top of page



(DoDD 8140.01 & DoD 8570.01-m)

Screen Shot 2019-10-04 at 7.13.42 AM.png

The DoD Directive on Cyberspace Workforce Management purpose is to unify the overall cyberspace workforce and establishes specific workforce elements(cyberspace effects, cyber security, and cyberspace information technology (IT)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements. This directive does not address operational employment of the work roles.

Operational employment of the cyberspace workforce will be determined by the Joint Staff, Combatant Commands, another DoD Components to address mission requirements.The policy is that, The DoD maintains a total force management perspective to provide qualified cyberspace government civilian and military personnel to identified and authorized positions, augmented where appropriate by contracted services support. These personnel function as an integrated workforce with complementary skill sets to provide an agile, flexible response to DoD requirements.  {(1c,3a) DoD Directive 8140.01, “Cyberspace Workforce Management (DoD CIO),” July31, 2017}



IA certification programs are intended to produce IA personnel with a baseline understanding of the fundamental IA principles and practices related to the functions of their assigned position. Each category, specialty, and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training and experiential activities such as on-the-job training and continuing education(DoD Directive 8570.01-M, December 19, 2005).

In addition to the IA baseline certification requirement for their level, IATs with privileged access must obtain appropriate Computing Environment (CE) certifications for the operating system(s) and/or security related tools/devices they support as required by their employing organization.


If supporting multiple tools and devices, an IAT should obtain CE certifications for all the tools and devices they are supporting. At a minimum the IAT should obtain a certification for the tool or device he or she spends the most time supporting. For example, if an IAT is spending most of his or her time supporting security functions (DoD Directive 8570.01-M, December 19, 2005).

The above table provides a list of DoD approved IA baseline certifications aligned to each category and level of the IA Workforce. Personnel performing IA functions must obtain one of the certifications required for their position, category/specialty and level to fulfill the IA baseline certification requirement.

Most IA levels within a category or specialty have more than one approved certification and a certification may apply to more than one level.Higher level IAT and IAM certifications satisfy lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell.


  • Who has to pay for Certifications?
    For DoD military and civilian Cyberspace/IA Workforce members, the DoD Component must budget for and pay for an individual’s required certification. The Component must also ensure appropriate training is provided for the position and preparation for the certification exam.
  • Who needs to be certified?
    Information Assurance Technical (IAT) and IA Management (IAM) personnel must be fully trained and certified to baseline requirements to perform their Cyberspace/IA duties. The policy defines IAT workforce members as anyone with privileged information system access performing Cyberspace/IA functions. IAM personnel perform management functions for DoD operational systems described in the Manual.
  • What are the contractor certification implementation requirements?
    Contractors performing Cyberspace/IA functions on a DoD system must meet the certification requirements established in the DoD 8570.1-M for the category and level functions they are performing. Like the Military and Civilian Cyberspace/IA workforce, contractors have four years to meet the requirements of the 8570.1-M. The requirement is for 10% to be certified in the first year and 30% each year after that. The contracting officer will ensure that contracting personnel are appropriately certified. In the future they will need to provide verification to the Defense Eligibility Enrollment System (DEERS). Components should not pay for contractors to obtain/retain required certifications. However, Components may provide additional training on local or DoD specific system procedures. (See question below for additional guidance on contractor implementation requirements.)
  • What will qualify for continuous learning?
    The minimum continuous learning requirement for certifications included under DoD 8570.1M is typically 40 hours annually or 120 hours over a three-year period. Certification providers determine the specific training and other activities that qualify for continuous learning credit. However, DOD CIO is working with certification providers to identify proposed activities that would qualify for credit.
  • What do you mean by Computing Environment, Network Environment or Enclave?"
    Understanding these terms are essential to properly identifying your Cyberspace/IA Workforce. These terms are based on basic system architecture not on base, station, or command structure. The DoD Appendix 1of the 8570.01-M contains definitions for each of these environments. They key to the architecture is the location within the GIG and the purpose of the server the IAT or IAM supports. Enclave - The enclave consists of at least 2 networks controlled by the enclave security policy and procedures. Networks - In this case we have the three networks Operations Network, Logistics Network and Human Resources network connecting to a Component Enclave. Each network consists of at least 1 Computing Environment. Computing Environment - A CE has a server with multiple stations working from it. The stations can be standard computers, remote sensors, satellite feeds, etc.


bottom of page