What is Department of Defense (DoD) Directive 8570.1?

DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, establishes policy and assigns responsibilities for Department of Defense (DoD) information assurance (IA) training, certification, and workforce management.

DoD Directive 8570.1 was approved in December 2005 and requires DoD IA workers to obtain a commercial certification accredited under ISO/IEC standard 17024. ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications, accredited by the American National Standards Institute (ANSI), are among only 13 certifications approved by the DoD.

To whom does this directive apply?

All DoD IA personnel as well as any DoD contractor with employees who are categorized as IA employees are required to comply with this directive.

The directive applies to:

  • The Office of the Secretary of Defense, the military departments, the Chairman of the Joint Chiefs of Staff, the combatant commands, the Office of the Inspector General of the Department of Defense, the defense agencies, the Department of Defense field activities, and all other organizational entities in the Department of Defense (referred to collectively as the DoD components)
  • Contracts for personnel providing IA functional services for DoD information systems (IS) via appropriate Defense Federal Acquisition Regulation Supplement (DFARS) clauses

What is the timing for organizations to comply with the directive?

By the end of 2007, 10 percent of the personnel to whom this directive applies must be properly certified. At the end of each of the next three years (2008, 2009 and 2010), an additional 30 percent of personnel must be properly certified so that at the end of 2010, all IA personnel to whom the directive applies are properly certified.

What are other sources of information related to the directive?

What are the DoD Directive 8570's information assurance categories that apply to ISACA's CISA and CISM exams?

The DoD's IA professionals are classified into two categories, information assurance technical (IAT) and information assurance managerial (IAM), each of which is divided into three levels. CISA is included as a baseline certification for professionals in IAT Level III, and CISM is an approved certification for professionals in IAM Levels II and III.

Are the CISA and CISM certifications accredited under ISO-17024?

Yes! CISA and CISM have earned accreditation by ANSI, signifying that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process in accordance with the ISO 17024 standard. Obtaining ANSI certification under ISO/IEC 17024:2003 is a key requirement for certifications approved under Directive 8570.1.

Are the costs of the ISACA CISA and CISM examinations reimbursable under the G.I. Bill?

Yes. The US Department of Veterans Affairs has approved reimbursement under the G.I. Bill for the cost of the CISA and CISM examinations. See for more information.

Are the CISA and CISM exams approved for administration under the DANTES program?

ISACA has finalized this administration and exams can be purchased under the DANTES program. For more information, visit

Why should I take the CISA exam?

The technical skills and practices that CISA promotes and evaluates are the building blocks of success in the information assurance field. Possessing the CISA designation demonstrates proficiency and is the basis for measurement in the profession. With the growing demand for professionals possessing IS audit, control and security skills, CISA has become a preferred certification program for individuals and organizations around the world.

Foremost, the CISA designation:

  • Fulfills the certification requirement for IAT Level III Information Assurance professionals under DoD Directive 8570.
  • Is experience based and provides assurance that those who pass the exam are qualified to perform their job duties.
  • Is maintained by ISACA, which has obtained ANSI accreditation.

What are the CISA certification and exam requirements?

The CISA designation is awarded to those individuals who have met and continue to meet the following requirements:

  • Successfully pass the CISA examination
  • Have a minimum of five years of professional information systems auditing, control or security work experience (as described in the job content areas). Substitutions and waivers of such experience may be obtained.
  • Adhere to the ISACA Code of Professional Ethics
  • Adhere to the CISA Continuing Professional Education Policy
  • Adhere to the ISACA Information Systems Auditing Standards

Additional information on the CISA exam (including its length and content areas) and certification requirements is available at /cisa.

Why should I take the CISM exam?

CISM is designed for security professionals who manage, design, oversee and assess their enterprises' information security systems. The CISM designation:

  • Fulfills the certification requirement for IAM Level II and III Information Assurance professionals under DoD Directive 8570.
  • Is experience based and provides assurance that those who pass the exam are qualified to perform their job duties.
  • Is maintained by ISACA, which has obtained ANSI accreditation.

The CISM credential measures expertise in information security governance, risk management, information security program management, information security management and response management, which correlate to the job duties performed by DoD IA personnel at IAM Levels II and III.

What makes the CISM certification unique?

The CISM certification promotes international practices and provides management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. Individuals earning the CISM certification become part of an elite peer network, attaining a one-of-a-kind credential.

Is ISACA developing self-assessment tools that any candidate can use to help prepare for the CISA and CISM exams?

ISACA is currently developing self-assessment tools to help candidates prepare for the CISA and CISM exams. The tools are intended to help candidates determine which domain areas of the CISA and CISM exams need additional work to achieve a successful score on the exam(s).

How often are the CISA and CISM tests given, and where can I take the exam?

Both exams are offered twice every year, in June and December. There are currently more than 70 testing centers in the US and more than 150 sites internationally. ISACA is also able to establish new exam centers virtually anywhere in the world if there is an interest by a minimum of five candidates in any one location.

In what languages are the CISA and CISM exams given?

The CISA exam is offered in 12 languages. For more information on languages and terminology issues, go to Prepare for the Exam.

The CISM exam is offered in English, Spanish, Japanese and Korean.

How can I obtain training for the CISA and CISM exams?

Classroom training is offered through many ISACA local chapters. Information on classroom training is available at /cisareview and /cismreview. In addition, ISACA offers CISA and CISM self-study review manuals and question/answer/explanation manuals to help prepare for the exams. A description of these manuals can be found in the ISACA Bookstore.

Are there any government discounts available?

ISACA has established a pricing policy that gives departments of a national government that support/recognize ISACA credentials pursuant to a national directive or equivalent reduced pricing on ISACA exams, fees and preparation materials.

  • For more information on discounts available to DoD IA personnel, please email or contact Karyn Waller at 847-660-5535.
  • If you are a DoD Information Assurance (IA) employee subject to DoD Directive 8570 and wish to register for either the CISA or CISM exams, go to DoD Voucher Program for detailed instructions.
  • If you are a DoD IA employee subject to DoD Directive 8570 and wish to register for an exam but your component is not participating in the DoD Voucher pilot program, please contact Karyn Waller at 847-660-5535.
  • If you are not a DoD employee and wish to register for either the CISA or CISM exams, view the ISACA Exam Candidate Information Guide, available at

What are the government discounts?

ISACA provides discounts on exams, fees and preparation materials to national governments who support/recognize ISACA credentials pursuant to a national directive or equivalent.

  • All DoD Information Assurance employees are able to obtain such reduced pricing. DoD IA personnel whose components participate in the voucher program use the voucher program to pay for exams. All other costs, such as membership and exam preparation materials, must be paid for directly by the candidate.
  • DoD IA personnel who are not part of the voucher program are still able to get reduced pricing on exams and related materials, but all such costs are borne by the candidate.

Whom should I contact if I have questions?

Kim Cohen

Michele Luckman