If you’re an information systems security professional, it’s important to be familiar with the DoD 8570. If you’re not sure what this is or aren’t clear on some aspects of it, this guide is here to walk you through what you need to know.
We’ll go over:
By the end, you should have a more solid understanding of what it is, and some concrete ideas for what to do next. We also have a full breakdown on the DoD’s Cybersecurity Maturity Model (CMMC)
Let’s get started!
DoD 8570 stands for Department of Defense (DoD) Directive 8570, also known as the Information Assurance Workforce Improvement Program. One of the first important things to note about the DoD 8570 is that it isn’t actually a qualification or certification — it’s a policy.
That means your goal won’t be to get ‘qualified’ for the DoD 8570, instead, you should be aiming to become compliant with it. This is done by getting a range of separate cybersecurity certifications, which we’ll cover in more depth later in the post.
You may have heard that the DoD 8570 is in the process of being replaced by the DoD 8140, which is correct. However, it’s expected to be a few years before this is complete, so the 8570 will be the relevant directive until then.
The DoD 8570 was established in 2005 to address the problem of unqualified workers doing cybersecurity work for the DoD. For obvious reasons, having staff working on issues of national security without proper training was a big concern for the federal government.
The DoD 8570 ensures all staff working with information security within the DoD are properly qualified. This is done by requiring members of staff to attain certain respected certifications.
These required certifications are divided into categories based on the kind of work the person will be doing. We’ll get into this in more detail later on.
Anyone working in the above jobs will need to become DoD 8570 compliant. In addition to that, anyone hoping to work for the DoD at some point should also consider getting the relevant qualifications.
In that sense, becoming DoD 8570 compliant comes with a lot of potential career options, such as the ability to work in defense and use your skills to make a real difference to national security.
Your road to DoD compliance is going to depend on the kind of work you do. As mentioned above, the required qualifications are grouped into categories. The two main categories are Information Assurance Technical (IAT) and Information Assurance Management (IAM). Let’s dive into those a little deeper.
These categories are further broken down into three levels based on the responsibilities of the job.
In the rest of the guide, we’ll take you through each of the levels for each category. We’ll look at the jobs you need each level for, the options for certification, some training advice, and the skills you’ll gain at each level.
Only one certificate is needed at each level to become compliant. The good news here is that there are several options for certifications at each stage.
Let’s start with the IAT levels, for technical-level staff. If the IAM applies to you instead, you can skip this part and scroll down to that section below.
As you browse, please note that you are not required to satisfy one level of DoD compliance before moving to the next. For example, you may achieve IAT Level II compliance without first becoming IAT Level I compliant. However, be advised that some certifications do have prerequisites that are not directly tied to their DoD compliance level, and you may still need to satisfy those unassociated prerequisites before earning a given certification.
The first level of the IAT category is for personnel with 0-5 years of experience. Their role is to fix flaws, implement IAT controls, and perform basic security controls.
According to the DoD 8570, these are some of the functions that level 1 IAT personnel will be expected to perform:
This is a solid base for any IT career, focusing on IT operations, problem-solving, troubleshooting, and networking. It includes operating systems and mobile devices. To become certified in CompTIA A+, you must pass two exams: Core 1 (220-1001) and Core 2 (220-1002), which are 90 minutes each and no more than 85 multiple choice / performance-based questions.
The CompTIA A+ would be a good fit for jobs such as support specialist and field service technician.
This is another fundamental IT qualification, with a sharper focus on networks. Skills gained here include how to troubleshoot, manage, and configure networks, and how to design and implement functional networks. It covers basic networking concepts and infrastructure, with some focus on security.
The exam contains 90 multiple choice questions and is 90 minutes long.
The CompTIA Network+ is a good choice for computer technicians, IS consultants, systems engineers, and network analysts.
The Systems Security Certified Practitioner from (ISC)² is focused on operation security. It teaches students how to implement, monitor, and administer IT infrastructure with security best practices. The exam consists of 125 multiple choice questions with a time limit of 3 hours.
This qualification applies best to job titles like network security engineer, security consultant, and security analyst.
With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.
