At a recent Department of Defense cyber workforce event, Katherine Arrington—Performing the Duties of the DoD Chief Information Officer—delivered a message that cut to the core of national security: we cannot defend what we are not trained to protect. Her message underscored the critical role of certification training under DoD Directive 8140, which governs how both government and contractor cyber personnel are qualified, managed, and held accountable.
 |
“This is your moment to lean in, to take risks,” Arrington told the audience. “Our adversaries know our architecture. Our adversaries know how we do business… We’re fighting a war right now, one-handed.” |
Directive 8140 is designed to change that. By mapping defined work roles to approved certifications, 8140 creates a common language across government and industry. It ensures that everyone working in a cyber capacity—whether in uniform, civil service, or as a contractor—is trained and validated to perform at the highest level.
“You are one of the elite few,” Arrington emphasized. “7,000 people are in the Cyber Excepted Workforce. China alone has 50,000. That means you have to be better than best. You have to be great.”
Certification training is the mechanism that makes that possible. It provides the foundation for technical proficiency, operational effectiveness, and strategic agility. It also ensures consistency in capability across a complex and distributed cyber mission force.
Too often, Arrington warned, the U.S. has tried to “bolt security on instead of baking it in.” Certification addresses that challenge directly, ensuring that workforce members are trained not just in reaction, but in resilience and prevention. “If you don’t build security in at the base,” she said, “does it matter what the cost is if the adversary is able to produce it at a lower rate and a lower cost?”
For defense contractors, the message is equally clear: certification training under 8140 is not optional. Personnel supporting cyber functions must hold the certifications aligned to their designated roles. Failing to meet these standards doesn’t just risk non-compliance—it risks national security.
“You are the first line of defense,” Arrington stated. “You are my cyber special forces.”
This wasn’t just rhetoric. She reminded attendees that kinetic attacks are increasingly preceded by cyber disruptions. “Is our adversary going to turn the power off before they launch a kinetic attack? Yes. Where have we seen this time and time again?”
Certification training ensures the workforce is prepared—not only to detect and respond to these threats, but to anticipate and outpace them. And that training must be continuous. “Our education is key,” Arrington said. “Right now we try to bolt security on instead of faking it in… The ripple effect is really critical.”
As 8140 evolves, it empowers the workforce to evolve with it—through clear role definitions, policy flexibility, and most importantly, access to training. But that system only works if the community leans in. “If a regulation or a policy is impeding you to do your job, say something,” she urged. “This is an opportunity to change.”
The heart of 8140 is more than compliance—it’s capability. Certification is not about checking boxes. It’s about ensuring that when the time comes, the people in the room are ready to act. “Knowledge is powerful. Communication through this community is powerful. What you bring every day to the war fight is powerful.”
Arrington closed with a reminder of what’s truly at stake: “This is the most amazing country that has ever been… And she is only successful when all of you are leaning in every day.”
The mission is clear: Build a cyber workforce that is trained, certified, and always ready. Certification under 8140 isn’t just policy—it’s protection.