
DoD 8570 and 8140: the certification baseline behind cleared cyber jobs

For cleared cyber and IT work, the clearance is only half the gate. The other half is a DoD baseline certification: Security+ for most technical roles, CISSP higher up. Here's how 8570's IAT/IAM levels work, what changed under 8140, and why contractor postings still say '8570.'

A TS/SCI is necessary for most cleared cyber jobs. It is rarely sufficient. Open almost any cleared sysadmin, network, or cybersecurity contract posting and you'll find a second hard requirement sitting right next to the clearance: a DoD baseline certification. "IAT Level II (Security+ or equivalent)." "Must meet DoD 8570." "CISSP required." A cleared candidate with Security+ on their resume is a categorically different hire than the same candidate without it, because the certification is what lets them legally touch the system.

This is the part of cleared cyber hiring that candidates outside the DoD world consistently miss, and the rules changed recently. The framework is moving from DoD 8570 to DoD 8140, the two are structured differently, and — importantly for anyone working a contract — the contractor side is still running on 8570. Here's the practical version.

This is general, factual information about DoD cyber workforce certification policy. It is not legal, security, or career advice. Certification and qualification requirements are set by the DoD and by each contract, and they change; the authoritative source is the DoD Cyber Exchange and your contract's requirements. Confirm specifics with your hiring manager or FSO.

The two-gate reality

For privileged access to DoD information systems, two separate gates have to be open at once.

The first is the clearance: eligibility at the level the work requires, from Secret up through . The second is the workforce certification: proof you've met the baseline qualification for your assigned role. The clearance says you can be trusted with the information. The certification says you're qualified to administer the system that holds it. Miss either one and you can't do the job, no matter how strong the other is.

That second gate is what 8570 and 8140 govern.

What DoD 8570 set up

The DoD 8570 Information Assurance Workforce Improvement Program established a baseline: before someone gets privileged access to a DoD system, they hold an approved certification for their function and level. It sorted the workforce into categories, each with three levels:

  • IAT — Information Assurance Technical. The hands-on-keyboard roles: system administrators, network technicians, anyone with technical privileged access. Levels I, II, III by scope of responsibility.
  • IAM — Information Assurance Management. The roles that manage and enforce security: ISSOs, ISSMs, security managers. Levels I, II, III.
  • IASAE — IA System Architect and Engineer. The roles that design and build secure systems.
  • CSSP — Cybersecurity Service Provider specialties: Analyst, Infrastructure Support, Incident Responder, Auditor, and Service Provider Manager.

Each cell maps to a list of approved certifications, and you only need one cert from your cell to satisfy the baseline. Two names do most of the work in cleared hiring:

  • CompTIA Security+ is the baseline for IAT Level II — the level most cleared technical roles with privileged access fall into. It is the single most-requested certification on cleared IT postings, and for good reason: it's the floor for touching the system.
  • CISSP (from ISC2) anchors the senior end — IAT Level III and IAM Levels II and III. It signals depth and management scope, and it's the cert that unlocks senior and lead roles.

Around those two sit the rest of the approved list: CASP+ (now SecurityX), CISA, CISM, CySA+, GSEC and other GIAC certs, CCNA Security, and more, each mapped to specific cells. The authoritative, current mapping lives on the DoD Cyber Exchange; don't trust a cell mapping you read in a forum without checking it there.

What changed under DoD 8140

DoD transitioned from 8570 to the DoD 8140 Cyber Workforce Qualification Program when DoD Manual 8140.03 was published on February 15, 2023. The two programs are not the same shape, and DoD is explicit that there is no clean "crosswalk" between them — though an individual's certifications can carry over depending on the new role and level they're assigned.

The structural change: 8570 was built around broad functional levels (IAT II, IAM III). 8140 is built around the DoD Cyber Workforce Framework (DCWF) — a set of granular work roles (Cyber Defense Analyst, Security Control Assessor, Systems Administrator, Exploitation Analyst, and dozens more) spanning the cyber workforce elements: cybersecurity, cyber IT, cyber effects, cyber intelligence, and enablers. Each position is coded to a primary work role, and each work role has a qualification path.

Three things about 8140 are worth knowing as a candidate:

  • Certification is one path, not the only one. Under 8140, you meet a work role's foundational qualification through a certification, qualifying education, DoD training, or documented experience. A relevant degree from an accredited or CAE-designated program can satisfy the same requirement a cert does. After that, a residential qualification — demonstrated on-the-job capability in the actual mission environment — is layered on top.
  • There are real deadlines. When you're assigned to a work role, the manual gives you 9 months to reach foundational qualification and 12 months for the on-the-job (residential) piece. Miss them without a waiver and you're removed from the role's duties. At the program level, the cybersecurity workforce element's foundational deadline was February 15, 2025, with the remaining elements phasing in through 2027.
  • "Good for life" is dead, and so is the blanket renewal. Certifications have to be kept current per the issuing body's own rules, and 8140 adds a continuing-education floor — a minimum of 20 hours per year of professional development once you've hit residential qualification.

The contractor wrinkle most postings get right

Here's the part that confuses people reading job ads: if 8140 replaced 8570 in 2023, why do contract postings still say "DoD 8570 IAT II"?

Because for contractor personnel, 8570 is still the governing policy. DoD's own transition guidance states that contractors remain under 8570 until the Defense Federal Acquisition Regulation Supplement (the DFARS) is updated to authorize 8140 for contractor positions. Government civilians and military members moved to 8140 on the timeline above; the contract workforce did not move with them automatically.

For most of the cleared talent ClearMatch serves — people working on contracts — that means the 8570 baseline-certification language on a posting is not out of date. It's the rule that still applies to the contract seat. A posting that says "IAT Level II, Security+ within six months of hire" is using current, correct contractor language. Expect the two frameworks to coexist in postings for a while, with civilian/military descriptions citing 8140 work roles and contractor descriptions citing 8570 levels.

The practical playbook

If you're cleared (or getting there) and aiming at cyber/IT contract work:

  • Security+ is the highest-leverage first cert. It satisfies the IAT Level II baseline that the largest share of cleared technical roles require, and it's the requirement you'll see most often. It's the cert that turns "cleared" into "cleared and placeable."
  • Many roles let you certify after hire. Contract language frequently allows a window — commonly six months under 8570 — to obtain the baseline cert after starting. A clearance plus a credible plan to certify can be enough to get hired.
  • CISSP is the senior unlock, not the entry ticket. You don't need CISSP for an IAT II role, and chasing it before you have the experience (it requires five years of relevant work) is often the wrong order. Get the baseline that fits the role you're targeting now.
  • Keep them current. Budget for continuing-education units. A lapsed cert fails the gate the same way no cert does.

Common myths

  • "Everyone needs a CISSP." No. CISSP is for senior technical and management levels. Most cleared technical roles need Security+ (IAT II), and over-certifying for an entry role doesn't help you and may not even be possible yet (the experience requirement).
  • "8570 is gone, so the certs don't matter anymore." No. Contractors are still under 8570, and even under 8140 certifications remain a primary qualification path. The gate didn't disappear; it got more flexible about how you clear it.
  • "My cert is good for life." Not for DoD purposes. "Good for life" certifications aren't valid under 8140, and 8570 phased them out too. Maintain to the issuer's schedule.
  • "The cert is interchangeable with the clearance." They're separate gates. A cleared candidate with no baseline cert and a Security+-holder with no clearance are both blocked from a role that needs both.

What this looks like inside ClearMatch

ClearMatch's matcher reads the certifications on your profile the way a GovCon recruiter does: as qualifications that open specific roles, not as keywords. Security+, CISSP, CASP+, CISA, and the rest are parsed from your resume into structured skills, so a cleared role that asks for "IAT Level II" can be matched against the fact that you actually hold the baseline for it — and the per-match narrative can say so.

The agent doesn't track your DoD work-role coding or your foundational-qualification clock; that lives with your employer and the contract. What it does is make sure the roles you see are ones where your clearance and your certifications fit the requirement, instead of burying the roles a Security+-holding TS/SCI candidate is a real match for under a pile of ones they're not.


Sources: , , and the for the current approved certification and qualification matrices. Certification requirements are set by the DoD and by each contract and change over time; confirm the current baseline for your role with the DoD Cyber Exchange and your hiring manager.
