For two decades, the Department of Defense (DoD) ran its cyber workforce on a certification checklist. DoD 8570.01-M told a sailor in a network operations center that a CompTIA Security+ certificate was a green light; a CISSP was a higher tier; the matrix was static and the audit was binary. That regime ended on February 15, 2023, when the DoD issued DoD Manual 8140.03, “Cyberspace Workforce Qualification and Management Program,” replacing 8570 with a competency-based framework anchored in the NICE Workforce Framework for Cybersecurity (NIST SP 800-181 Rev 1). The shift matters because it turned cyber hiring into a multi-axis problem: a work role, a tier, a documented set of qualifications, and a cleared candidate willing to prove all three under a clock that runs months from the day they enter a covered position.
For anyone hunting a Top Secret / Sensitive Compartmented Information (TS/SCI) cyber billet — at the National Security Agency (NSA), United States Cyber Command (USCYBERCOM), the Defense Information Systems Agency (DISA), or one of the service cyber components like U.S. Army Cyber Command (ARCYBER) or U.S. Fleet Cyber Command (FLTCYBER) , 8140 is the framework that decides whether a résumé reaches a hiring manager or stops at a 4,716-page qualification matrix. “All the technology in the world is nothing without people,” then-DoD Chief Information Officer John Sherman said in February 2023 remarks the day the framework was issued. This guide breaks down DoDM 8140.03 in plain English, the seven cyber workforce elements, the three qualification tiers, the certifications that actually count under the new rules, and the deadlines a candidate now has to plan around.
Why DoDM 8140.03 replaced DoD 8570.01-M after 18 years
The original DoD 8570.01-M was published in 2005 and last updated in 2015. It mapped four “Information Assurance” categories — IAT, IAM, IASAE, and CSSP , to specific commercial certifications. The problem was structural: certifications are credentials, not competencies. A 25-year-old with Security+ and zero hands-on experience cleared the same checkbox as a 15-year incident responder. As the cyber threat surface expanded — cloud, operational technology, industrial control systems, embedded systems, mobile, supply chain , the four-bucket model stopped describing what the workforce actually does.
DoDM 8140.03 ditched the four IA categories and adopted the NICE Workforce Framework’s work-role vocabulary as canonical. Every position in the DoD cyber workforce is now mapped to one or more DoD Cyber Workforce Framework (DCWF) work roles. Each work role has a defined set of tasks, knowledge statements, skills, and abilities (the TKSAs), and each work role is qualified at one of three proficiency tiers. The shift is from “do you have the cert?” to “can you perform the role?” — and the audit is now competency-based.
Mark Gorak, principal director for resources and analysis in the DoD Office of the Chief Information Officer, put the philosophy bluntly in a December 2024 interview with GovCIO Media: “I am much more concerned about people who can actually do the job than the pedigree of what they bring to the job.” In the same interview Gorak noted that the Department had updated more than half of its work-role definitions in the prior 24 months , a level of churn that would have been unthinkable under 8570, where the matrix was structurally static.
The seven cyber workforce elements under DoD 8140
DoDM 8140.03 divides the cyber workforce into seven elements. The taxonomy is broader than 8570’s four IA buckets because cyberspace operations now include offensive action, intelligence, software engineering, and data/AI work that did not exist as separate disciplines when 8570 was written. Patrick Johnson, director of the DoD CIO’s Workforce Innovation Directorate, told Industrial Cyber in February 2023 that “the 8140 policy series unifies cyber workforce development efforts under a common umbrella and facilitates greater mobility across population types” , meaning a sailor at FLTCYBER, a civilian at DISA, and a contractor at a defense prime are now all measured against the same yardstick. The seven elements are:
- Cybersecurity — defensive operations, risk management, and information assurance. The successor to most of legacy 8570 IA work, and the element that hit its first organizational compliance deadline on February 15, 2025.
- Cyberspace Effects , offensive cyberspace operations, including the work performed by USCYBERCOM’s Combat Mission Force teams and the service cyber components.
- Cyberspace Intelligence — signals intelligence and all-source intelligence work supporting cyber operations, much of it executed at NSA and the Defense Intelligence Agency (DIA).
- Cyberspace Information Technology (IT) , network operations, systems administration, and engineering of the DoD Information Network (DODIN).
- Software Engineering — secure software development, application security, and DevSecOps work, recognized in DoDM 8140.03 as a distinct element rather than buried under generic “IT.”
- Data/AI , data engineering, data science, and AI/ML work that supports cyber decision-making. Added in the 2023 manual to reflect the operational role of AI in cyber.
