DoD Directive 8140 – The Next Generation Directive

DoDD 8570 had acted as the backbone of cybersecurity readiness for ten years, but as the internet matured, so did the need for a revised directive. So, in 2015, the DoD CIO began work on DoD Directive 8140.01 (referred to here as simply DoDD 8140).

DoD Directive 8140 effectively replaces DoD Directive 8570. DoDD 8570 is now part of a larger initiative that falls under the guidelines of DoDD 8140. While the manual for 8140 is still being drafted, and the directive is not fully promulgated, it is increasingly being reviewed and showing up in requirements.

DoDD 8140 incorporates the DoD Cyber Workforce Framework (DCWF) which drew heavily from the National Initiative for Cybersecurity Education (NICE) framework, developed by none other than the National Institute of standards and technology (NIST). This is valuable because:

The granularity of the NICE framework creates great cyber workforce opportunities, including:
Expanded coverage to individuals working directly in cybersecurity, or who are significant influencers into an organization’s cybersecurity practices
- Expands and adequately addresses the myriad of paths that lead to the proficiency and compliant levels for cybersecurity workers (degrees, on-the-job training, etc.)
Adopts a methodology and framework that helps span from DoD through the rest of the Federal Government and into the commercial space

DoDD 8140 allows for more granular compliance and credentialing management as roles are more clearly defined.

DoDD 8140 Requirements

All personnel performing IAT and IAM functions must be certified.
All personnel performing CSSP and IASAE roles must be certified.
All IA jobs will be categorized as ‘Technical’ or ‘Management’ Level I, II, or III, and to be qualified for those jobs, you must be certified.

DoD Approved 8140 (DoDD 8570) Baseline Certifications

IAT Level I	IAT Level II	IAT Level III
A+ CE CCNA-Security CND Network+ CE SSCP	CCNA Security CySA+ ** GICSP GSEC Security+ CE CND SSCP	CCNA Security CySA+ ** GICSP GSEC Security+ CE CND SSCP

IAM Level I	IAM Level II	IAM Level III
CAP CND Cloud+ GSLC Security+ CE HCISPP SSCP	CAP CASP+ CE CISM CISSP (or Associate) GSLC CCISO HCISPP	CISM CISSP (or Associate) GSLC CCISO

IASAE I	IASAE II	IASAE III
CASP+ CE CISSP (or Associate) CSSLP	CASP+ CE CISSP (or Associate) CSSLP	CISSP-ISSAP CISSP-ISSEP CCSP

CSSP Analyst¹	CSSP Infrastructure Support¹	CSSP Incident Responder¹
CEH CFR CCNA Cyber Ops CCNA-Security CySA+ ** GCIA GCIH GICSP Cloud+ SCYBER PenTest+	CEH CySA+ ** GICSP SSCP CHFI CFR Cloud+ CND	CEH CFR CCNA Cyber Ops CCNA-Security CHFI CySA+ ** GCFA GCIH SCYBER PenTest+

CSSP Auditor¹	CSSP Manager¹
CEH CySA+ ** CISA GSNA CFR PenTest	CISM CISSP-ISSMP CCISO

8140 vs. 8570 – The Differences

While DoDD 8140 (generally) expands on DoDD 8570, there are some specific differences worth noting.

Role organization
- DoDD 8570 has a flat structure to determine the information assurance (IA) level required
- Each level has a flat number of possible certifications or trainings required to address it
8140 / NICE groups into work roles

A work role carries with it a number of Tasks, Knowledge, and Skills statements (TKS).
The resulting TKSs can then be collected for an individual worker
To achieve proficiency for a given task, those Knowledge and Skills can be obtained by a large number of overlapping certifications, on the job experience, and degrees

The CyberSTAR Advantage

WillCo Tech’s CyberSTAR™ solution is the largest Credentials Management and Cyber Workforce Compliance software system in use by the Federal Government. The WillCo Tech-developed software solution tracks training credentials and certifications for more than 1.8 million government users.

CyberSTAR is helping the Department of Defense and its move to DODD 8140 by offering: