If you work in federal IT or support DoD systems, you have almost certainly heard the terms DoD 8570 and DoD 8140 mentioned in the same breath. The two directives govern which cybersecurity certifications are required for personnel who work with DoD information systems, and the transition between them has been a source of confusion for years.
This guide breaks down what each directive means, what changed between them, and what you should be doing right now to stay compliant.
What Is DoD 8570?
DoD Directive 8570.01-M, often called just “8570,” was the original framework for Information Assurance (IA) workforce certification requirements. Published in 2005 and updated in 2012, it created a structured set of job categories and tied specific commercial certifications (CompTIA Security+, CISSP, CISM, and others) to those categories.
For over a decade, 8570 was the standard. If you were in a Technical Level II (IAT II) role, you needed CompTIA Security+ or equivalent. If you were in a Management Level III (IAM III) role, you needed CISSP or CISM. The framework was straightforward even if the certification requirements were demanding.
What Is DoD 8140?
DoD Instruction 8140.01 is the successor to 8570. Rather than a flat list of certification requirements mapped to job categories, 8140 introduces a competency-based workforce framework built around the NICE Cybersecurity Workforce Framework. It organizes roles into work roles with defined knowledge, skills, and abilities (KSAs) rather than simply matching a job title to a certification.
The key difference: 8140 is more granular and role-specific. Instead of broad categories like “IAT Level II,” it defines dozens of specific work roles such as Vulnerability Assessment Analyst, Systems Security Engineer, or Cyber Defense Analyst. Each work role has its own qualification requirements.
What Actually Changed?
Several things shifted in the transition from 8570 to 8140:
The certification list expanded significantly. While 8570 relied heavily on a short list of well-known commercial certifications, 8140 added many more approved credentials and created a pathway for DoD components to approve additional qualifications at the local level.
The framework became more flexible. Under 8140, relevant work experience and education can contribute to qualification in ways that were not possible under 8570. This was designed to reduce barriers for skilled practitioners who might lack a specific certification.
The work role taxonomy changed. The old IAT/IAM/IASAE categories gave way to the NICE Framework taxonomy, which means that some personnel had to be remapped to new work roles. Your organization’s workforce managers should have already completed this mapping.
The timeline was extended more than once. The DoD originally set ambitious transition deadlines, then adjusted them repeatedly as organizations worked through the complexity of remapping thousands of positions.
Where Things Stand in 2026
As of 2026, DoD components are expected to be operating under 8140 as the governing instruction. However, many of the approved certifications from 8570 remain valid under 8140, so holding a CISSP, CISM, CompTIA Security+, or similar credential still counts toward your qualification requirements. The certification you earned for an 8570 role almost certainly maps to an approved qualification under 8140 as well.
The most important step if you are unsure of your status is to work with your organization’s Authorizing Official (AO) or workforce manager to confirm your current work role designation under 8140 and verify that your certifications align with the requirements for that role.
Which Certifications Are Still Required?
While the specific requirements vary by work role under 8140, the certifications that consistently appear across the most common work roles include:
CompTIA Security+ remains one of the most widely required entry-to-mid-level certifications across technical work roles. It is often the starting point for federal IT professionals who need to establish a baseline qualification.
CISSP (Certified Information Systems Security Professional) is required or approved for many of the higher-tier management and security engineering roles. It remains the gold standard for senior cybersecurity positions in the federal space.
CISM (Certified Information Security Manager) continues to be a top qualifier for management-track roles. For federal IT managers and information security officers, CISM is frequently the certification of choice.
CEH (Certified Ethical Hacker) and CASP+ appear regularly in work roles related to vulnerability analysis, penetration testing, and security engineering.
For roles specific to the Risk Management Framework (RMF), familiarity with NIST publications (SP 800-37, SP 800-53) is expected alongside any certification requirements.
How IT Dojo Can Help
If you need training for a certification required under DoD 8140, IT Dojo can help. We offer live instructor-led courses for CISSP, CISM, CompTIA Security+, CASP+, CEH, and Risk Management Framework (RMF) – all taught by instructors with hands-on federal experience and available live remote online. If you are working through a role transition under 8140 or your organization needs to get a team qualified, contact IT Dojo to discuss your requirements.
Bottom Line
DoD 8140 replaced 8570 as the governing directive for cybersecurity workforce qualifications, but it did not render your existing certifications obsolete. The most likely impact on working federal IT professionals is a remapping of their work role designation and, in some cases, a requirement to earn an additional or different certification to match the new role requirements.
Stay in communication with your workforce managers, verify your current work role designation under 8140, and make sure your certifications align. If there is a gap, address it now rather than waiting for a compliance deadline to force the issue.
For a full list of 8140-approved certifications and the work roles they satisfy, refer to the DoD Cyber Workforce Framework (DCWF) website.