CISSP: DoD 8140

The relatively recent introduction of the DoD 8140 manual and its replacing the DoD 8570 document I believe has started the process of undervaluing the CISSP certification. Before, the CISSP would essentially qualify you for any job as it resolves requirements as IAT III & IAM III & IASAE II, which covers like 95% of all security positions. With the 8140, there are very few positions that the cert actually qualifies you for, and there doesn't seem to be any flow down like in the 8570.

I'm not too opposed to this because there should be a bit more diversity in security so people aren't only taking Security+ and CISSP/CASP+. The issue I do have is small DoD contractors who only have 3 or fewer IT security personnel who have to be compliant by having the correct certs for their positions. We can't just have a high-level cert and call it compliant. Everyone needs unique certs or a 4-year degree for the intermediate-level requirements.

It doesn't make sense to me, and I believe the DFARS that requires contractors to be compliant should exempt them from the 8140 or have additional language stating that businesses should only have a handful of compulsory roles and levels rather than having contractors decide what you need and struggling to find someone on staff who can take the time to get a new cert. (I didn't mean to make the world's longest run-on sentence, but I'm not changing it.)

Edit: I don't believe contractors should be exempt from following the 8140 entirely, but there should either be some level of technical debt lifted off of subcontractors who could never afford enough personnel for compliance, or a smaller subset of certificates that still meet compliance and/or some low-level audit to ensure proper security implementation.