You’ve seen it on cleared job postings: “DoD 8570/8140 compliant required.” You’ve seen others list “IAT Level II” as a hard requirement. If you’ve spent any time in the cleared IT space, you’ve probably nodded along without being entirely sure which framework actually applies to you, or what the difference between those two numbers is.
Here’s the straightforward version.
Why the Directive Exists
The DoD doesn’t let just anyone touch classified systems. Anyone with privileged access to DoD information systems — whether you’re a GS employee, a uniformed service member, or a contractor sitting in a SCIF — is required to hold a qualifying credential that demonstrates they understand cybersecurity fundamentals appropriate to their role.
DoD Directive 8140 is the policy that enforces that requirement across the entire defense workforce. It defines who falls under the mandate, what qualifications they need, and how agencies track and verify compliance. Without it, there’s no standardized way to ensure that the network admin at a forward operating base and the IAM at a defense contractor meet the same baseline.
If your job touches DoD systems in a cyber capacity, this directive governs what you’re required to hold.
From 8570 to 8140 — What Changed
DoD 8570 was the original framework, introduced in 2005. It organized the workforce into three categories:
- IAT (Information Assurance Technical) — Levels I, II, and III for technical roles
- IAM (Information Assurance Management) — Levels I, II, and III for management roles
- IASAE (Information Assurance System Architect and Engineer) — Levels I, II, and III for architecture and engineering roles
Each level had a corresponding list of approved certifications. Security+ satisfied IAT II and IAM I. CISSP satisfied IAM III and IASAE. The system was simple and widely understood.
DoD 8140 replaced it. The official transition came with the release of DoD Manual 8140.03 on February 15, 2023. Instead of three broad categories with levels, 8140 uses the DoD Cyber Workforce Framework (DCWF) — a structure of more than 50 distinct work roles that map more precisely to what people actually do day to day.
A few things worth knowing about the transition:
Job postings still use 8570 language. You’ll see “IAT II required” on postings today. That’s not wrong — many organizations are still operationalizing the transition, and 8570 terminology is deeply embedded in contracting language. But the underlying policy is now 8140.
There is no direct crosswalk. The DoD has explicitly stated that 8570 and 8140 are not structured the same and there is no official mapping between them. Your certifications may carry over depending on the work roles and proficiency levels assigned to your position — but it’s role-dependent, not automatic.
The Seven Workforce Elements
Under 8140, the entire DoD cyber workforce is organized into seven elements. Your position falls into one of these:
| Workforce Element | What It Covers |
|---|---|
| Information Technology (IT) | System administration, network operations, help desk, IT project management |
| Cybersecurity (CS) | Security operations, vulnerability assessment, policy, incident response |
| Cyber Effects (CE) | Offensive cyber operations, cyberspace superiority |
| Intelligence (Cyber) | Cyber threat intelligence, all-source analysis with a cyber focus |
| Data / Artificial Intelligence | Data management, AI/ML development and operations |
| Software Engineering (SE) | Software development, secure coding, DevSecOps |
| Cyber Enablers | Legal, acquisition, workforce development, policy support |
If you’re in cleared IT working as a sysadmin, network engineer, or security analyst, you’re most likely in the IT or Cybersecurity workforce elements.
The Three Proficiency Levels
Within each work role, positions are coded at one of three proficiency levels:
- Basic — Familiarity with core concepts; works with frequent specific guidance. Entry-level positions.
- Intermediate — Extensive knowledge with real-world application; works with periodic high-level guidance. Mid-level positions.
- Advanced — In-depth understanding of advanced concepts; operates with significant autonomy. Senior positions.
Your position should have a specific DCWF work role code and a proficiency level assigned to it. That combination is what determines your qualification requirement — not a broad category like IAT II.
Compliance Timelines
DoDM 8140.03 took effect February 15, 2023, and set implementation windows that vary by workforce element and qualification type. The Cybersecurity workforce element had the earliest window; other elements — IT, Cyber Effects, Intelligence, Data/AI, Software Engineering, and Cyber Enablers — followed on a longer timeline. The framework also distinguishes between foundational qualifications and residential qualifications, and deadlines differ between them.
The important takeaway: if you’re in a coded position, the transition is no longer theoretical. Implementation is underway across the workforce. Confirm your specific deadline and qualification status with your security officer, supervisor, or component workforce management office — don’t rely on a single date pulled from a third-party summary.
Qualification Is More Than a Certification
This is one of the most commonly misunderstood parts of 8140: a certification is only one way to satisfy a qualification requirement.
DoDM 8140.03 establishes multiple pathways for foundational qualification, which can include:
- Commercial certifications from the approved Qualification Marketplace
- DoD-approved training courses
- Academic degrees or education aligned to the work role
- In some cases, documented experience
This is a meaningful shift from 8570, which was almost entirely certification-driven. Under 8140, the focus is on demonstrated capability for the assigned work role, not just holding a specific cert. Your organization’s workforce management chain can tell you which pathways are available for your specific position.
