top of page

What Is DoD 8570.01-m? Cybersecurity Certifications and Requirements

Today’s world is fast moving, connected, and highly-contested. In the face of cyberspace warfare by the most capable adversaries, the Department of Defense must ensure dependable mission execution. To offensively and defensively defend our network, our information systems, and our data in order to protect a wide range of critical services, we must have a knowledgeable and skilled DoD Cyberspace Workforce that can adapt to the dynamic cyber environment and adjust resources to meet mission requirements.

DoD 8570.01-m Defined

DoD’s cybersecurity workforce, the manual, DoD 8570.01-m, explains how to accomplish it. It provides guidance and procedures for the training, certification and management of the DoD workforce that conducts cybersecurity functions in assigned duty positions. It also provides information and guidance on reporting metrics and the implementation schedule.

6 Main Goals of DoD 8570.01-m

The manual outlines six goals for accomplishing the directive:

​

  1. Develop the DoD cybersecurity workforce to enhance protection and availability of DoD information, information systems and networks

  2. Establish baseline technical and management skills for cybersecurity functions across the enterprise

  3. Provide war fighters with qualified cybersecurity personnel

  4. Implement a formal cybersecurity workforce skills development and sustainment process

  5. Verify cybersecurity workforce knowledge and skills through standard IT certification testing

  6. Augment and enhance knowledge and skills on a continuous basis through experience and formal education

4 Job Categories of DoD 8570.01-m

The manual organizes job roles into four categories:

 

  1. Information Assurance Technical (IAT) – technical positions, such as security administrators

  2. Information Assurance Management (IAM) – management positions, such as security managers

  3. Information Assurance Security Architecture and Engineering (IASAE) – higher-level positions, such as security engineers and security architects

  4. Cyber Security Service Provider (CSSP) – this category includes the specific job roles of cybersecurity analyst, infrastructure support, incident responder, management and auditing

3 Skill Levels of DoD 8570.01-m

The IAT, IAM and IASAE categories have three skill levels: I, II and III. The CSSP categories do not include skill levels because the positions are very specific. The skill levels vary by job category, but generally increase from beginner to intermediate to advanced.

 

A DoD 8570.01-m chart of approved certifications is below, but let’s look at the IAT category as an example to better illustrate how the job categories and skill levels come into play:

 

  • Level 1: Computing Environment: At this level, DoD 8570.01-m requires an IT certification such as CompTIA A+ because it focuses on help desk support for the computing environment.

  • Level 2: Network and Advanced Computer: DoD 8570.01-m level 2 jobs require an IT certification such as CompTIA Security+ because it focuses on securing networks.

  • Level 3: Enclave/Advanced Network and Computer: Level 3 job within DoD 8570.01-m require IT certifications such as CompTIA Advanced Security Practitioner (CASP+) because it covers advanced networking skills.

What Are the DoD 8570.01-m-Approved Certifications?

At the time of this writing, DoD Directive 8140 continues to use 8570.01-m to identify the requirements. DoD 8570.01-m is still in use and actively managed by the DoD. A DoD 8140 manual is expected to be released in the next year.

 

According to the manual, “the 8570.01-m certification programs are intended to produce cybersecurity personnel with a baseline understanding of the fundamental cybersecurity principles and practices related to the functions of their assigned position. Each category, specialty and skill level has specific certification requirements that must be provided by the Department of Defense to government employees (military or civilian).”

​

DoD 8570 / 8140 Approved Baseline Certifications
IAT Level I
IAT Level II
IAT Level II
A+ CE
SSCP
CCSP
CCNA-Security
CND
GCIH
CND
Security+ CE
GCED
Network+ CE
GSEC
CISSP (or Associate)
SSCP
GICSP
CISA
CySA+ **
CCNP Security
CCNA-Security
CASP+ CE
IAM Level I
IAM Level II
IAM Level III
CAP
HCISPP
CISM
CND
CASP+ CE
CISSP (or Associate)
Cloud+
CISM
GSLC
GSLC
CISSP (or Associate)
CCISO
Security+ CE
GSLC
HCISPP
CCISO
CAP
IASAE I
IASAE II
IASAE III
CISSP (or Associate)
CISSP (or Associate)
CISSP-ISSEP
CSSLP
CSSLP
CCSP
CASP+ CE
CASP+ CE
CISSP-ISSAP
CSSP Analyst
CSSP Infrastructure Support
CSSP Incident Responder
CSSP Auditor
CSSP Manager
CEH
CEH
CEH
CEH
CISM
CFR
CySA+
CFR
CySA+
CISSP-ISSMP
CCNA Cyber Ops
GICSP
CCNA Cyber Ops
CISA
CCISO
CCNA-Security
SSCP
CCNA-Security
GSNA
CySA+
CHFI
CHFI
CFR
GCIA
CFR
CySA+
PenTest
GCIH
Cloud+
GCFA
GICSP
CND
GCIH
Cloud+
SCYBER
SCYBER
PenTest+
PenTest+

The above table provides a list of DoD approved IA baseline certifications aligned to each category and level of the IA Workforce. Personnel performing IA functions must obtain one of the certifications required for their position, category/specialty and level to fulfill the IA baseline certification requirement. Most IA levels within a category or specialty have more than one approved certification and a certification may apply to more than one level.

An individual needs to obtain only one of the “approved certifications”; for his or her IA category or specialty and level to meet the minimum requirement. For example, an individual in an IAT Level II position could obtain any one of the four certifications listed in the IAT Level II cell.

 

Higher level IAT and IAM certifications satisfy lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell. For example:

  • The A+ or Network+ certification qualify only for Technical Level I and cannot be used for Technical Level II positions.

  • The System Security Certified Practitioner (SSCP) certification qualifies for both Technical Level I and Technical Level II. If the individual holding this certification moved from an IAT Level I to an IAT Level II position, he or she would not have to take a new certification.

 

Higher level CCSP and IASAE certifications do not satisfy lower level requirements

bottom of page