DoD Instruction 8140

DoD Instruction 8140

On August 11, 2015 representatives of the U.S. Department of Defense (DoD) signed the 8140 DoD directive. 8140 replaces the 8570 directive, which directed all DoD personnel and their contractors to be certified in their respective fields. Even though the new 8140 directive is now in force and supersedes 8570, there is no actual 8140 manual therefore, the DoD will use the 8570.01-M manual.

What is the 8140 directive?

8140 is more flexible and inclusive. Unlike, 8570, 8140 has the ability to include the National Initiative for Cybersecurity Education (NICE) and other approaches. The NICE framework was created independent of the 8570 initiative. NICE identifies critical knowledge, skills and abilities for critical job roles. It also emphasizes hands-on experience and training.

What will happen in the future?

In the long run, the government and industry alike will continue to emphasize performance-oriented and outcome-based education. 8140 is a powerful example of this particular trend. Governments and industry across the globe remain interested in making sure that people learn by experience through approaches such as:

Live fire labs and exercises: Exercises on virtualized networks that allow individuals to gain hands-on experience using the latest equipment and best practices. Hiring managers are interested in hiring people who have gained wisdom from this type of experience.

Apprenticeships: In apprenticeships, workers are educated right on the job.

In conclusion, for the foreseeable future, things will continue on as they have for the past several years: All affected organizations and their contractors still need to comply with the 8570.01-M manual and get certified.

About the DoD 8570.01-M

DoD 8570.01-M (Manual), the DoD Information Assurance Workforce Improvement Program ( IA Training ) provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance functions in assigned duty positions. Categories are IA Technical (IAT) and IA Management (IAM). Specialties are Computer Network Defense Service Providers (CND-SPs) and IA System Architects and Engineers (IASAEs). These categories and specialties are subdivided into levels each based on functional skill requirements and/or system environment focus. The certifications are now mandatory.The minimum functional certifications for the different job levels are shown below.

DoD Approved Baseline Certifications
  1. How can HyperLearning Technologies get you there?

    Let HyperLearning Technologies create a DoD 8570.01 M compliant training program for you, which will meet these Dod Information Assurance Certification Requirements at the lowest price per certification. (Before you consider other offers, ask yourself - "but will it result in the required certifications?") Our Information Assurance Support Environment (IASE) programs provide a one-stop-shop for Contractor Off the shelf ( COTS ) IA compliance training and IAT certifications.

    We provide training for all of the military, commercial, and municipalities within the Southeastern Virginia Military complex surrounding Hampton Roads and Tidewater Virginia - including US Navy, US Army, US Air Force components at NOB / Naval Station Norfolk, NAS Oceana, NAB Little Creek, Fleet Combat Training Dam Neck, Ft Story, USAFB Langley, Ft Monroe, Fort Eustis, Naval Weapons Station ( NWS ) Yorktown, Joint Forces training center Portsmouth VA, and these supporting contractors.

    Enlist Hyperlearning Technologies to be your one-stop-training service provider for 8570 training compliance. Give our Training consultant, Kathleen Morelli, a call at (757) 495-0714. Kathleen has many years of experience in managing computer training needs for DoD components and military-industrial-complex contractor companies.

  2. About the DoD 8570.01-M DoD Information Assurance Workforce Improvement Program timeline

    This Document, which was actually mandated as a requirement on ALL DoD components on Dec 19, 2005, is just coming into focus, because the DoD 8570.01 M included a phased plan, which include mostly planning and budgeting for the first year (FY 2006). FY 2007 actually requires 1/3 of the on-board personnel to be certified, and ALL NEW HIREs to be certified by the end of FY 2007. [FY 2007 ends 31 OCT 2007.] The phase-in plan mandated in DoD 8570.1 M training is:

    Year One (FY-06): Identify IA workforce positions, fill 10 percent of the IA positions with certified personnel. Develop budget to support follow-on implementation years two - four.

    Year Two: Fill a total of 40 percent of the IA positions with certified personnel.

    Year Three: Fill a total of 70 percent of the IA positions with certified personnel.

    Year Four: All IA positions are held by trained and CERTIFIED personnel.

    Thereafter, all incumbents and new hires must be trained, certified, and recertified in accordance with the DoD 8570.1-M Manual. Individuals performing IA functions and who are DoD employees or contractors on the effective date of this Manual [ DoD Instruction 8570.01-M ] have up to four years to comply with the certification requirements. New hires’ qualification periods begin the date they start in the position (i.e., they must obtain the appropriate certification within six months of being assigned to IA functions). Waivers will not extend beyond six months and must include an expiration date. New contract language must specify 8570.1M certification requirements. Existing contracts must be modified.

  3. Features of DoD 8570.1 M

    It identifies and categorizes positions and certification of personnel conducting Information Assurance (IA) functions within the DoD workforce supporting the DoD Global Information Grid (GIG) per DoD Instruction 8500.2. The DoD IA Workforce includes all individuals performing any of the IA functions. The abbreviation for Security, INFOSEC, established in this Manual, supports civilian IA workforce identification and management requirements across the Department of Defense (DoD).

