Overview
DoD 8570 became 8140 — here's what changed, why it matters for your certifications, and how the cyber workforce qualification framework evolved.
On this page · 5 sections
For years, "8570" was the shorthand for DoD certification requirements. Now it's "8140." If you built your understanding of DoD cyber qualifications around 8570, it's worth knowing what actually changed — and what it means for the certifications you hold or plan to earn.
A quick history
DoDD 8570 was the Department of Defense directive that, for over a decade, governed information assurance workforce training and certification. It's what popularized the familiar categories — IAT, IAM, IASAE, and CSSP — and the lists of approved baseline certifications mapped to each level.
DoD 8140 superseded 8570 as the department's cyber workforce policy. It wasn't a minor rename; it was a modernization and expansion of how the DoD defines and qualifies its cyber workforce.
What actually changed
1. Broader scope. 8570 focused primarily on information assurance. 8140 covers a much wider cyberspace workforce — more roles, more functions, reflecting how much the cyber mission has grown.
2. Alignment to the NICE Framework. 8140 aligns DoD roles to the National Initiative for Cybersecurity Education (NICE) Framework, a common national language for cybersecurity work roles. This creates consistency between DoD and the broader federal and industry workforce.
3. Role-based qualification. Rather than the narrower category-and-level model, 8140 emphasizes qualifying people for specific work roles through a mix of education, training, certification, and experience — a more holistic approach.
4. Continued central role for certifications. Importantly for practitioners, certifications remain a key qualification component. The familiar baseline certifications didn't become worthless — they continue to map to work-role requirements under the new framework.
What it means for your certifications
Here's the reassuring part: if you hold certifications that qualified you under 8570 — like CompTIA Security+, CySA+, CASP+, or CISSP — they generally remain valuable and relevant under 8140. The framework evolved, but the core baseline certifications continue to serve as recognized qualifications for cyber roles.
What changed is the structure around them — how roles are defined and how qualification is documented — more than the certifications themselves. The practical advice for individuals hasn't fundamentally shifted: earn the certification(s) that map to your work role, keep them current, and maintain the experience and training your position requires.
What to do about it
- Don't panic about existing certifications. They very likely still count; the well-known baselines remain central.
- Focus on your work role. Under 8140, understanding your specific role's requirements is the key — map it to the certifications and qualifications it demands.
- Keep certifications current. Renewal through continuing education remains essential; a lapsed certification doesn't qualify you.
- Confirm specifics. Implementation varies by component and contract — verify the exact requirements for your position.
The bottom line
The move from 8570 to 8140 modernized and broadened the DoD's approach to its cyber workforce, aligning it to national standards and a role-based model. But it didn't upend the value of the certifications professionals have long pursued. Understand your work role, hold the right current certifications, and you'll stay qualified under the framework that governs today's DoD cyber workforce.
Keep your workforce 8140-qualified with Force7 — request a quote or explore government & military training.