Level 2 of the IAT generally applies to people with at least 3 years experience in information assurance technology or a similar area. It requires mastery of the IAT level 1 functions.
At this level, personnel tend to focus more on security-related duties like intrusion detection, finding and fixing vulnerabilities, and improving the security of systems.
According to the DoD 8570, these are some of the functions that level 2 IAT personnel will be expected to perform:
Jobs for IAT level 2 professionals include:
This certification is aimed at security professionals. It requires candidates to demonstrate an understanding of information security beyond basic concepts and terminology, covering areas like active defense, contingency plans, endpoint security, threat hunting, and wireless network security. The exam contains 180 questions with a time limit of 5 hours.
It’s a pathway to jobs like Information Security Systems Officer, Information Security Engineer, Information Security Analyst, and Senior Cyber Security Engineer.
GICSP will assess a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.
CompTIA Security+ focuses on baselines skills for core security functions. It’s made up of performance based questions, with an emphasis on practical skills, and comprises some of the latest trends and techniques. The exam consists of 90 multiple choice questions with a 90-minute time limit.
This is a good fit for jobs like Systems Administrator, Network Administrator, Security Specialist, Security Consultant, and Junior IT Auditor/Penetration Tester. More on the value of Security+ certification here.
CompTIA Cybersecurity Analyst (CySA+) is an IT workforce certification that applies behavioral analytics to networks and devices to prevent, detect and combat cybersecurity threats.
The SCNP stands for Security Certified Network Professional and covers hands-on information security skills. For this qualification, you’ll need to already have the SCNS certification.
The SCNP demonstrates prevention techniques, risk analysis, and security policy creation among other things, and builds on foundational skills like cryptography, ethical hacking techniques, and creating a security policy. The exam takes the form of multiple choice questions.
Jobs the SCNP qualifies students for include Security Analyst, Information Security Consultant, and Systems Administrator.
(Covered in the above section)
Level 3 of the IAT concerns professionals with at least seven years experience in information assurance who have expert knowledge of the IAT level 2 and 3 functions.
Professionals at this level are expected to fulfill high-level, possibly leadership roles and be responsible for secure integration and operation of systems.
According to the DoD 8570, these are some (but not all) of the functions that level 3 IAT personnel will be expected to perform:
Jobs for IAT level 3 professionals include high-level technical roles like Chief Information Security Officer, Information Technology Manager, and PCI Security Specialist.
The Certified Information Systems Auditor certification is aimed at high-level IT professionals and demonstrates the ability to audit, monitor, access, and control data. It concerns IT government systems and infrastructure lifecycle management.
The exam is four hours long and features 200 multiple choice questions.
Jobs for CISA certified professionals include Internal Auditor, Public Accounts Auditor, Information Security Analyst, IT Audit Manager, and PCI Security Specialist.
CISSP is aimed at information security professionals with deep experience in senior level roles, with at least five years on the job.
It demonstrates the ability to design, implement, and manage a security program and is one of the most highly respected certifications in the field.
Jobs for a CISSP include Chief Information Security Officer, Security Systems Administrator, Information Assurance Analyst, and Senior IT Security Consultant.
Although the CISSP exam is challenging with 100-150 questions and a 3-hour time limit, the Beyond20 CISSP Bootcamp is a great way to prepare and give yourself the best possible chance of success.
The (ISC)² Certified Cloud Security Professional (CCSP) covers the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks.
The GIAC Security Expert qualification was developed by infosec industry leaders and experts. It focuses on the assessment of hands-on skills and practical knowledge, and candidates are expected to demonstrate advanced ability and knowledge of security functions.
Topics covered in the exam include incident handling skills, intrusion detection and analysis, and general security skills. The assessment is split into a 3-hour multiple choice exam and a 2-day hands-on lab.
It’s tough and highly respected, and candidates need a GSEC, GCIA, and GHIC certificate to even begin. However, the GSE qualifies you for some of the top jobs in information security.
The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.
The Security Certified Network Architect certification is the top qualification in the SCP program. It requires an SCNP certificate and focuses on the skills and technology required to build trusted networks.
