If you’re applying to cleared IT jobs, you’ve probably seen “IAT Level II required” in the posting. It shows up most often on systems administrator, network administrator, cybersecurity analyst, and elevated help desk roles supporting DoD information systems.
Here’s what IAT Level II actually means, which certifications are commonly accepted for it, and why Security+ became the default starting point for many cleared IT professionals at that level. If you’re new to how clearance levels and access tiers work, see Security Clearance Levels Explained first.
What IAT Level II Is
IAT stands for Information Assurance Technical. It’s a workforce category from DoD Directive 8570, the predecessor to the current DoD 8140 framework. The IAT category organized technical roles — the people who actually operate, maintain, and secure systems — into three levels based on access and responsibility.
IAT Level II is the middle tier. It covers roles with elevated privileged access to DoD systems: not quite the senior architects or security engineers at Level III, but well above the entry-level help desk and basic network support at Level I.
DoD 8570 has been superseded by DoD 8140 and DoD Manual 8140.03, which shifted the qualification model away from broad IAT/IAM categories and toward DCWF work roles, proficiency levels, approved qualification options, and continuing professional development. In plain English: the old “IAT Level II” label is legacy language, but it still appears in job postings, contracts, and HR systems across many defense and intelligence-community contractor environments. When a posting says “IAT Level II required,” treat it as a real requirement — but verify the current 8140 work role and qualification matrix before assuming one certification satisfies every case.
Roles Commonly Associated With IAT Level II
IAT Level II is commonly associated with many hands-on cleared IT roles. If any of these describe your position, IAT II may be the legacy compliance language attached to the role:
- Systems Administrator — managing servers, accounts, and OS configurations on DoD systems
- Network Administrator / Network Technician — operating and maintaining network infrastructure in classified environments
- Help Desk with Elevated Access — Tier II or Tier III support with admin or privileged credentials
- IT Specialist / Information Systems Security Officer (ISSO) — personnel with system-level access and some security oversight responsibility
- Junior Cybersecurity Analyst — SOC support, log monitoring, and vulnerability scanning roles at the entry to mid level
IAT Level I covers more limited, supervised roles — basic help desk without elevated access and entry-level networking. IAT Level III covers senior security architects, network security engineers, and senior ISSOs. If you’re in the middle — doing real IT work with real system access but not yet at the senior engineering or architecture tier — you’re likely at Level II.
Which Certifications Satisfy IAT Level II
The following certifications are commonly listed as satisfying the legacy IAT Level II baseline under the 8570 framework, which still shows up in many job postings during the 8140 transition.
| Certification | Vendor | Notes |
|---|---|---|
| Security+ CE | CompTIA | Most common IAT II baseline cert. Broad, entry-to-mid level coverage. |
| CySA+ | CompTIA | Stronger fit for SOC, cyber defense, and analyst roles. |
| GSEC | GIAC (SANS) | Strong technical credential, but expensive and less common as an entry route. |
| SSCP | ISC2 | Good security practitioner credential; requires experience or the Associate status path. |
| CND | EC-Council | Network defense-focused; appears in many 8570 baseline lists. Verify current matrix use. |
| GICSP | GIAC | ICS/OT-focused; relevant for specialized industrial and control-system environments. |
| RHCSA | Red Hat | Linux administration credential. Useful for RHEL-heavy sysadmin roles — verify whether the employer accepts it for the specific 8140-coded position. |
Cisco retired CCNA Security in 2020. If a posting still lists CCNA Security, treat that as legacy language and verify whether the employer accepts a current Cisco credential or another approved qualification.
For the authoritative and current list, verify against the official DoD 8140 Qualification Matrix at cyber.mil. The table above reflects the legacy IAT II baseline commonly seen in job postings. For current 8140 compliance, the official Qualification Matrix is the source of record because requirements are tied to specific DCWF work roles and proficiency levels.
Why Security+ Is the Default
Security+ became the common IAT Level II default for three practical reasons.
