People keep calling Training Camp asking which certification covers them under DoD 8140, and the honest answer is unsatisfying. It depends on your work role code. It depends on your proficiency level. It depends on whether your contracting officer is treating the qualification matrix as a floor or a ceiling. Three years into the 8140 transition and the most common mistake I still see is professionals showing up with the wrong cert because somebody told them Security+ covers everything, or you need CISSP for that role. Sometimes those answers are right. Plenty of times they aren’t even close to right for the specific work role.
Working alongside defense contractors and government teams trying to get their workforce 8140 compliant has taught me one thing about this framework. The policy itself isn’t the problem. The Department of Defense actually built something more flexible than 8570 was, with multiple qualification pathways and proper recognition that a system administrator’s job is fundamentally different from a vulnerability assessment analyst’s. The problem is operational. Job postings still use IAT II language. HR systems lag the policy. Contracts written in 2022 reference cert categories that aren’t primary classifications anymore. So you end up dealing with both the official 8140 framework and the legacy 8570 vocabulary that refuses to die quietly.
What follows is a practical map. It isn’t a substitute for the official Foundational Qualification Matrix at cyber.mil, which is the source of record. It is a working guide to which certifications cover which DCWF work roles, what proficiency levels mean in practice, and how to avoid spending six months studying for a credential your contracting officer won’t accept.
The DoD 8140 Foundational Qualification Matrix Version 2.1 became effective September 19, 2025. If your study plan was built off an older version of the matrix, or if a recruiter is telling you something different than what the current matrix shows, verify before you sit for an exam.
The 8140 Reset, Briefly
DoD 8140 replaced 8570 in February 2023 when DoD Manual 8140.03 took effect. The framework cancelled the old IAT, IAM, IASAE, and CSSP categories in favor of work roles defined by the DoD Cyber Workforce Framework, or DCWF. Where 8570 had three or four broad categories with levels stacked underneath, 8140 has more than 70 distinct work roles spread across seven workforce elements: Cybersecurity, IT (Cyberspace), Cyberspace Effects, Intelligence (Cyberspace), Cyberspace Enablers, Software Engineering, and AI/Data.
Each work role gets a numeric code. A System Administrator is 451. A Cyber Defense Analyst is 511. A Vulnerability Assessment Analyst is 541. An Information Systems Security Manager is 722. These codes matter because qualification options are tied to specific role and proficiency combinations, not to broad categories. Two people both holding cybersecurity jobs can have completely different cert requirements depending on their assigned work role.
Each work role also has a proficiency level: Basic, Intermediate, or Advanced. Proficiency level reflects readiness expected for the position, not rank or grade. A Basic level Cyber Defense Analyst position might accept Security+ as a foundational qualification. An Advanced level position in the same role probably wants SecurityX or CISSP. Qualifications cascade upward, meaning a higher proficiency cert qualifies you for lower levels within the same role, but a lower level cert doesn’t work in reverse. Which sounds intuitive until you read the next section.
The Three Variables That Decide Your Cert Requirement
For any 8140 coded position, three things decide what counts as qualified, and the order matters because each one constrains the next.
Work role code comes first. Pull it from your position description or your supervisor. Without it, every other discussion is hypothetical. People who skip this step end up studying for Security+ when they actually need CySA+, or chasing CISSP when their position description quietly accepts SSCP at Intermediate.
Proficiency level is next. Basic, Intermediate, or Advanced. This usually appears in the position description alongside the work role code. If it isn’t there, ask. Plenty of mid-grade employees end up over-certifying for Basic positions or under-certifying for Advanced ones because nobody told them which they were sitting in.
The third variable is the one that catches contractors off guard: employer or contract requirement. The official qualification matrix establishes a floor. Your contracting officer can require more. A contract that says must possess CISSP at time of hire is binding even if Security+ would technically satisfy the matrix at your work role and proficiency level. Read the actual contract language. The matrix is a DoD wide minimum, not necessarily a ceiling on what your specific contract can demand. Government contractors face additional certification requirements beyond what the framework itself spells out, and those requirements live in the contract clauses, not the matrix.
Cybersecurity Workforce Element: The Most Common Roles
The cybersecurity workforce element had the earliest implementation deadline (February 15, 2025) and contains the work roles most cleared IT professionals end up coded into. The patterns are predictable once you have looked at the matrix a few times. Security+ shows up at Basic levels across many roles. CySA+ and SecurityX (formerly CASP+) cover Intermediate territory. CISSP and SecurityX dominate Advanced positions, with CISSP-ISSMP and CISM appearing for management focused roles.
The pattern that emerges across these roles: Security+ remains the most efficient first cert for anyone aiming at the cybersecurity workforce element, regardless of which specific work role they end up coded into. CompTIA reports that Security+ alone maps to 20 different work roles in the matrix, more than any other single certification. From there, the path forks based on what you actually do day to day. SOC work points toward CySA+. If your daily reality leans toward risk assessment and audit, CISA or CGRC tends to fit better. Management track folks usually end up at CISSP or CISM eventually. The CISSP versus CISM question comes up constantly for managers trying to decide which to chase first.
IT (Cyberspace) Workforce Element
The IT workforce element covers the work roles that 8570 would have called system administration, network operations, technical support, and database administration. The February 15, 2026 qualification deadline applied to this element along with cyberspace effects, intelligence, and cyber enablers. As of this writing in 2026, components are now expected to have all coded IT positions in compliance.
A note on Cisco’s place in the IT element. CCNA covers Basic and Intermediate qualification for Technical Support Specialist (411) and is approved for Network Operations Specialist (441). CCNP Security has been added to the matrix for Advanced level network roles. Cisco CyberOps Associate covers some Cybersecurity work roles in addition to its core IT mapping. If routing-and-switching is your daily work, Cisco’s certification path is the most efficient way to satisfy IT element qualifications.
The Other Workforce Elements
The remaining workforce elements have narrower mappings. Most cleared IT professionals won’t be coded into them directly, but they appear on contracts and position descriptions often enough that you should know what they cover.
Cyberspace Effects work roles cover the operational side of offensive and defensive cyber operations. These positions often have qualification requirements that include DoD specific training in addition to or instead of commercial certifications. Many of them accept SecurityX, CISSP, or CISSP concentrations such as ISSEP. Cyberspace Effects qualifications also recognize Cyber Mission Forces training.
Cyberspace Enablers includes legal, acquisition, and policy support roles. The November 2025 update to the matrix expanded acceptable qualifications for this element to include cyber-related training courses from the DoD 8140 Qualification Repository, in addition to existing degree, Cyber 101, and certification options. CGRC (formerly CAP) and CRISC are common fits for the GRC end of this element.
Software Engineering work roles map to credentials like CSSLP for secure software lifecycle work. The AI/Data workforce element is still building out its qualification matrix entries as of v2.1, with TBD entries appearing in some cells where validation is in progress. Intelligence (Cyberspace) qualifications draw heavily from DoD specific training pathways and clearance level requirements that go beyond commercial certifications.
Why Higher Tier Certs Don’t Always Work Like 8570
Under 8570, holding CISSP basically gave you a hall pass. CISSP was treated as a superset of SSCP, Security+, and other lower tier credentials. Hold CISSP, and you were qualified for IAT II, IAT III, IAM I, IAM II, and a chunk of IAM III work without needing to verify each role separately.
Under 8140, that assumption breaks. CISSP is approved for somewhere around 24 work roles across five workforce elements according to ISC2 data, which is the strongest single cert coverage in the marketplace. But it isn’t all roles. There are work roles where the matrix lists SSCP at one proficiency level and CISSP at another, but CISSP doesn’t appear at the SSCP level. The cascade rule (higher level certs covering lower levels in the same role) applies, but only within the same role mapping. If a cert isn’t approved for a specific role at all, no amount of seniority makes it count.
This catches experienced professionals off guard. They look at a Basic level System Administrator role, see SSCP listed as the qualification, and assume their CISSP covers it because CISSP outranks SSCP in their mental hierarchy. The matrix may or may not agree with that assumption depending on the specific work role and proficiency combination. Verify against the current matrix entry for your specific role before assuming your senior cert covers a junior position.
The Contractor Reality
Federal civilian employees get nine months to achieve foundational qualification after assignment to a coded work role, plus 12 months for residential qualification. Contractors don’t get that grace period. Contracted support personnel must meet foundational qualification at the commencement of cyberspace work. Day one. With the cert already in hand.