Topics include legal issues, wireless security, biometrics, digital certificates and signatures, and PKI policy and architecture. The exam is 2 hours long.
The SCNA is relevant for leadership roles such as Security Administrator and Information Technology Manager.
Cisco Certified Network Professional Security (CCNP Security) certification program is aligned specifically for security in routers, switches, networking devices and appliances, as well as choosing, deploying, supporting and troubleshooting Firewalls, VPNS, and IDS/IPS solutions for their networking environments.
A GCIH, or Certified Incident Handler, is trained to manage security incidents. They do this through understanding the threats to an organization and having the skills necessary to defend against an attack.
The exam is 4 hours long with 100-150 questions, and requires 73% to pass. Jobs for GCIH professionals include Cybersecurity Analyst and SOC Analyst.
The CompTIA Advanced Security Practitioner (CASP+) certification is designed for technical professionals who wish to remain immersed in technology as opposed to strictly managing. It’s a hands-on, performance-based cert for practitioners (not managers necessarily) with advanced skill levels. Essentially, this certification equips practitioners with the skills necessary to figure out how to implement solutions within the policies and frameworks implemented by management.
The pass/fail CASP+ exam covers risk management, enterprise security operations and architecture, research and collaboration, and integration of enterprise security. The maximum of 90 performance-based / multiple choice questions must be completed within 165 minutes – and CompTIA recommends about 10 years of experience in IT administration, including at least five years of hands-on technical experience, prior to sitting for it.
Level 1 of the IAM category contains professionals with 0-5 years of experience. They’re expected to apply knowledge of IA policy, procedures, and structure to develop, implement, and maintain a secure computing environment.
Compared to the IAT group, this category is more focused on managerial and leadership skills, and the required qualifications reflect that.
According to the DoD 8570, these are some (but not all) of the functions that level 1 IAM personnel will be expected to perform:
IAM level 1 qualifications generally relate to junior-level management jobs in infosec, such as:
The GIAC Information Security Fundamentals certification requires candidates to demonstrate key concepts of information security, understand threats and risks, and be aware of how to defend against these.
Topics on the exam include application security, computer math, cryptography, and network attacks. It’s aimed at professionals who want to get familiar with information assurance. The exam is 2 hours long and contains 75 questions.
Jobs for GISF certified professionals include Information Security Officer, Managers, and System Administrators.
The GIAC Security Leadership certification focuses on leadership and management skills in information security. This includes managing security operation centers, managing application security, managing security policy, managing system security, and vulnerability management.
It’s a single 3-hour exam with 115 questions. A GSLC certification can be a route to a range of managerial and supervisory roles in information security.
(Covered in the previous section)
The (ISC)² Certified Authorization Professional (CAP) certification covers the advanced technical skills and knowledge needed to authorize and maintain information systems within the RMF using best practices, policies and procedures established by the cybersecurity experts at (ISC)².
HealthCare Information Security and Privacy Practitioner (HCISPP) certification by (ISC)² covers the core knowledge and experience needed to implement, manage, or assess the appropriate security and privacy controls of a healthcare organization.
Level 2 of the IAM category concerns professionals with at least 5 years of management experience. It focuses on knowledge of IA policy, procedures, and workforce structure to develop, implement, and maintain a secure network environment.
According to the DoD 8570, these are some (but not all) of the functions that level 2 IAM personnel will be expected to perform:
Level 2 IAM includes high-level management and leadership roles in information security.
Certified Information Security Manager (CISM) certification is aimed at those looking for leadership and management roles in the information security industry. Candidates should demonstrate how to build, design, and implement enterprise infosec programs.
The exam contains 150 multiple choice questions in a time limit of 4 hours. Candidates must have 5 years of experience in infosec, although this time can be lower if supplemented with other qualifications such as the CISSP. Learn more about CISM exam prep.
Jobs for CISM professionals include Senior Cybersecurity Manager, Senior IT Security Analyst, and Network Security Consultant.
(Covered in the above section)
(Covered in the above section)
(Covered in the section above)
(Covered in the section above)
(Covered in the previous section)
Bringing together all the components required for a C-Level positions, the CCISO program combines audit management, governance, IS controls, human capital management, strategic program development, and the financial expertise vital to leading a highly successful IS program.