Certifications and Where They Land
Certifications remain the most common and practical way to satisfy qualification requirements, especially at entry and mid levels. The tables below are a directional guide based on the DoD 8570 baseline — the certification mappings that carried forward into the 8140 transition. They are not a substitute for checking the official Qualification Matrix for your specific work role and proficiency level.
The IAT, IAM, and IASAE labels used here reflect 8570 terminology that still appears on job postings. Under 8140 proper, these map to specific DCWF work roles and proficiency levels rather than broad categories.
CompTIA
| Certification | Where It Applies |
|---|---|
| A+ | IAT Level I — entry-level technical support roles |
| Network+ | IAT Level I — networking and infrastructure roles |
| Security+ | IAT Level II, IAM Level I |
| CySA+ | IAT Level II — analyst and SOC roles |
| PenTest+ | IAT Level II — penetration testing and offensive roles |
| SecurityX (formerly CASP+) | IAT Level III, IAM Level II, IASAE Levels I–III |
Security+ is the most widely held compliance cert in the cleared space and appears on more job postings than any other — a practical observation, not a policy claim. For most entry and mid-level IT and security positions, it’s the starting point. For guidance on which CompTIA certifications to pursue and in what order, see The CompTIA Trifecta: Worth It, Overrated, or Mandatory?.
ISC2
| Certification | Where It Applies |
|---|---|
| SSCP | IAT Levels I–II, IAM Level I |
| CAP | IAM Level I — policy and authorization roles |
| CISSP | IAT Level III, IAM Levels II–III, IASAE Levels I–III |
| CCSP | IAT Level III — cloud security roles |
| CSSLP | IASAE Levels I–III — software security and DevSecOps roles |
CISSP has the broadest role coverage of any single certification in the framework, spanning senior technical, management, and architecture positions across multiple workforce elements.
EC-Council
| Certification | Where It Applies |
|---|---|
| CND (Certified Network Defender) | IAT Level I |
| CEH (Certified Ethical Hacker) | CSSP Analyst, CSSP Incident Responder |
| CHFI (Computer Hacking Forensic Investigator) | CSSP Auditor — forensics-focused roles |
| CCISO | IAM Levels II–III — executive and senior management roles |
GIAC (SANS)
| Certification | Where It Applies |
|---|---|
| GSEC | IAT Level II |
| GSLC | IAM Level I |
| GCIA | CSSP Analyst roles |
| GCIH | CSSP Incident Responder roles |
| GPEN | Penetration testing and incident response roles |
| GWAPT | Offensive CSSP roles |
GIAC has deep coverage across technical and specialized work roles, particularly incident response, forensics, and penetration testing.
ISACA
| Certification | Where It Applies |
|---|---|
| CISM | IAM Levels II–III — security management and governance |
| CISA | IAT Level III — audit and compliance-heavy roles |
Cisco
| Certification | Where It Applies |
|---|---|
| CCNP Security | IAT Level III — senior network security roles |
Note: Cisco’s CCNA Security and CCNA Cyber Ops certifications were retired in 2020. For current Cisco certification status under 8140, verify against the official Qualification Matrix.
A Note on IT-Specific Qualifications
The 8140 Qualification Marketplace extends beyond security certs. Work roles in the IT Workforce Element have their own approved qualification lists that may include vendor-specific and platform certifications. If your position is primarily an IT operations role rather than a security role, your requirement may look different from the tables above.
How to Find Your Exact Requirement
The tables above are a starting point. Your actual requirement is determined by your specific DCWF work role code and proficiency level. Here’s how to find it:
- Get your DCWF work role code and proficiency level. Your security officer, supervisor, or component workforce management office should have this. If your position hasn’t been coded, that’s something your organization is responsible for — ask.
- Check the official Qualification Matrix. The DoD 8140 Qualification Matrix is maintained at cyber.mil and is the authoritative source for approved certifications, training, and education by work role and proficiency level.
- Confirm with your security officer or FSO. They manage compliance tracking for your organization and can confirm whether your current qualifications satisfy the requirement or what you still need.
Key Takeaways
- DoD 8140 replaced DoD 8570 in February 2023. 8570 language still appears on job postings, but 8140 is the governing framework.
- The new structure uses 50+ DCWF work roles across seven workforce elements — not the old IAT/IAM/IASAE categories.
- Positions are coded at Basic, Intermediate, or Advanced. Your requirement is determined by your work role code and proficiency level, not a broad category.
- Qualification under 8140 is broader than certifications alone — education, training, and experience are also valid pathways depending on the role.
- Implementation timelines vary by workforce element and qualification type. Confirm your specific deadline with your organization, not a third-party summary.
- The official Qualification Matrix at cyber.mil is the authoritative source. The cert tables in this article are directional — use them to orient yourself, then verify against the matrix.