DoD 8140 Cybersecurity Certifications: What Veterans Need for Federal IT Jobs
You spent years in uniform working on networks, signals, or cyber operations. Now you want a federal cybersecurity job. You pull up a USAJOBS listing and see "DoD 8140 certification required." You have no idea what that means or which cert you need.
You are not alone. DoD Directive 8140 replaced the old 8570 framework in 2023. The change confused a lot of people. Many veterans still search for "8570 certification" and find outdated lists. The requirements are different now. The certification map is bigger. And if you pick the wrong cert, you waste time and money on something that does not count for the job you want.
This guide breaks down exactly what DoD 8140 requires. You will learn which certs map to which work roles, how the old 8570 categories translate, and which certifications give you the widest coverage for federal cyber jobs. No fluff. Just the cert list and the strategy behind picking the right one.
What Is DoD 8140 and Why Did It Replace 8570?
DoD Directive 8140.01 is the policy that tells every DoD agency which cybersecurity certifications their workforce needs. It replaced DoD 8570.01-M, which had been the standard since 2005.
The old 8570 framework was simple. It had four categories: IAT (Information Assurance Technical), IAM (Information Assurance Management), IASAE (Information Assurance System Architect and Engineer), and CSSP (Cyber Security Service Provider). Each category had three levels. You found your category and level, then picked a cert from the approved list.
That system worked for a while. But cybersecurity grew far beyond those four boxes. Roles like threat hunters, vulnerability analysts, and cyber operations planners did not fit neatly into IAT or IAM. DoD needed a framework that matched actual job functions.
The fix was DoD 8140. It maps directly to the NICE Workforce Framework created by NIST. NICE stands for National Initiative for Cybersecurity Education. It defines 52 specific work roles across 7 categories. Each work role has its own list of approved certifications.
8570 vs 8140: The Short Version
8570 had 4 broad categories with 3 levels each. 8140 has 52 specific work roles mapped to the NICE Framework. Same goal (certify the cyber workforce), but 8140 is far more specific about which cert matches which job.
The transition started in 2023 and is still rolling out. Some agencies fully adopted 8140. Others still reference 8570 categories in their job postings. If you see "IAT Level II" on a USAJOBS listing, that is 8570 language. It still counts. But the cert you pick should also map to an 8140 work role so you are covered going forward.
How Does the NICE Framework Work Role System Work?
The NICE Workforce Framework groups all cybersecurity work into 7 categories. Each category holds specific work roles. Your federal job posting will reference one or more of these work roles. The cert you need depends on which work role the position falls under.
Here are the 7 NICE categories:
- Securely Provision (SP): Designing, building, and configuring secure systems
- Operate and Maintain (OM): Running day-to-day IT and network operations
- Oversee and Govern (OV): Managing cyber programs, policy, and risk
- Protect and Defend (PR): Monitoring, detecting, and responding to threats
- Analyze (AN): Threat intelligence and vulnerability analysis
- Collect and Operate (CO): Cyber operations and intelligence collection
- Investigate (IN): Digital forensics and cyber crime investigation
Each category breaks down further into work roles. For example, Protect and Defend includes Cyber Defense Analyst, Cyber Defense Incident Responder, and Vulnerability Assessment Analyst. Each of those roles has its own approved cert list.
When you read a federal cyber job posting, look for the NICE work role code. It will look something like "PR-CDA-001" (Protect and Defend, Cyber Defense Analyst). That code tells you exactly which certs qualify.
Key Takeaway
Stop searching for "what cert do I need for cybersecurity." Start searching for the NICE work role in the job posting. The work role determines the cert. Two cyber jobs at the same GS level can require completely different certifications.
Which Certifications Cover the Most DoD 8140 Work Roles?
Not all certs are created equal under 8140. Some cover a single work role. Others cover 10 or more. If you are early in your career and want the widest coverage, pick certs that map to the most roles.
Here are the certifications that cover the most ground under DoD 8140:
CompTIA Security+
This is still the gold standard entry point. CompTIA Security+ maps to more 8140 work roles than any other entry-level cert. It satisfies the old IAT Level II requirement and covers work roles across Operate and Maintain, Protect and Defend, and Oversee and Govern categories.
If you only get one cert, this is the one. It qualifies you for most GS-7 through GS-11 cyber positions. And many DoD contractors require it as a minimum.
CISSP (Certified Information Systems Security Professional)
CISSP is the most recognized mid-to-senior level cybersecurity cert. Under 8140, it maps to work roles in every single NICE category. It covers management roles, architect roles, analyst roles, and operations roles. For GS-12 and above positions, CISSP is the cert that opens the most doors.
