 8140 in our full analysis.
The result: 8140 will be a more nimble policy with greater staying power in a quickly moving cybersecurity environment.
Shaping the Future
In 2005, 8570 was an incredible leap forward in cybersecurity and technical training policy, but it also became clear that the structure 8570 implemented was too rigid for the rapidly evolving landscape of information technology.
Not many details have been made public about the future of 8140, but we do know a few things.
First, the basic procedures outlined in 8570 will remain largely the same. There will be some additions, deletions, and modifications, but we'll still be dealing with an animal that at least resembles what we've come to know. Expect major modifications in tech areas that have experienced substantial change since the 8570 Manual was initially published, such as the cloud and smartphones.
Second, the emphasis on certification will be skill-based training, not job- or role-based training. This reflects a larger move within the IT community.
Finally, the partnership between the DoD and external accreditation sources seems to be getting closer.
These are all positive steps forward. As guidance becomes available and more clarity is issued, we'll continue to keep up updated here at CBT Nuggets.