Level 3 of IAM features professionals with at least 10 years of management experience. They’re expected to apply their knowledge of IA policy, procedures, and workforce structure to develop, implement, and maintain a secure enclave environment.
According to the DoD 8570, these are some (but not all) of the functions that level 3 IAM personnel will be expected to perform:
Level 3 IAM and the associated certifications apply to the highest-level management roles in information security.
(Covered in the previous section)
(Covered in the previous section)
(Covered in the previous section)
(Covered in the section above)
Level 1 of IASAE is typically entry-level. According to the DoD, professionals in this bracket are expected to apply knowledge of IA policy, procedures, and structure to design, develop, and implement CE system(s), system components, or system architectures.
According to the DoD 8570, these are some (but not all) of the functions that level 1 IASAE personnel will be expected to perform:
Jobs for level I IASAE professionals include entry level positions in roles like IT systems engineer, systems engineer, or data architect.
The Certified Secure Software Lifecycle Professional (CSSLP) certification recognizes leading application security skills. It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization and auditing throughout the SDLC using best practices, policies and procedures established by (ISC)².
Jobs for CSSLPs include software architect, software engineer, application security specialist, IT Director/Manager, and many other leadership-level cybersecurity positions.
The certification exam is focused on the 8 CSSLP domains and consists of 175 multiple choice questions to be completed within 4 hours. To sit for the exam, you must have 4 years of cumulative paid full-time software development lifecycle professional work experience in 1 or more of the 8 domains with a 4-year degree or equivalent in computer science, IT, or related fields.
Level II of the IASAE concerns those with at least 5 years of IASAE experience. Their duties include the design, development, implementation, and/or integration of a DoD IA architecture, system, or system component for use within the network environment.
According to the DoD 8570, these are some (but not all) of the functions that level II IASAE personnel will be expected to perform:
Jobs for level II IASAE professionals include Data architect, cybersecurity engineer, cybersecurity architect, and information system security engineer (ISSE).
Level III of the IASAE focuses on professionals with at least 10 years of IASAE experience. According to the DoD 8570, they are responsible for the design, development, implementation, and/or integration of a DoD IA architecture, system, or system component for use within CE, NE, and enclave environments. They ensure that the architecture and design of DoD IS are functional and secure. This may include designs for program of record systems and special purpose environments with platform IT interconnectivity.
According to the DoD 8570, these are some (but not all) of the functions that level III IASAE personnel will be expected to perform:
IASAE level III applies to the highest level jobs in the field. These include positions like senior systems engineer, information assurance systems engineer, chief technology officer, and system and network designer.
The CISSP-ISSAP is a qualification aimed at chief security architects and analysts. The certification demonstrates your ability to develop, design and analyzing security solutions, It also covers advising and providing security guidance to help the organization.
The exam can be up to 3 hours long and contains 125 multiple-choice questions. Candidates need a score of at least 700/1000 to secure a pass.
Jobs for CISSP-ISSAP certified professionals include System architect, chief technology officer, and system and network designer, among others.
The CISSP-ISSEP qualification is aimed at security engineering professionals. It demonstrates the candidate’s ability to incorporate security into every level of the business and a range of different operations.
The exam is up to 3 hours long with 150 multiple-choice questions. To pass, you’ll need a score of at least 700/1000.
The CISSP-ISSAP certification is geared towards jobs like Senior systems engineer, information assurance systems engineer, information assurance officer, and information assurance analyst.
(Covered in the IAT III section above)
The CSSP Analyst is usually expected to have around 2 years of experience. Responsibilities revolve around using data from a range of sources and tools to analyze events within the environment.
According to the DoD 8570, these are some (but not all) of the functions that CSSP Analyst personnel will be expected to perform:
The Certified Ethical Hacker certification is essentially aimed at teaching hacking skills to the ‘good guys’. A CEH uses the same skills and expertise as a hacker to identify vulnerabilities and help protect organizations.