The catch: CISSP requires 5 years of paid cybersecurity experience. You can pass the exam with less experience and become an Associate of (ISC)2, but the full CISSP needs that work history. Military cyber experience counts toward this requirement.
CASP+ (CompTIA Advanced Security Practitioner)
CASP+ sits between Security+ and CISSP. It covers technical roles that Security+ cannot reach and does not require the 5-year experience minimum that CISSP does. Under 8140, it maps to system architect, security engineer, and advanced analyst work roles.
For veterans at the E-6 to E-8 range with 4-8 years of cyber experience, CASP+ is often the best next step after Security+.
CEH (Certified Ethical Hacker)
CEH maps to offensive security work roles under 8140. If you want to work in penetration testing, red team operations, or vulnerability assessment, CEH is on the approved list. It covers Collect and Operate and Analyze category roles that Security+ does not touch.
CISM and CISA
CISM (Certified Information Security Manager) and CISA (Certified Information Systems Auditor) cover the Oversee and Govern category heavily. These are management and audit-focused certs. If you are targeting GS-13 to GS-15 cyber policy, risk management, or audit positions, CISM and CISA are the certs to pursue.
DoD 8140 Cert Coverage (By Work Role Count)
- CISSP: Covers all 7 NICE categories. Broadest coverage for GS-12+.
- Security+: Best entry-level coverage. Maps to 15+ work roles across multiple categories.
- CASP+: Covers advanced technical roles. No experience requirement like CISSP.
- CEH: Covers offensive and red team work roles that Security+ misses.
- CISM / CISA: Best for management, audit, and governance roles at GS-13+.
How Do Old 8570 Categories Map to 8140 Work Roles?
Many USAJOBS postings still use the old 8570 language. If you see IAT, IAM, IASAE, or CSSP in a listing, here is how those map to the new 8140 framework.
IAT (Information Assurance Technical)
IAT Level I maps to entry-level Operate and Maintain roles. Certs: A+, Network+, CCNA, SSCP.
IAT Level II maps to mid-level technical roles across Operate and Maintain and Protect and Defend. Certs: Security+, CCNA Security, CySA+, SSCP, GSEC.
IAT Level III maps to senior technical roles. Certs: CASP+, CISSP, CISA, GCIH, GCED.
IAM (Information Assurance Management)
IAM Level I maps to entry-level Oversee and Govern roles. Certs: CAP, Security+, GSLC.
IAM Level II maps to mid-level management and risk roles. Certs: CISSP, CISM, CAP, CASP+, GSLC.
IAM Level III maps to senior leadership and CISO-level roles. Certs: CISSP, CISM, GSLC.
CSSP (Cyber Security Service Provider)
CSSP Analyst maps to Protect and Defend work roles. Certs: CEH, CySA+, GCIH, GCIA, Security+.
CSSP Incident Responder maps to Cyber Defense Incident Responder. Certs: CEH, GCIH, CSIH, GCFA.
CSSP Auditor maps to audit and compliance roles. Certs: CISA, GSNA, CEH.
The key point: if you already hold a cert that met an 8570 requirement, that cert almost certainly maps to an 8140 work role too. You do not need to start over. But check the current DoD 8140 approved certification list on the DoD Cyber Exchange website to confirm your specific cert is still listed for the work role you want.
What Are Baseline, CE, and OS Certs Under 8140?
Under the old 8570, you needed two types of certs: a baseline certification and an operating system certification. The 8140 framework keeps this structure but adds a third layer.
Baseline Certification: This is your core cybersecurity cert. Security+, CISSP, CEH, CASP+. These are the ones we already covered. They prove you understand cybersecurity concepts at the level required for your work role.
Computing Environment (CE) Certification: This replaced what 8570 called the "operating system" cert. A CE cert proves you can work with a specific technology. Examples include Microsoft Azure certifications, AWS certifications, Cisco certifications, or Linux certifications. The specific CE cert you need depends on what systems the position uses.
Operating System (OS) Certification: Some positions still require proof you can work with a specific OS. This overlaps with CE certs in many cases. A Windows Server cert or a Red Hat Linux cert would count.
A common mistake is getting only a baseline cert (like Security+) and then applying to positions that also require a CE cert. You show up missing half the requirement and your application sinks to the bottom of the list.
Read the full job posting. Identify the baseline cert AND the CE/OS requirement. Get both before applying. A Security+ plus an AWS Cloud Practitioner cert covers a huge range of federal cyber positions.
Not every position requires all three cert types. Many entry-level GS-7 and GS-9 positions only need the baseline cert. But GS-11 and above positions almost always require a CE cert on top of the baseline. Read the posting carefully.
How Should Veterans Build Their 8140 Cert Stack?