    It implements formal IA workforce skill development and sustainment, comprised of instructor-led resident courses, distributive training, blended training, supervised on-the-job training, exercises. Certification and recertification are no longer "nice-to-have." Certification is REQUIRED, even if you have the skills.

    If you are a contractor - or work for a contractor - or expect to work for a contractor, it specifies contractor certification and training requirements in all contracts that include acquisition, repair, maintenance, or day-to-day support of IA services.

    DoD 8570.01 M outlines requirements for an initial IA orientation and annual awareness training to all authorized users to ensure they know, understand, and can apply the IA requirements of their system(s).

    It requires all DoD and Contractors to specify contractor certification and training requirements in all contracts that include IA services.

    It ensures that all IA personnel performing IA functions obtain and maintain a certification corresponding to the highest level function(s) required by their position.

    It identifies two overall categories within the IA workforce: Technical and Management. These categories are subdivided into three levels each based on functional skill requirements and system environment focus. The levels and functional requirements in both the technical and the management categories apply to all civilian, military, and contractor personnel.

    DoD 8570.01 M specifies that "Contractor personnel supporting IA functions shall be appropriately certified prior to being engaged. The contracting officer will ensure that contracting personnel are appropriately certified." New hire civilians and contractor personnel must agree as a "condition of employment" that they will obtain the appropriate certification for the position to be filled.

    In addition to the baseline IA certification requirement for their level, Information Assurance Technicians (IATs) with privileged access MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support. (e.g. appropriate level of Microsoft certifications for Microsoft systems support technicians, vendor-specific Linux or Linux+ certifications for Linux-based systems technicians, Cisco certifications for Cisco equipment technicians, etc.) The Microsoft CE certifications could include MCP in Windows XP, MCTS in Windows 7, MCITP Server Administrator or Enterprise depending upon the systems support and systems support levels.

    Overview of Basic IA Workforce Structure.

    Completion of training, certification, and continuing education required to maintain certification status is normally "20 to 40 hours annually, or 120 hours over three years." [Footnote: none of the minimum functional certifications specified in DoD 8570.01-M can be completed in less than 40 hours. Technical CE certifications, such as Microsoft job-related certifications, also specified, often require 160 to well over 200 hours.]

  4. DoD Inst 8570.01-M:

    Information Assurance (IA) certification programs are intended to produce IA personnel with the demonstrated ability to perform the functions of their assigned position. Each category and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training, experiential activities such as on-the-job training, and continuing education.

    This applies to all positions with Information Assurance (IA) duties, whether performed as primary or additional embedded duties. This requirement applies to military and civilian positions including those staffed by contractors.

    Personnel performing IA functions described in the Manual must satisfy both the preparatory and sustaining DoD IA training and certification requirements. These certification requirements apply to DoD civilian employees, military personnel, and support contractors performing the IA functions.

    Participation in initial training (instructor-led classroom, distributive, or blended) before, or immediately on, assignment of IA responsibilities, must be sufficient to meet minimum certification standards, which includes obtaining the certification(s) specified from the designated certifying agency (e.g. A+, Network+, Security+; from CompTIA: MCITP, MCSA, MCSE etc from Microsoft). Certification holders must ensure that their certificates stay active. Expired certifications must be renewed.

  5. Detailed Requirements of DoD 8570.01-M

    IA Technical Workforce Requirements

    Levels of Information Assurance (IA) privileges, and required certifications in DoD Inst 8570.01-M:

      IAT Level I

      IAT Level I applies basic knowledge of IA concepts, practices and procedures utilizing established policies and procedures. Personnel performing these functions, regardless of their occupational title (e.g., system administrator, help desk technician, information system technician, etc,) shall be identified as part of the IA workforce and must comply with these requirements.

      IAT Level I personnel are responsible for the implementation and operation of a DoD IS or system component within their CE. Incumbents ensure that IA related IS are functional and secure within the CE by correcting issues with hardware and software and implementing established IA procedures and controls.

      IAM Level II

      IAT Level II personnel provide network environment (NE) and advanced level Computing Environment (CE) support. They pay special attention to intrusion detection, finding and fixing unprotected vulnerabilities, and ensuring that remote access points are secure. The focus is on threats, vulnerabilities and the security of systems.

      IAM Level II personnel are responsible for the IA program of an Information System (IS) within the Network Environment (NE). Incumbents in these positions perform a variety of security related tasks, including the development and implementation of system information security standards and procedures. They ensure that the IS are functional and secure within the NE. They provide advanced CE support and configure, test and secure Network Infrastructure components.

      IAM Level III

      IAT Level III personnel focus on the enclave environment and support, monitor, test, and troubleshoot hardware and software IA problems pertaining to the CE, NE, and enclave environments. [An enclave is any secured, self-contained computational system within a system of local area networks.]

