How DOD's cybersecurity certification program for personnel works

Directive 8570 requires all personnel be qualified for their job

Defense Department Directive 8570 requires military, civilian and contract personnel who handle information assurance for department systems to have certifications appropriate for the job they perform. DOD published a manual describing various job categories, including technical and management positions, and the different certifications that meet the training requirement. DOD foots the bill for any training and certification required for its employees.

Here are examples of some job types and commercial certifications approved by DOD. Cost information does not always reflect government volume discounts.

Job category: Information Assurance Technical Level I (there are three IAT levels)
Example certification: A+
Provider: CompTIA
Training time and cost: One provider offers a five-day course for $1,800. Exam costs $132 for CompTIA members and $168 for nonmembers. No minimum work experience or education is required, but six months of job experience is recommended.

Job category: Information Assurance Management Level III (there are three IAM levels)
Example certification: GIAC Security Leadership Certification
Provider: Global Information Assurance Certification, affiliated with SANS Institute
Training time and cost: The SANS Institute offers an annual nine-day training conference for $5,250. The exam costs $899, or $499 if you take the SANS seminar. You must renew certification every four years for $325. No work experience or education is required to take the test.

Job category: Incident Responder
Example certification: CERT-Certified Computer Security Incident Handler
Provider: Carnegie Mellon Software Engineering Institute
Training time and cost: The Software Engineering Institute and its licensees offer a three-course training sequence. Each course lasts five days. Course costs vary. Exam is $200. You must have at least three years of experience in incident handling in a technical and/or management role within seven years of submission of your application.

Job category: Computer Network Defense Auditor
Example certification: Certified Information Systems Auditor
Provider: Information Systems Audit and Control Association
Training time and cost: One local ISACA chapter offers a training course of 2.5-hour weekly sessions for 14 weeks. The course cost is $300 for members and $325 for nonmembers, plus course and study materials. Other organizations also offer courses. The exam costs $400 for DOD employees. You must have five years of work experience in the fields of information systems auditing, control, assurance or security within 10 years of applying.

Job category: Information Assurance System Architect and Engineer Specialty I (there are three IASAE levels)
Example certification: Certified Information Systems Security Professional
Provider: (ISC)2
Training time and cost: (ISC)2 offers a five-day seminar for $2,695. Exam is $449. Five cumulative years of relevant experience are required.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected