The DoD 8140 transition is no longer a future concern, it is the current standard. The February 2025 deadline required all DoD civilian employees and military service members in cybersecurity workforce element roles to be qualified under DoDM 8140.03. The February 2026 deadline extended that requirement to cyberspace IT, cyberspace effects, intelligence (cyberspace), and cyberspace enabler workforce elements.
If you are a DoD civilian, active-duty service member, or contractor with a designated cyber work role, getting qualified is not optional. This guide gives you a practical roadmap for figuring out what you need and how to get there.
Note: if you are looking for a comparison of DoD 8570 and DoD 8140 and what changed between them, see our earlier post DoD 8140 vs DoD 8570: What Federal IT Professionals Need to Know.
Step 1: Identify Your DCWF Work Role
DoD 8140 organizes the cyber workforce around 72 distinct work roles defined by the DoD Cyber Workforce Framework (DCWF). Your qualification requirements are tied to your specific work role designation, not a broad category like “IT person” or even the legacy IAT/IAM label from the 8570 era.
Your organization’s workforce manager, commanding officer’s designated representative, or human resources staff should have your work role designation on file. If you do not know your work role, start there. The DCWF work roles are also publicly available at the DoD Cyber Exchange (cyber.mil), where you can browse roles by workforce element and identify the one that most closely matches your actual duties.
Step 2: Understand the Qualification Framework
Under DoDM 8140.03, qualification has two components:
Foundational Qualification: A DoD-approved certification that validates your baseline knowledge for the work role. This is what most people mean when they discuss DoD 8140 certification requirements. For most roles, a recognized commercial certification from CompTIA, ISC2, ISACA, EC-Council, or a similar body satisfies this requirement.
Residency Qualification: Hands-on performance demonstration within a specific work role environment. This is typically satisfied through documented job experience in the designated role.
For most working DoD professionals, the gap is at the foundational level. The question is: which commercial certification does your specific work role require?
Step 3: Match Your Work Role to an Approved Certification
The DoD Foundational Qualification Matrix (version 2.1, effective September 2025) lists approved certifications by work role. The following summarizes the certifications that appear most frequently across common work roles:
Technical security and analyst roles (legacy IAT equivalents): CompTIA Security+ satisfies foundational requirements across the widest range of technical work roles and remains the most commonly required entry-to-mid-level certification in the DoD cyber workforce. CompTIA CySA+ qualifies for mid-to-senior analyst and SOC roles. CASP+ and CISSP appear in requirements for senior technical roles.
Management and governance roles (legacy IAM equivalents): CompTIA Security+ satisfies requirements for entry-level management roles. CISSP and CISM both satisfy mid-to-senior management work role requirements. CASP+ also qualifies for some management roles.
Security engineering and architecture roles (legacy IASAE equivalents): CISSP is the primary foundational qualifier for these roles. CISSP-ISSAP and CISSP-ISSEP appear in requirements for senior architecture and engineering work roles.
Vulnerability assessment, SOC analyst, and incident response roles: CompTIA CySA+ and CEH appear frequently across these work roles.
RMF, authorization, and ISSO/ISSM roles: Personnel supporting system authorization under DoDI 8510.01 need certifications aligned to their specific work role. CISSP, CISM, and CASP+ appear across most of these roles. Pairing a foundational certification with RMF training aligned to DoDI 8510.01 and NIST SP 800-37 is strongly recommended for anyone in an authorization support role.
Step 4: Close the Gap
Once you know your work role and the certifications that satisfy it, the path forward is straightforward:
Review the exam objectives. CompTIA, ISC2, ISACA, and EC-Council all publish their exam domains and objectives publicly. Review them against your current knowledge to identify where you need to focus before investing in training.
Get formal instruction. Self-study works for some candidates, but instructor-led training is significantly more effective for high-stakes certification exams. A qualified instructor can identify what the exam actually tests versus background knowledge, accelerate your preparation, and answer the kinds of DoD-context questions that generic training materials miss. IT Dojo’s courses are designed specifically for DoD and federal professionals who need to pass these exams on a deadline.
Schedule the exam promptly. Having a date on the calendar creates accountability. Most certification bodies allow reasonable rescheduling, so booking early does not create undue risk and significantly improves completion rates.
Document your qualification. Once certified, work with your workforce manager to update your official record in your organization’s system of record, often DCPAS, eMASS, or a service-specific HR system. The certification does not count toward compliance until it is documented in the official record.
How IT Dojo Can Help
IT Dojo offers instructor-led training for the certifications that appear most frequently across DoD 8140 work role requirements, including CompTIA Security+, CompTIA CySA+, CASP+, CISSP, CISM, CEH, and Risk Management Framework (RMF).
All courses are taught by instructors with direct DoD and federal experience and are available live online and on-site for commands and organizations throughout Hampton Roads and the National Capital Region. If you need to map your specific work role to the right certification and training plan, contact IT Dojo to discuss your requirements.