DoD 8570 and 8140 Cybersecurity Training for NSS

DoD Directive 8570 and its successor framework DoD 8140 establish the baseline certification and training requirements for all personnel performing information assurance and cyberspace workforce functions on Department of Defense information systems, including National Security Systems (NSS). These frameworks define which commercial certifications qualify individuals for specific roles, how workforce categories are structured, and which positions require documented compliance before access is granted. For organizations operating within or contracting to the NSS environment, understanding the structure of these frameworks is foundational to staffing, contract compliance, and system authorization.

Definition and scope

DoD Instruction 8570.01-M, published by the Office of the Under Secretary of Defense for Intelligence, established the first comprehensive mandate requiring that all personnel with privileged access to DoD information systems hold approved baseline certifications. The scope covers military, civilian, and contractor personnel performing information assurance technical (IAT), information assurance management (IAM), and computer network defense service provider (CND-SP) functions.

DoD 8140 — formalized through DoD Instruction 8140.01 — supersedes 8570 and introduces the Cyberspace Workforce Framework, which aligns with the NICE Cybersecurity Workforce Framework (NIST SP 800-181) published by the National Institute of Standards and Technology. Where 8570 organized roles into discrete IAT/IAM tiers, 8140 maps workforce positions to work roles defined by knowledge, skills, and abilities (KSAs) — a more granular and extensible structure.

For NSS specifically, these directives apply to systems meeting the definition under Committee on National Security Systems (CNSS) Instruction 4009, which covers systems that process classified information or are otherwise critical to national security. The intersection of 8140 compliance requirements and NSS authorization processes means that workforce certification status directly affects system Authority to Operate (ATO) determinations. Listings of qualified providers in this space are catalogued through the Security Systems Listings maintained on this reference network.

How it works

Compliance with DoD 8570/8140 is enforced through a structured qualification process applied at the position level, not the individual level in isolation. The following breakdown describes the operational sequence:

  1. Position categorization — Each cyberspace workforce billet is coded to a specific work role under the 8140 framework. For 8570-legacy positions, the IAT Level I, II, or III or IAM Level I, II, or III designation is assigned based on the access, responsibility, and technical scope of the role.
  2. Baseline certification identification — The DoD Approved Baseline Certifications list maintained by the Defense Cybersecurity Workforce Improvement Program (CWIP) at DISA identifies which commercial certifications satisfy each role category. For example, CompTIA Security+ (CE) satisfies IAT Level II and IAM Level I baseline requirements under 8570.
  3. Certification verification — Personnel must hold a current, active certification from an approved vendor. Expired certifications are not considered compliant; continuing education (CE) requirements set by issuing bodies must be maintained.
  4. Computing environment (CE) qualification — Beyond the baseline certification, personnel in technical roles must hold a CE qualification demonstrating proficiency with the specific operating system or platform used in the assigned environment.
  5. Documentation and tracking — Organizations submit workforce compliance data through the DISA Cyber Workforce Management tool, and non-compliance findings are reportable against a unit's or contractor's cybersecurity posture.

Under 8140, this process is augmented by the requirement to develop position descriptions using NICE work role codes, which then map to approved qualification pathways. The transition from 8570 to full 8140 implementation is governed by a phased timeline established in component-level implementation guidance issued by each DoD component.

Common scenarios

Three operational scenarios illustrate how 8570/8140 requirements surface in practice within NSS environments:

Contractor onboarding for classified networks — A defense contractor providing cybersecurity support on a classified NSS must demonstrate that all personnel with privileged access hold current baseline certifications before those personnel are granted system access. Contracting Officers verify compliance at the task order level, and non-compliant personnel may be removed from performance pending certification.

System authorization (ATO) reviews — During an Assessment and Authorization (A&A) package review conducted under the Risk Management Framework (NIST SP 800-37), authorizing officials examine whether system administrators and security control assessors hold the certifications required for their roles. A workforce compliance gap can trigger a Plan of Action and Milestones (POA&M) item.

Role reclassification under 8140 — An organization transitioning from 8570-coded billets to 8140 work roles may find that a position previously categorized as IAT Level II maps to a NICE work role — such as Systems Administrator (work role code OPS-ADM-001) — that carries a different or expanded certification requirement. This reclassification process requires coordination between HR, the ISSM, and the authorizing official.

The Security Systems Directory Purpose and Scope page provides additional context on how these workforce qualification frameworks intersect with the broader NSS service provider landscape.

Decision boundaries

The distinction between 8570 and 8140 applicability is not always a simple temporal one. DoD components were directed to begin transitioning to 8140 constructs but may maintain 8570 coding for legacy positions during the transition period. Key decision points include:

Personnel and organizations seeking to locate providers credentialed for NSS-adjacent cybersecurity roles can reference the How to Use This Security Systems Resource page for navigation guidance across this reference network.