- Cyberspace Enablers — acquisition, legal, training, and policy work that supports cyber operations without performing them directly. Captured in DoDI 8140.02 (Identification, Tracking, and Reporting of Cyberspace Workforce Requirements) as a coded population alongside the other six.
Johnson, in the same Industrial Cyber interview, framed the scope: “The manual will guide the Department’s ability to verify and advance capabilities for all 225,000 DoD cyber workforce civilians, military personnel, and contractors.” That 225,000 headcount, drawn from the DoD Cyber Workforce Strategy 2023-2027, is the population the framework now governs.
The 8140 policy stack: what each document actually does
“DoD 8140” in casual conversation collapses three different DoD issuances and two supporting documents into one phrase. Reading a job posting accurately requires knowing which one is being referenced. The stack runs from the overarching directive down to the qualification mechanics, with the NICE Framework underneath as the cross-agency reference vocabulary.
| Document (year) | Authority / signer | Scope | What it means for a candidate |
|---|---|---|---|
| DoDD 8140.01 (Oct 2020) | Office of the Secretary of Defense; supersedes DoDD 8570.1 from 2004 | Top-level cyberspace workforce management directive | Establishes that the workforce will be managed against the DCWF , the legal cover for everything below |
| DoDI 8140.02 (Dec 21, 2021) | DoD CIO | Identification, tracking, and reporting of cyberspace workforce | Tells HR how to code positions with DCWF work-role codes — the data layer behind every modern DoD cyber posting |
| DoDM 8140.03 (Feb 15, 2023) | DoD CIO; supersedes DoDM 8570.01-M (2005) | Qualification mechanics: tiers, evidence, timelines | The manual that decides whether a hire stays in their seat after the 12-month residential-qualification clock |
| DCWF (2023; expanded 2024-2025) | DoD CIO Workforce Innovation Directorate | 7 elements, 33 specialty areas, ~54 original work roles (expanded to 74 by mid-2025 per ISC2 commentary) | The vocabulary every modern DoD cyber JD is now written against |
| NICE Framework (NIST SP 800-181 Rev 1, Nov 2020) | NIST / National Initiative for Cybersecurity Education | Cross-agency cybersecurity workforce framework | The federal-civilian counterpart the DCWF maps to , and the vocabulary CISA, DHS, and most civilian agencies use |
| DoD Cyber Workforce Strategy 2023-2027 Implementation Plan | DoD CIO John Sherman (signed Aug 3, 2023) | Operational plan for the four human-capital pillars: identification, recruitment, development, retention | Authorizes apprenticeships, skill-based hiring, and non-traditional accession pathways — the legal cover for hires walking in without a cert |
For a cleared candidate, the practical reading is: DoDD 8140.01 is the why, DoDI 8140.02 is how HR codes the seat, DoDM 8140.03 is the clock you live under, and the DCWF is the language of every position description. The NICE Framework is the bridge to civilian agency work, and the Strategy Implementation Plan is the policy that authorizes the “we’ll train you” hires that have visibly increased at NSA and the service cyber components since 2023.
Specialty area codes and DCWF work-role mapping
Inside each of the seven elements, DoDM 8140.03 references the DCWF specialty areas. The codes use a two-letter prefix and a three-digit role suffix, and reading them is the fastest way to decode a DoD cyber job announcement on USAJobs or via the Defense Civilian Personnel Advisory Service (DCPAS). The current DCWF runs across 33 specialty areas; the underlying NICE Framework that DCWF maps to is published in NIST SP 800-181 Rev 1, last revised November 2020 and reflected in the NICE Framework Resource Center.
Common specialty area codes a cleared candidate will see in USAJobs listings or DCPAS postings include:
- PR (Protect and Defend) , Cyber Defense Analyst, Incident Responder, Cyber Defense Infrastructure Support Specialist, Vulnerability Assessment Analyst.
- AN (Analyze) — All-Source Analyst, Mission Assessment Specialist, Exploitation Analyst, Target Network Analyst, Warning Analyst.
- CO (Collect and Operate) , Cyber Operator, Cyber Ops Planner, All-Source-Collection Manager. This is where USCYBERCOM offensive teams live.
- IN (Investigate) — Cyber Crime Investigator, Cyber Defense Forensics Analyst. Often a Federal Bureau of Investigation (FBI) or Defense Counterintelligence and Security Agency (DCSA) billet.
- OM (Operate and Maintain) , Network Operations Specialist, System Administrator, Database Administrator, Technical Support Specialist.