It’s achievable early in a career. Security+ has no experience prerequisite. Someone transitioning from the military, finishing a degree, or making their first move into cleared IT can sit for it and pass. GSEC requires real technical depth and costs significantly more (SANS training can run $5,000+). SSCP requires a year of relevant experience. CySA+ assumes you already understand what you’re monitoring. Security+ is the realistic on-ramp. For a full study plan, see How to Pass the CompTIA Security+.
It satisfies IAT II and IAM I simultaneously. Security+ covers two compliance categories. An IT professional who moves into a hybrid technical/management role, or who needs to satisfy both categories for a given position, can do it with one cert. That flexibility makes it the practical default across a wide range of role descriptions.
It’s what cleared employers recognize. When a cleared hiring manager or staffing recruiter reads a resume, Security+ reads unambiguously. It appears constantly across cleared IT postings and is one of the most recognizable baseline certifications in the DoD contractor market. It’s not that the other options are inferior — GSEC is arguably a harder and more rigorous credential — but Security+ has become a lingua franca for the cleared baseline, and its signal value in that market is well established.
For most entry and mid-level cleared IT roles, Security+ is the right first cert to target at this level. The path forward from there — CySA+, CASP+/SecurityX, eventually CISSP — is a different conversation. See CompTIA’s Cert Order for the DoD Space for how those credentials sequence.
Higher-level certifications can help, but do not assume “higher” automatically means “accepted” for every 8140-coded role. Always check the specific work role, proficiency level, and employer requirement.
Do You Need IAT Level II Before Applying?
Sometimes yes, sometimes no.
If the posting says “must possess IAT Level II certification at time of hire,” you should assume you need an approved certification before onboarding. If it says “must obtain within six months” or “within 180 days,” the employer may hire you first and require the certification after placement.
Under DoD 8140, qualification timelines and options can depend on the coded work role, proficiency level, component policy, and contract requirements. Do not assume every employer will give you the same grace period. For job seekers, the safest move is practical: if you are targeting cleared IT roles, get Security+ before you need it. It removes a variable from a hiring process that already has plenty of them.
The 8140 Translation
Under DoD 8140, IAT Level II doesn’t map directly to a single DCWF work role. The transition moves away from broad category labels and toward specific role codes with assigned proficiency levels (Basic, Intermediate, Advanced).
A few DCWF work roles that commonly align with what used to be called IAT Level II include:
- Systems Administration (IT) — operating and maintaining enterprise IT systems. Linux skills are increasingly relevant here; see RHCSA Explained for how Red Hat certification fits cleared sysadmin roles.
- Network Operations (IT) — managing and monitoring network infrastructure
- Vulnerability Assessment and Management (Cybersecurity) — identifying and tracking vulnerabilities in DoD systems
- Cyber Defense Analysis (Cybersecurity) — analyzing events and threat data in a SOC context
Under 8140, the right question is no longer “What IAT level am I?” The right question is: “What DCWF work role and proficiency level is this position coded to?”
Security+ still appears as a qualifying option for many common DoD cyber workforce paths, but the official DoD 8140 Qualification Matrix is the source of truth. A certification that satisfies one work role or proficiency level may not satisfy another. Components and contracts can also impose stricter requirements than the baseline matrix. Verify your specific requirement before assuming a certification carries over.
How to Confirm Your Requirement
The job posting tells you the label. Your actual requirement is determined by your coded position.
- Ask your supervisor, ISSM/ISSO, security office, training manager, or contract program office what DCWF work role and proficiency level your position is coded to. The FSO handles clearance tracking; workforce coding under 8140 may sit with a different office depending on your organization.
- Check the official Qualification Matrix. The DoD 8140 Qualification Matrix at cyber.mil lists approved qualifications by work role and proficiency level. This is the authoritative source — not this article, not a forum post, not a recruiter’s interpretation.