The biggest mistake I see veterans make with certs is getting random ones without a plan. They grab Security+, then Net+, then a random cloud cert, and end up with a pile of credentials that do not align to any specific work role.
Here is a better approach. Build your cert stack based on the specific cybersecurity job you want.
If You Want a SOC Analyst or Cyber Defense Role (GS-7 to GS-12)
Start with Security+. That is your baseline. Then add CySA+ (CompTIA Cybersecurity Analyst). CySA+ specifically maps to the Cyber Defense Analyst work role under Protect and Defend. For your CE cert, get a cloud cert in whatever platform the agency uses. AWS Cloud Practitioner or Microsoft AZ-900 are solid picks.
If You Want a Cyber Operations or Penetration Testing Role (GS-11 to GS-13)
Security+ as your baseline. Then CEH or PenTest+ for the offensive work roles. Your CE cert should be something hands-on. An OSCP (Offensive Security Certified Professional) is not officially on the 8140 list but is recognized by many agencies. GPEN (GIAC Penetration Tester) is on the approved list.
If You Want a Cyber Program Manager or ISSM Role (GS-13 to GS-15)
CISSP is the target cert here. If you do not have the 5 years of experience yet, start with Security+ and CASP+. Add CISM if you want to focus on the management track. For senior positions, CISSP plus CISM covers the widest range of Oversee and Govern work roles.
If You Are Still in Service and Planning Ahead
Get Security+ before you separate. Many military training programs will pay for it. Army Credentialing Assistance, Navy COOL, and Air Force COOL all cover the exam fee. Getting Security+ while you are still in means you separate with a DoD 8140 baseline cert already in hand. That puts you ahead of most applicants on day one.
Check out the CompTIA veteran discount for exam fee savings after you separate.
- Get Security+ First: Covers IAT Level II and maps to 15+ 8140 work roles. Use military tuition programs if still serving.
- Pick Your Target Work Role: Browse USAJOBS cyber postings. Find 5 positions you want. Note the work role codes and cert requirements listed in each one.
- Add Your Specialty Cert: CySA+ for defense roles. CEH for offensive. CISSP or CISM for management. Match the cert to the work role.
- Get a CE Cert for Your Target Agency: AWS, Azure, or Cisco. Check what platforms the agency uses. This is the cert that separates you from other applicants who only have the baseline.
How to Pay for 8140 Certifications as a Veteran
Cybersecurity certs are expensive. Security+ costs about $400. CISSP runs $749. CEH is $1,199. But veterans have more funding options than almost anyone.
GI Bill: The GI Bill covers certification exam fees through the Licensing and Certification test reimbursement program. You can get reimbursed up to $2,000 per exam. Check the GI Bill certifications list to confirm your target cert is approved.
VET TEC: The VET TEC program covers tuition for approved cyber training programs. Some of these programs include cert exam vouchers. The program pays a housing allowance while you train. No GI Bill time is deducted.
DoD SkillBridge: If you are still on active duty with 180+ days left, some SkillBridge programs focus on cybersecurity certification prep. You train full time during your last months of service while still getting military pay.
Workforce Innovation and Opportunity Act (WIOA): Your local American Job Center can fund certification training through WIOA grants. Veterans get priority enrollment. This is a good option if you already used your GI Bill on a degree.
Employer-funded: Many DoD contractors and federal agencies will pay for certs as a condition of employment. If you get hired into a position that requires a cert you do not have yet, ask if the agency will fund the training. Many will give you 6 months to earn the cert after starting.
For a full list of free certification programs for veterans, we have a complete directory.
What Federal Cyber Jobs Require 8140 Certifications?
Almost every federal cybersecurity position at DoD, DHS, NSA, and the intelligence community requires an 8140-compliant certification. But "cybersecurity" covers a wider range of jobs than most people think.
Here are federal job series that commonly require DoD 8140 certs:
- GS-2210 (IT Specialist): The catch-all federal IT series. Covers INFOSEC, network, sysadmin, and application roles. Nearly all 2210 positions at DoD agencies require 8140 certs.
- GS-0854 (Computer Engineer): Hardware and system engineering roles. Often require IASAE-equivalent 8140 certs.
- GS-1550 (Computer Scientist): Research and development cyber positions. Typically require CISSP or CASP+ level certs.
- GS-0132 (Intelligence): Cyber intelligence analyst positions. Require Analyze category 8140 certs.
- GS-1801 (General Investigation): Digital forensics and cyber crime roles. Require Investigate category certs like GCFE, EnCE, or CFCE.
The Cyber Excepted Service (CES) positions use a different pay scale than GS. These jobs are still under DoD and still require 8140 certs. But they pay on bands instead of steps. If you want to understand how CES pay compares to GS, read our guide on Cyber Excepted Service pay bands.