- OV (Oversee and Govern) — Information Systems Security Manager, Cyber Policy and Strategy Planner, Cyber Workforce Developer and Manager.
- SP (Securely Provision) , Authorizing Official, Security Architect, Software Developer, Systems Requirements Planner.
The DCWF was originally rolled out with 54 work roles in 2023; by September 2025, ISC2 commentary on the framework reported the DCWF had expanded to 74 work roles across the seven elements, with the AI/data and software-engineering elements driving most of the additions. Expect the count to keep moving — Gorak’s “over 50% of work roles changed in the past two years” figure captures the cadence.
Foundational, Practitioner, and Advanced , the three qualification tiers
DoDM 8140.03 replaced 8570’s IAT-I/II/III hierarchy with three competency tiers that apply to every work role across all seven elements: Foundational, Practitioner, and Advanced. Each tier carries its own evidence requirements — certifications, education, training, and on-the-job experience , and a candidate must satisfy the tier matching the billet’s complexity before being authorized to perform unsupervised work.
| Tier (DoDM 8140.03, 2023) | Typical scope | Evidence required | Typical pay grade (2026) |
|---|---|---|---|
| Foundational | Single system or platform, supervised work | Entry cert (CompTIA Security+, Network+) plus role-specific training | GS-7 to GS-9 |
| Practitioner | Multi-system, full work-role responsibility | CySA+, PenTest+, GSEC, GCIH or equivalent plus 2-3 yrs experience | GS-11 to GS-13 |
| Advanced | Enterprise architecture, leadership, novel problems | CISSP, SecurityX (CASP+), CISM, GCFA plus 5+ yrs experience | GS-13 to GS-15 |
Critically, certifications are no longer the sole pathway. Under DoDM 8140.03, qualification can be demonstrated through any combination of education, training, certification, and on-the-job competency assessment. A candidate with a master’s degree in cybersecurity from a National Centers of Academic Excellence in Cyber Defense (CAE-CD) school and four years of validated experience can be qualified at the Practitioner tier even without a CISSP. In practice, hiring managers default to the cert lookup because it is the fastest filter — but the alternative pathways are real and used.
Which certifications actually count under DoD 8140
The DoD Cyber Exchange maintains the authoritative 8140 qualification matrices, refreshed quarterly. The matrix maps each DCWF work role to the certifications accepted at each tier. The cert universe is largely unchanged from late-8570 , the audit logic and tiering shifted. CompTIA publishes a framework-alignment crosswalk that maps its credentials to DoD 8140 work roles directly. The certifications carrying the most weight across cyber work roles in 2026:
| Certification (2026) | Issuer | List exam fee (2026) | Typical DoD 8140 tier | Strongest fit |
|---|---|---|---|---|
| CompTIA Security+ | CompTIA | $404 (US list; revised to $425 voucher mid-2025) | Foundational | Entry-level Cybersecurity / IT roles; the default first-cert on contractor billets |
| CompTIA CySA+ | CompTIA | $404 | Practitioner | PR (Protect and Defend) work roles — Cyber Defense Analyst, Incident Responder |
| CompTIA SecurityX (CASP+) | CompTIA | $509 | Advanced | SP (Securely Provision) , Security Architect; Advanced-tier technical alternative to CISSP |
| CISSP | ISC2 | $749 | Advanced (broadly mapped) | OV (Oversee and Govern) and senior Cybersecurity work roles; GS-13+ federal seats |
| CISM | ISACA | $760 (member) / $1,000 (non-member) | Advanced (OV) | Information Systems Security Manager and policy/strategy roles |
| GIAC GCIH | GIAC / SANS | $2,499 | Practitioner (PR) | Incident handling and SOC work — heavily preferred at NSA and the service cyber components |
| GIAC GCFA | GIAC / SANS | $2,499 | Advanced (IN , Investigate) | Cyber Defense Forensics Analyst; FBI and DCSA cyber forensics billets |
| OSCP | Offensive Security | $1,649 (single attempt with PEN-200 course) | Practitioner (CO — Collect and Operate) | USCYBERCOM Combat Mission Force teams and service cyber red teams |
| GIAC GPEN | GIAC / SANS | $2,499 | Practitioner (CO) | Offensive cyber roles; complements OSCP for advanced offensive billets |
Note the cost asymmetry. A complete Security+ → CySA+ → SecurityX progression from CompTIA runs roughly $1,317 in exam fees at the 2024 voucher price (closer to $1,438 at the mid-2025 voucher revision). The equivalent GIAC progression (GSEC → GCIH → GCFA) runs roughly $7,497. The DoD will reimburse exam fees for qualifying billets through programs like the DoD Information Assurance Scholarship Program (run by the DoD CIO) and service-level tuition assistance, but candidates who self-fund GIAC certs are not rare among ambitious mid-career analysts targeting NSA or FBI Cyber Action Team positions.