- Read the job posting carefully. Many postings still list specific certs rather than just the IAT level. If the posting says “Security+ required,” that’s your answer regardless of what the level language says.
If your position hasn’t been coded yet — which is common during the ongoing 8140 transition — your organization should still have a working requirement based on 8570 legacy standards. Security+ is a safe starting assumption for many IAT II-style job postings, but the final answer is always the employer’s requirement and the current 8140 matrix.
Key Takeaways
- IAT Level II is a legacy DoD 8570 workforce category commonly associated with technical roles that involve privileged system access: sysadmins, network admins, elevated help desk, junior security analysts, and some ISSO-type positions.
- DoD 8140 replaced 8570 in February 2023, but IAT II language is still embedded in job postings, contracts, and HR systems. The requirement is real even though the label is from the previous framework.
- Security+ CE, CySA+, GSEC, SSCP, CND, GICSP, and RHCSA are commonly associated with the legacy IAT Level II baseline, but current 8140 qualification decisions should be verified against the official matrix and the employer’s requirement. Cisco retired CCNA Security in 2020 — treat any posting that still lists it as legacy language and verify with the employer.
- Security+ is the common default because it has no experience prerequisite, satisfies both IAT Level II and IAM Level I under the legacy model, and is widely recognized across the cleared IT job market.
- Under DoD 8140, your actual requirement is determined by your specific DCWF work role code and proficiency level — not the IAT II label. The official Qualification Matrix at cyber.mil is the source of truth. Components and contracts can impose stricter requirements than the baseline matrix.
- If a posting says “must possess at time of hire,” you need the cert before onboarding. If it says “must obtain within 180 days,” you may have a window. Don’t assume — confirm with the employer or contracting office.
- For most entry and mid-level cleared IT roles, Security+ is the right starting point. The path forward involves CySA+, SecurityX, and eventually CISSP depending on your role trajectory.
FAQ
Is Security+ enough for IAT Level II?
For many legacy IAT Level II job postings, yes. Security+ CE is one of the most commonly accepted baseline certifications. Under DoD 8140, however, you should verify the specific DCWF work role, proficiency level, and current Qualification Matrix requirement.
Is IAT Level II still used under DoD 8140?
Not as the primary organizing model. DoD 8140 uses DCWF work roles and proficiency levels instead of the old 8570 IAT/IAM categories. But IAT Level II language still appears in job postings, contracts, and HR systems.
Can I apply without IAT Level II?
Sometimes. Some employers require the certification at hire, while others allow 180 days or another window after onboarding. Read the posting carefully and confirm with the recruiter or program office.
Is RHCSA an IAT Level II certification?
RHCSA is commonly associated with the legacy IAT Level II baseline and can be valuable for RHEL-heavy systems administration roles. For current 8140 compliance, verify the specific work role and qualification requirement in the official matrix.
Sources
- DoD Manual 8140.03 — Cyberspace Workforce Qualification and Management Program — February 15, 2023
- DoD 8140 Qualification Matrices — cyber.mil — Official approved qualification lists by work role and proficiency level
- DoD 8570.01-M — Information Assurance Workforce Improvement Program — Legacy baseline that still governs many compliance requirements during the 8140 transition
- CompTIA Security+ Certification — Official exam page
For the full DoD 8140 framework — workforce elements, DCWF work roles, and how the transition from 8570 works — see DoD 8140 Explained. For a practical walkthrough of the Security+ exam and how to pass it, see How to Pass the CompTIA Security+. For how Security+ fits into a longer certification sequence for the DoD space, see CompTIA Cert Order for Cleared IT Professionals. For Linux skills relevant to systems administrator roles in the cleared space, see RHCSA Explained. For a breakdown of clearance levels relevant to IAT-coded positions, see Security Clearance Levels Explained.
Certification approval lists are subject to change. Verify current qualification requirements against the official DoD 8140 Qualification Matrix at cyber.mil before making decisions based on any specific cert.