A security clearance also matters for most of these positions. Having a TS/SCI clearance from your military service combined with an 8140 cert puts you in a small pool of qualified candidates. That combination is worth a lot in this market.
How to List DoD 8140 Certifications on Your Federal Resume
Having the cert is step one. Showing it correctly on your federal resume is step two. After reviewing thousands of applications in my federal career, I can tell you that many applicants bury their certs or list them wrong.
Here is how to list your 8140 certifications so they stand out:
Create a dedicated Certifications section. Do not bury your certs in your education section or scatter them in your work descriptions. Put them in their own section near the top of your resume, right after your professional summary.
Include the full cert name, issuing body, cert number, and expiration date. Federal HR specialists verify certifications. Make it easy for them. "CompTIA Security+ CE, CompTIA, Cert #COMP001234567, Expires 03/2028" is what they want to see.
Note the 8140 work role category. If the posting says "DoD 8140 qualified," add a line like "Meets DoD 8140 baseline certification requirement for Protect and Defend work roles." That tells the reviewer exactly how your cert maps to the position.
Reference the cert in your work experience too. If you used the skills from your certification in a previous role, mention it in that job description. "Applied Security+ knowledge to configure and monitor IDS/IPS systems across a 500-node network" connects the cert to real work.
Watch Your Cert Expiration Dates
An expired certification does not count for 8140 compliance. If your Security+ expired 6 months ago, you are not qualified for the position. Renew before you apply. Most CompTIA certs require renewal every 3 years through continuing education credits.
BMR's Federal Resume Builder formats your certifications section to match what federal HR specialists expect. Paste in the job posting and it will pull the cert requirements from the listing so you can match them directly.
Where to Find the Current DoD 8140 Approved Cert List
The official list of approved certifications lives on the DoD Cyber Exchange website. The direct URL is public.cyber.mil. The page still references 8570 in the URL, but the list has been updated to reflect 8140 work role mappings.
A few things to know about the approved list:
- It gets updated periodically. Certs are added and removed. Check the list before you commit time and money to a specific certification.
- Some certs have version requirements. An older version of Security+ might not be on the current list even though the newer version is.
- The list shows which certs satisfy which work role categories. Use this to cross-reference the work role code from your target job posting.
- Vendor-specific certs (Cisco, Microsoft, AWS) appear for CE requirements, not baseline requirements.
Bookmark that page. It is the only source that matters. Blog posts, Reddit threads, and forum advice become outdated fast. The DoD Cyber Exchange page is the ground truth.
If you are planning your full transition into cybersecurity, pair the cert research with a solid understanding of which military cyber MOS codes translate to civilian roles. Your military training covers more than you think. The cert is the proof that makes it official on paper.
What to Do Next
Stop guessing which cybersecurity cert to get. Start with the job you want and work backwards.
Go to USAJOBS and search for "cybersecurity" or "information security" positions. Find 5 listings at the GS level you are targeting. Look at the qualifications section for the NICE work role code and the specific certification requirements. Write them down.
You will see a pattern. The same 2-3 certs will show up across most of the positions you want. That is your cert stack. Get those, in order, and you will be qualified for the jobs you actually want.
If you need help building a federal resume that puts your 8140 certifications and military cyber experience in the right format, BMR's Federal Resume Builder was built for this. Paste a USAJOBS listing and get a resume tailored to that specific position. Built by veterans who have sat on both sides of the federal hiring desk.
Frequently Asked Questions
- Q: Is DoD 8570 still valid or has 8140 fully replaced it?
- Q: What is the best entry-level cert for DoD 8140 compliance?
- Q: Does military cyber experience count toward CISSP experience requirements?
- Q: Do I need a degree for federal cybersecurity jobs?
- Q: How often do I need to renew my 8140 certifications?
- Q: Can I get my 8140 certifications paid for as a veteran?
- Q: What is a Computing Environment (CE) certification under 8140?
- Q: How do I find the NICE work role code in a federal job posting?
About the Author
Brad Tachi is the CEO and founder of Best Military Resume and a 2025 Military Friendly Vetrepreneur of the Year award recipient for overseas excellence. A former U.S. Navy Diver with over 20 years of combined military, private sector, and federal government experience, Brad brings unparalleled expertise to help veterans and military service members successfully transition to rewarding civilian careers. Having personally navigated the military-to-civilian transition, Brad deeply understands the challenges veterans face and specializes in translating military experience into compelling resumes that capture the attention of civilian employers. Through Best Military Resume, Brad has helped thousands of service members land their dream jobs by providing expert resume writing, career coaching, and job search strategies tailored specifically for the veteran community.