This is the operational change that matters most for anyone moving from federal civilian work into contracting. The qualification policy is identical for civilians and contractors. The timeline they have to meet it is not. Waiver provisions in DoDM 8140.03 are limited to severe operational or personnel constraints, capped at six months, and are not consecutively renewable. If you are currently a federal civilian and considering a move to contracting, finish your qualifications before you make the jump. This is also part of why CMMC compliance and 8140 compliance often get tangled up in the same conversations with contracting officers, even though they govern different things.
How to Verify Before You Spend Money
Three sources matter when you are figuring out what cert your specific position requires, and they should be checked in order.
The official DoD 8140 Foundational Qualification Matrix is the source of record. It is published by the DoD CIO Workforce Innovation Directorate and currently sits at Version 2.1, effective September 19, 2025. The matrix lives at cyber.mil and gets updated quarterly. If your supervisor, recruiter, or training vendor is telling you something different than what the current matrix shows, the matrix wins. The full DoDM 8140.03 manual spells out the policy that the matrix implements.
Your supervisor or program office is the second source. They know what work role code your position carries, what proficiency level you are coded at, and any contract-specific requirements that go beyond the matrix. Ask them in writing. Email creates a paper trail you can refer back to when a recruiter or HR rep claims you need something different.
For contractors, the contract itself is the third source and often the binding one. If the contract says you need CISSP at time of hire, that is the requirement, regardless of whether Security+ would technically satisfy the matrix for your role. Read the actual contract clauses or have your program office walk you through them. Contract requirements override matrix minimums for the simple reason that the contract is what you signed.
Frequently Asked Questions
What replaced DoD 8570?
DoD Manual 8140.03 replaced DoD 8570.01-M when it took effect on February 15, 2023. The new framework uses DCWF work roles and proficiency levels (Basic, Intermediate, Advanced) instead of the IAT, IAM, IASAE, and CSSP categories that 8570 used.
Does Security+ still satisfy IAT Level II requirements?
Job postings still reference IAT II because the language is embedded in HR systems and contracts, but the underlying policy is now DoD 8140. Security+ remains widely accepted for legacy IAT II positions, but for current 8140 compliance you should verify against the official Qualification Matrix for your specific work role and proficiency level.
How many DCWF work roles exist under DoD 8140?
The framework currently defines more than 70 work roles across seven workforce elements: Cybersecurity, IT (Cyberspace), Cyberspace Effects, Intelligence (Cyberspace), Cyberspace Enablers, Software Engineering, and AI/Data. The list expands over time as new work roles are validated and added to the matrix.
When does the contractor qualification deadline kick in?
Contractors must meet foundational qualification at the commencement of cyberspace work. There is no nine month grace period for contracted personnel. Federal civilian employees get nine months for foundational qualification and 12 months for residential qualification after assignment to a coded position.
Does CISSP automatically qualify me for SSCP roles under 8140?
Not always. Under 8570, CISSP was treated as a superset of SSCP. Under 8140, qualifications cascade within the same work role mapping but don’t automatically carry across roles. If a specific work role lists SSCP at one proficiency level but CISSP isn’t approved for that role at all, your CISSP doesn’t cover it. Check the current Qualification Matrix entry for your specific work role.
What are the three proficiency levels under DoD 8140?
Basic, Intermediate, and Advanced. Proficiency level reflects the readiness expected for the position, not your rank, grade, or years of service. Higher proficiency level certifications qualify you for lower proficiency levels within the same work role.
Where do I find the official DoD 8140 Qualification Matrix?
The DoD 8140 Foundational Qualification Matrix is published by the DoD CIO Workforce Innovation Directorate at public.cyber.mil. The current version is 2.1, effective September 19, 2025. The matrix is updated quarterly as new qualification options are validated and added.
CMO & Certification Guru | Training Camp
Mike McNelis is the CMO at Training Camp, where he combines a passion for technology with a hands-on approach to leadership. Beyond overseeing marketing strategy, Mike is actively involved in the technical side of the business — collaborating with clients, shaping learning solutions, and staying connected to the fast-changing world of IT and cybersecurity. He works closely with companies, government agencies, and individuals to help them achieve meaningful certification and workforce development goals.