The exam is 4 hours long and consists of 125 multiple-choice questions. Jobs for CEH professionals include Security Operations Analyst, Cyber Threat Analyst, and CSOC Analyst.
A certified GCIA Certified Intrusions Analyst will be qualified to configure and monitor intrusion detection systems. They’ll have the skills and experience to analyze and interpret network files and log traffic.
The exam has a time limit of 4 hours, with 100-150 questions and a passing score of 67%. Jobs for GCIA professionals include IT Security Analyst and Associate Engineer.
Global Industrial Cyber Security Professionals are expected to secure Industrial Control Systems, by combining knowledge of IT, cybersecurity, and engineering.
The exam is made up of 115 questions with a time limit of 3 hours and a required passing score of 71%. Jobs include Industrial Security Specialist, Industrial Security Engineer, and Industrial Cybersecurity Expert.
The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.
The CyberSec First Responder cybersecurity certification program prepares security professionals to become the first responders who defend against cyber attacks by teaching students to analyze threats, design secure computing and network environments, proactively defend networks, and respond/investigate cyber security incidents.
The CSSP Infrastructure Support level requires at least four years’ experience supporting CSSP and/or network systems and technology. Duties are based around handling the infrastructure systems required to manage the network and resources.
According to the DoD 8570, these are some (but not all) of the functions that CSSP Infrastructure Support personnel will be expected to perform:
The purpose of the CHFI credential is to validate the candidate’s skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute in the court of law. The tools and techniques covered in EC-Council’s CHFI program will prepare the student to conduct computer investigations using the latest digital forensics technologies.
CSSP Incident Responders are expected to have five years of experience in CSSP technology or a similar field. Their role involves investigating and analyzing response activities related to cyber incidents.
According to the DoD 8570, these are some (but not all) of the functions that CSSP Incident Responder personnel will be expected to perform:
The GCFA focuses on the skills required to collect and analyze data from Windows and Linux systems. Professionals will be able to investigate and handle a range of security incidents.
The exam contains 115 questions with a time limit of 3 hours and a passing score of 71%. Jobs for GCFA professionals include Security Analyst and Incident Response Analyst.
CSSP Auditors generally have two years’ experience in CSSP or a related field. Their job involves assessing different systems and networks and identifying where they deviate from what’s acceptable.
According to the DoD 8570, these are some (but not all) of the functions that CSSP Auditor personnel will be expected to perform:
The Certified Information Systems Auditor is qualified in areas related to audit control, assurance and security. It’s designed to prepare candidates to audit and control within organizations and assess vulnerabilities.
The exam is 4 hours long with 150 multiple choice questions. Jobs for CISA certified professionals include Director of Internal Auditing, Director of Cybersecurity, and Security Analyst.
GIAC Systems and Network Auditors are certified to audit information systems and conduct risk analysis.
The exam has a time limit of 3 hours with 115 questions and a passing score of 73%. Jobs for GSNA certified professionals include Cybersecurity Analyst and Defense Assessment Analyst.
CSSP Managers typically have at least four years of experience in CSSP or a related field. Their job involves overseeing CISSP operations within the organization and helping with risk assessments and management.
According to the DoD 8570, these are some (but not all) of the functions that CSSP Manager personnel will be expected to perform:
The CISSP-ISSMP certification demonstrates leadership skills and the ability to establish and manage information security programs.
The exam is up to 3 hours long with 125 multiple choice questions. Candidates need 700/1000 to pass. Jobs for CISSP-ISSMP professionals include high level management roles like Chief Security Officer.
If you’re going to be working with specific software or operating systems, the DoD 8570 also requires some further qualifications. These are:
Becoming DoD 8570 compliant is an important step if you’re working with the DoD or planning to do so. The good news is there are plenty of routes you can take and a lot of support out there, regardless of your current level. And in a time with new technological opportunities such as AIOps, Blockchain, and increased accessibility to remote work, there are also greater security concerns everywhere you look – such as sophisticated ransomware, social engineering attacks, and bad passwords. Becoming DOD 8570 compliant ensures that you’re up to speed on what the Department of Defense considers to be absolutely critical information security today.