      IAM Level III personnel are responsible for ensuring that all enclave IS are functional and secure. They determine the enclaves’ long term IA systems needs and acquisition requirements to accomplish operational objectives. They also develop and implement information security standards and procedures.

  6. DoD 8570.01 M: General Requirements - User Awareness

    This requirement, specified in Chapter 6, paragraph C6.3 mandates a minimum level of awareness for all Information Assurance (IA) users. It is anticipated that this requirement will be fulfilled by the organization using seminars, handouts, online, and CBT courses. HyperLearning Technologies offers a 2-day training program which covers the identified requirements for user level security awareness.

    User orientation and awareness programs will address:

    The importance of IA to the organization and to the authorized user.

    Relevant laws, policies, and procedures, and how they affect the authorized user (e.g., copyright, ethics, standards of conduct).

    Examples of external threats such as script kiddies, crackers, hackers, protesters, or agents in the employ of terrorist groups or foreign countries.

    Examples of internal threats such as malicious or incompetent authorized users, users in the employ of terrorist groups or foreign countries, disgruntled employees or service members, hackers, crackers, and self-inflicted intentional or unintentional damage.

    The potential elevated sensitivity level of aggregated unclassified information.

    Authorized user risk from social engineering.

    Common methods to protect critical system information and procedures.

    Principles of shared risk in networked systems (i.e., how a risk assumed by one person is imposed on the entire network) and changes in the physical environment (e.g. water, fire, dust/dirt).

    Risks associated with remote access (e.g., telecommuting, during deployment, or on temporary duty).

    Legal requirements regarding privacy issues, such as email status (DoD Directive 2500 and the need to protect systems containing payroll, medical and personnel records.

    Knowledge of malicious codes (e.g., logic bomb, Trojan horse, malicious mobile code, viruses, and worms) including how they attack, how they damage an IS, how they may be introduced inadvertently or intentionally, and how users can mitigate their impact.

    The impact of distributed denial of service attacks and what users can do to mitigate them.

    How to prevent self-inflicted damage to system information security through disciplined application of IA procedures such as proper log on, use of passwords, preventing spillage of classified information, e-mail security, etc.

    Embedded software and hardware vulnerabilities, how the Department of Defense corrects them (e.g., IAVA process), and the impact on the authorized user.

    Prohibited or unauthorized activity on DoD systems (e.g., peer-to-peer file sharing, gambling, personal use and gain issues).

    Requirements and procedures for reporting spillages, unauthorized or suspicious activity, and local IA office point of contact information.

    Categories of information classification and differences between handling information on the Non-Classified Internet Protocol Router Network (NIPRNet) or the SECRET Internet Protocol Router Network (SIPRNet).

    Software issues including license restrictions on DoD systems, encryption, and media sanitation requirements and procedures.

    Definition of Information Operations Condition (INFOCON) and its impact on authorized users.

    Sources of additional information and training.

  7. Current DoD 8570.01 M Information

    The most current DoD directive 8570.01-M Information Assurance Workforce Improvement Program Incorporating Change 3, January 24, 2012 can be read or downloaded online.

    If you have anything to do with SIPRNET, NIPRNET, or any DoD computer system or network, which hosts DoD Personnel or Medical records, you are probably REQUIRED to comply with this mandate. This is a DoD wide mandate, so it includes all .mil network components; US Army ( USA ), Defense Information Systems Agency ( DISA ), National Security Agency ( NSA ), Office of the Secretary of Defense ( OSD ) / ( OUSD ), US Navy ( USN ), Navy Individual Augmentee Combat Training ( NIACT ), US Coast Guard ( USCG ), US Air Force ( USAF ), National Guard, and most of the DoD "alphabet soup" of acronyms.

    Compliance can ONLY be met by computer training and accredited computer CERTIFICATIONS. A+ and N+ are required for most DoD IT trusted positions, and S+ is required for mid-level trusted DoD positions.

  8. Acronym List from DoD Inst 8570.01-M

    AIS - Automated Information System
    ASD(NII) - Assistant Secretary of Defense for Networks and Information Integration
    CBT - Computer Based Training
    CE - Computing Environment
    CMIS - Corporate Management Information System
    COTR - Contracting Officer’s Technical Rep.
    DCPDS - Defense Civilian Personnel Data System
    DEERS - Defense Eligibility Enrollment Reporting System
    DIMHRS - Defense Integrated Military Human Resources System
    DAA - Designated Approving Authority
    DISA - Defense Information Systems Agency
    DMDC - Defense Manpower Data Center
    e-JMAPS - e-Joint Manpower and Personnel System
    Enclave Environment - A contained computing environment
    FISMA - Federal Information Security Management Act
    FN - Foreign National
    GIG - DoD Global Information Grid
    IA - Information Assurance
    IAM - Information Assurance Manager

  9. Back to Top of Page