Overview
What defense contractors and military IT professionals need to know about compliance deadlines, qualifying certifications, and training paths under the DoD 8140 framework.
If your day job involves a Common Access Card or a contract with the DoD, you've probably been hearing one phrase a lot lately: 8140. It replaces the old 8570 framework you might have built your training plan around — and the transition has real deadlines, real cert requirements, and real consequences for non-compliant positions.
This guide is for the IT directors, training managers, and individual contributors who need to understand what 8140 actually requires, who it applies to, and how to build a compliant qualification path without burning a year of training budget on certifications you don't need.
What DoD 8140 Replaces
DoD 8570.01-M was the framework from 2005 to 2023. It mapped cyber roles into Information Assurance Technical (IAT) and Information Assurance Management (IAM) levels and required a small set of named certifications per level (Security+, CISSP, CISM, etc.).
DoD Manual 8140.03 is the modern replacement. The structural shift:
- More work roles — 8570 had roughly a dozen named levels; 8140 has 70+ work roles mapped to the NIST/NICE framework
- More qualification pathways — instead of "you must hold cert X," 8140 allows education, training, and experience to combine
- Tighter alignment with NIST — the work roles correspond to NICE Framework work role IDs, so the same vocabulary now spans federal civilian and defense
- Clearer foundational vs. residential vs. advanced levels per role
Bottom line: more roles are covered, more paths qualify you, and the documentation requirements are stricter.
Who DoD 8140 Applies To
8140 applies to anyone performing cyberspace work for or on behalf of the DoD. That includes:
- Active-duty military and civilians in cyber work roles
- Defense contractors and subcontractors with cyber work in scope
- Foreign nationals supporting DoD systems
- Most "blue badge" and many "green badge" IT positions on DoD networks
If you're a contractor and your statement of work mentions cybersecurity, vulnerability management, or anything touching a DoD network — you're in scope.
The New Workforce Framework
Work Roles and Categories
Work roles are grouped into 7 categories:
- IT (Cyberspace)
- Cybersecurity
- Cyberspace Effects
- Cyberspace Intelligence
- Cybersecurity Leadership
- Software Engineering
- AI/ML
Each role has a NICE Framework code (e.g., OM-ANA-001 for "Cyber Defense Analyst") and a defined qualification path.
Qualification Pathways
For each role, 8140 defines what qualifies you. There are three accepted pathways:
- Certification-based — hold one or more approved certs at the right level
- Education-based — a degree in an approved discipline plus role-specific training
- Experience-based — documented years performing the role's tasks, with continuous learning evidence
The mix-and-match flexibility is the biggest difference from 8570. A senior practitioner with a relevant degree and 8 years of incident response can satisfy 8140 without re-credentialing — provided their command/contractor properly documents the qualification package.
Compliance Deadlines
Here's the timeline that matters:
- Foundational (Basic) qualification: required within 9 months of role assignment
- Residential qualification: required within 12 months of role assignment
- Advanced qualification: required within 24 months for senior roles
For existing personnel, the qualifications must be in place by the role's renewal cycle — most commands set this on a fiscal-year cadence. If your renewal is coming up, work backwards from that date.
Certifications That Qualify
While 8140 supports multiple paths, certification remains the fastest and most defensible. The DoD maintains a DoD 8140 Qualification Matrix that maps approved certs to each work role and level. Some of the most frequently cited:
- CompTIA Security+ — qualifies foundational levels for many cyber defense and IT roles
- CompTIA CySA+ — qualifies analyst-tier roles, residential level
- CompTIA PenTest+ — qualifies offensive/penetration-test roles
- CISSP — qualifies advanced cyber defense, architecture, and management roles
- (ISC)² CCSP — qualifies cloud security roles
- CISM / CISA — qualify management and audit roles
- GIAC certifications (GSEC, GCIH, GCIA, etc.) — broadly accepted across multiple work roles
The matrix is updated periodically; always confirm against the current Qualification Matrix before committing budget.
How to Build a Compliant Training Plan
Whether you're staffing a team of 50 or qualifying yourself, the workflow is the same:
Step 1: Map Each Person to a Work Role
Use the NICE Framework codes. Don't guess: pull the actual SOW or position description and match the tasks performed to an 8140 work role.
Step 2: Determine the Required Level
Foundational, residential, or advanced. Most line-level analysts are residential; team leads and architects are advanced.
Step 3: Pick the Path
Will you go cert-based, education-based, or experience-based? Cert-based is most defensible during audits.
Step 4: Schedule the Training With Margin
Don't book a Security+ class the week before someone's qualification deadline. Aim for completion 3 months ahead of the deadline to allow for retake risk.
Step 5: Document Everything
Qualification packages survive audits when the documentation is tight: training transcripts, exam vouchers, dated certificates, and continuing-education evidence. Tracking this in a spreadsheet is fine for small teams; larger organizations should consider a learning management system.
Common Mistakes to Avoid
- Treating 8140 as "more 8570" — the work-role structure is genuinely different. Don't assume Security+ alone covers everyone the way IAT Level II used to.
- Letting CEUs lapse — 8140 is more forgiving on paths in but stricter on continuing maintenance. CEUs aren't optional.
- Ignoring foreign-national contractor coverage — yes, they're in scope if they touch covered work.
- Booking everyone the same cert — different roles need different certs. A blanket "all hands take Security+" is wasted budget for roles that need PenTest+ or CCSP.
Frequently Asked Questions
When did 8570 fully retire?
The transition formally ended in 2023, but many contracts referenced 8570 through 2024. New SOWs cite 8140; existing personnel continue under their prior qualification until their next renewal.
Do I have to re-test if I'm already 8570-qualified?
Generally no — if you held an approved certification under 8570 and the cert remains on the 8140 matrix, you're qualified for the equivalent 8140 role until your next renewal cycle.
Does a degree alone satisfy 8140?
Sometimes, for foundational levels. Most roles require a degree plus additional training or experience. The cert path remains the cleanest.
Who is responsible for proving qualification — me or my employer?
Both. The individual is responsible for completing the qualification; the employing organization (command or contractor) is responsible for maintaining the qualification package and producing it during audits.
Force7 runs accelerated, DoD 8140-aligned training on a recurring schedule. If you're looking at a near-term deadline and need a no-fluff path to qualification, our course schedule shows the next available cohorts.