What the 8140 transition changed for a TS/SCI candidate in 2026
The 8140 transition has direct hiring consequences for cleared cyber roles. At the TS/SCI level , where, per the ClearanceJobs 2025 Security Clearance Compensation Report, the average cleared compensation reached an all-time high of $119,131 (up nearly 4% year-over-year) and the TS/SCI premium pushes that to $131,907 — agencies write position descriptions against DCWF work roles rather than against legacy 8570 IAT levels. ZipRecruiter’s Washington-DC TS/SCI clearance figure (October 2025 sample) is $149,398, or roughly $71.83 per hour, with full-scope-polygraph billets pushing past $180,000.
The shift from 8570 to 8140 changes three things at once for a candidate’s job hunt: the vocabulary, the timeline, and the door. The comparison table below isolates each axis.
| Dimension | DoD 8570.01-M (2005-2023) | DoDM 8140.03 (Feb 2023+) |
|---|---|---|
| Vocabulary | Four IA categories: IAT, IAM, IASAE, CSSP | Seven workforce elements; DCWF work roles (~54 → 74 by mid-2025) |
| Qualification basis | Single commercial certification per IAT level | Competency-based; combinations of cert, education, training, on-the-job assessment |
| Coverage | Information Assurance only | All 225,000 DoD cyber workforce personnel , civilian, military, contractor |
| Qualification clock (in-process candidate) | Short grace, generally treated as cert-on-day-one in practice | 9 months to foundational qualification, 12 months to residential qualification from entry into a covered position |
| AI/data treatment | Not addressed | Data/AI is a named workforce element with its own work roles |
| Audit cadence | Annual cert-status check | Continuous: live qualification file with CPEs, annual learning hours, skill assessments |
The qualification clock is the most operationally consequential change. DoDM 8140.03 directs that personnel newly assigned to a cyberspace work role “achieve foundational qualification within 9 months and demonstrate on-the-job readiness (residential qualification) within 12 months” — language consistent across DoD CIO summaries and the DCWF program documentation. On top of the individual clock, the manual layered organizational compliance deadlines that govern how fast each element of the workforce has to be fully qualified.
| Deadline (per DoDM 8140.03) | Applies to | Operational meaning for a candidate |
|---|---|---|
| February 15, 2025 | All cybersecurity workforce element personnel , foundational qualification | Already in effect. Most cleared cyber-defense roles fall here. Hiring is now strictly 8140 vocabulary. |
| February 15, 2026 | Cyberspace IT, Cyberspace Effects, Cyberspace Intelligence, Cyberspace Enablers — foundational; Cybersecurity element , residential qualification deadline | In effect now. Position descriptions for offensive and intelligence cyber roles are being rewritten against DCWF. |
| February 15, 2027 | Residential qualification deadline for the remaining four elements | The end-state. By this date every DCWF-coded seat has to be filled by a residentially qualified person. |
The third practical effect is the door. The 2023-2027 DoD Cyber Workforce Strategy Implementation Plan, signed by then-DoD CIO John Sherman on August 3, 2023 (DoD press release), directs components to expand non-traditional accession pathways including apprenticeships and skill-based hiring. That has visibly loosened the cert-or-bust filter at NSA, ARCYBER, FLTCYBER, and several pure-play contractors. Patrick Johnson’s December 2024 comment to GovCIO that “that’s something we’re going to kind of cast our gaze on, because you’re talking about career pathing” reflects how active the workforce-development side of the policy has become.
Recertification, continuous learning, and the 8140 compliance cycle
Under 8570, recertification was a per-cert problem the workforce member managed individually. DoDM 8140.03 layered a continuous-learning requirement on top: every qualified cyber workforce member must complete an annual minimum of structured cyber-related learning, tracked through the component’s workforce management system. The annual hour requirement varies by tier and work role, but at the Practitioner level it generally runs 20-40 hours per year of documented training, conferences, or coursework, in addition to maintaining cert-specific continuing-education credits.
The cert-CPE math is concrete and worth knowing before any tier-change conversation. CISSP requires 120 CPEs over a 3-year cycle. GIAC certs require 36 CPEs over 4 years. CompTIA’s Security+ requires 50 CEUs over 3 years for the SY0-701 cycle. Continuous-learning hours can stack with cert CPEs in many cases , a SANS conference attended in 2026 will count toward both a GIAC CPE and a DCWF annual-learning hour.
Sherman, the DoD CIO at the time of the 2023 strategy signing, framed the long-term framing in his February 2023 remarks: “People are our foundation — the women and men who make up our workforce that come into DOD, whether it’s military or civilian, and ensuring that we stay where we need to be in the most modern thinking about careers, upskilling, recruitment and training.” The operational reality is that a 2026 cleared cyber analyst’s qualification file is now a living portfolio , cert status, work-role mapping, tier, annual learning hours, and skill-assessment results — rather than a one-time cert lookup. Components are still operationalizing this; DISA, DCSA, and the service cyber commands are at varying maturity stages of their workforce-management dashboards, with full visibility expected by FY2027 when the residential-qualification deadline lands for the remaining four elements.
Frequently asked questions about DoD 8140
Is DoD 8570 still valid in 2026?
No. DoD 8570.01-M was formally superseded when DoDM 8140.03 was published on February 15, 2023. Current cyber workforce qualification flows entirely through the 8140 program. Some legacy position descriptions and training catalogs still cite 8570 baselines; treat those as transitional artifacts rather than current requirements.
Do I still need a CompTIA Security+ for an entry-level cleared cyber job?
In practice, yes for most Foundational-tier roles. CompTIA Security+ remains the most widely accepted single cert across DoD 8140 work roles at the Foundational tier and the cheapest fast-track to baseline qualification (US voucher price $404 through mid-2024, revised to $425 in 2025). Equivalent training plus on-the-job competency assessment can substitute under the new manual , but most contractor billets still require the cert as a precondition for the seat.
How long do new hires have to meet 8140 qualification?
DoDM 8140.03 grants 9 months to foundational qualification and 12 months to residential (on-the-job) qualification from the date a workforce member enters a covered position. On top of the individual clock, the manual sets organizational compliance deadlines: the cybersecurity element hit its foundational deadline on February 15, 2025; cyberspace IT, effects, intelligence, and enablers reached theirs on February 15, 2026; the residential deadline for the remaining elements lands February 15, 2027. The DoD Cyber Exchange program portal publishes the current matrices.
Does the 8140 framework apply to DoD contractors?
Yes. DoDM 8140.03 applies to all DoD military, civilian, and contractor personnel performing cyber work in covered positions — the full 225,000-person workforce Patrick Johnson cited when the program rolled out. Contractors are typically qualified through the prime contractor’s workforce management process, and contract solicitations now reference DCWF work roles and 8140 tiers rather than 8570 IAT levels. Contractor grace is tighter than for federal civilians in some readings , solicitations increasingly require qualification at award.
Which certifications carry the most weight for offensive cyber roles?
For Cyberspace Effects work — the offensive element executed primarily by USCYBERCOM and the service cyber components , the most-cited credentials are the Offensive Security Certified Professional (OSCP), the GIAC Penetration Tester (GPEN), and at the advanced level the GIAC-issued offensive specializations. SecurityX (CASP+) and CISSP support the broader leadership track within offensive units.
How does DoDM 8140.03 relate to the NICE Framework?
The NICE Workforce Framework for Cybersecurity (NIST SP 800-181 Rev 1), published by NIST in November 2020, is the cross-agency federal cybersecurity workforce framework. The DCWF is the DoD-specific tailoring of NICE — it adopts the NICE work-role vocabulary and adds DoD-specific work roles for offensive cyber, intelligence-related cyber, and DoD enabler functions. The two frameworks are intentionally crosswalkable so cleared cyber professionals can move between DoD and civilian agencies (CISA, DHS, NSA-civilian, FBI) without re-qualifying from scratch.
Where to look next
- TS/SCI Cyber Jobs in 2026: The Cleared Cybersecurity Career Guide
- CISSP for Cleared Cyber Analysts: Cost, ROI, and Hiring Impact
- Splunk for Cleared SOC Analysts Complete Skills Guide
- CrowdStrike for Cleared Endpoint Security Skills Guide
- Tenable Nessus for Cleared Vulnerability Analysts Skills Guide
- Kali Linux for Cleared Penetration Testers Skills Guide
- IT Information Systems Technician to Cleared Cyber Career Guide
- ICS/SCADA Cybersecurity Careers in the Defense Sector