Resource
DoDM 8140.03 work-role-to-certification matrix, plus the retired 8570 baseline reference and FAR/DFARS contract context.
The Department of Defense publishes cybersecurity workforce qualification requirements in DoD Manual 8140.03 — a large, per-role set of documents identifying which certifications, training, and education paths qualify a person for each work role. This page reorganizes the current authoritative DoDM 8140.03 data into a single cross-cutting matrix: every work role on one axis, every accepted certification on the other.
It also preserves a reference copy of the retired DoD 8570.01-M approved-baseline list. That list was removed from public.cyber.mil after the 8140 transition but still shows up by name in active contract language — so contract officers, CORs, and contract staff still need to reference it. The copy below is faithful to the last publicly archived version of the page.
The FAR / DFARS section documents the current state of the contract-clause landscape, where policy (8140) and law-via-contract (8570) don't yet line up. It is descriptive, not legal advice.
Jump to: 8140 Matrix · 8570 Reference · FAR / Contract Context
The full DoDM 8140.03 work-role-to-certification matrix. Column headers are certifications grouped by vendor; row labels are work roles. Each cell shows the proficiency level (Basic / Intermediate / Advanced) at which the certification satisfies that work role. Summary rows at the bottom show totals. Source data is the official DoD Cyber Workforce Qualifications Matrices page; see the repo for the version-controlled xlsx.
| CompTIA | RCCE | EC-Council | FITSI | GIAC (SANS) | ISACA | (ISC)2 | CertNexus | CISCO | mile2 | DAWIA | ||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Work Role | A+ | Net+ | Cloud+ | Sec+ | PenTest | SecX | CySA+ | RCCE-1 | CND | CEH | CEH(P) | CHFI | ECIH | CCISO | FITSP-D | FITSP-A | FITSP-O | FITSP-M | GISF | GDSA | GMON | GRID | GSEC | GCLD | GCED | GCIH | GFACT | GCSA | GICSP | GSNA | GCFA | GCFE | GCIA | GCTI | GPEN | GREM | GSLC | CISA | CISM | CC | CGRC | CSSLP | SSCP | CCSP | CISSP | ISSAP | ISSEP | ISSMP | CSC | CFR | CBROPS | CCNA | CCNP-E | CCNP-S | CPTE | CISSO | LCL-F | PM-P | LCL-A | PM-A |
| (111) All-Source Analyst | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (121) Exploitation Analyst | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (131) Joint Targeting Analyst | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (132) Target Digital Network Analyst | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (211) Forensics Analyst | 2 | 3 | 3 | 2 | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| (212) Cyber Defense Forensics Analyst | 3 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (221) Cyber Crime Investigator | 2 | 3 | 3 | 2 | 1 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (311) All-Source Collection Manager | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (312) All-Source Collection Requirements Manager | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (331) Cyber Intelligence Planner | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (332) Cyber Operations Planner | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (411) Technical Support Specialist | 1 | 1 | 2 | 3 | 2 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||
| (421) Database Administrator | 2 | 2 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||
| (422) Data Analyst | 3 | 2 | 3 | 3 | 2 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (431) Knowledge Manager | 2 | 2 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (441) Network Operations Specialist | 1 | 2 | 2 | 3 | 1 | 2 | 3 | 2 | 3 | 3 | 2 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||
| (451) System Admin (req'd for admin access) | 1 | 1 | 2 | 2 | 3 | 1 | 3 | 2 | 3 | 2 | 2 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||
| (461) Systems Security Analyst | 2 | 2 | 3 | 3 | 1 | 3 | 2 | 2 | 3 | 3 | 2 | 3 | 1 | 2 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||
| (511) Cyber Defense Analyst | 2 | 2 | 2 | 3 | 1 | 2 | 2 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 3 | 3 | 3 | 1 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||
| (521) Cyber Defense Infrastructure Support Specialist | 1 | 1 | 2 | 2 | 2 | 2 | 1 | 2 | 1 | 2 | 2 | 2 | 1 | 1 | 3 | 3 | 1 | 2 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||
| (531) Cyber Defense Incident Responder | 2 | 2 | 2 | 3 | 2 | 2 | 2 | 2 | 2 | 1 | 1 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 1 | 2 | 3 | 2 | ||||||||||||||||||||||||||||||||||||||
| (541) Vulnerability Assessment Analyst | 2 | 2 | 2 | 3 | 2 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3 | 2 | |||||||||||||||||||||||||||||||||||||||||
| (611) Authorizing Official/Designated Representative | 2 | 3 | 3 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||
| (612) Security Control Assessor | 2 | 2 | 2 | 2 | 3 | 3 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 2 | |||||||||||||||||||||||||||||||||||||||||||
| (621) Software Developer | 2 | 2 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (622) Secure Software Assessor | 2 | 2 | 1 | 2 | 2 | 3 | 2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| (631) Information Systems Security Developer | 2 | 2 | 1 | 3 | 1 | 2 | 2 | 2 | 1 | 1 | 2 | 3 | 2 | |||||||||||||||||||||||||||||||||||||||||||||||
| (632) Systems Developer | 1 | 3 | 3 | 2 | 2 | 3 | 2 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (641) Systems Requirements Planner | 2 | 3 | 1 | 2 | 2 | 3 | 3 | 2 | 2 | 2 | ||||||||||||||||||||||||||||||||||||||||||||||||||
| (651) Enterprise Architect | 2 | 2 | 1 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||
| (652) Security Architect | 2 | 2 | 2 | 1 | 3 | 2 | 2 | 1 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | 2 | ||||||||||||||||||||||||||||||||||||||||||
| (661) Research & Development Specialist | 2 | 3 | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (671) System Testing and Evaluation Specialist | 1 | 2 | 2 | 2 | 1 | 2 | 2 | 2 | 3 | 2 | ||||||||||||||||||||||||||||||||||||||||||||||||||
| (711) Cyber Instructional Curriculum Developer | 2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (712) Cyber Instructor | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (722) Information Systems Security Manager | 2 | 2 | 2 | 2 | 3 | 2 | 2 | 3 | 2 | 3 | 3 | 3 | 3 | 1 | 2 | 2 | 2 | 3 | 3 | 2 | ||||||||||||||||||||||||||||||||||||||||
| (723) COMSEC Manager | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (732) Privacy Compliance Manager | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| (751) Cyber Workforce Developer and Manager | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (752) Cyber Policy and Strategy Planner | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (801) Program Manager | 2 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 2 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||
| (802) IT Project Manager | 2 | 2 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | |||||||||||||||||||||||||||||||||||||||||||
| (803) Product Support Manager | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| (804) IT Investment/Portfolio Manager | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| (805) IT Program Auditor | 2 | 2 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | |||||||||||||||||||||||||||||||||||||||||||
| Total Positions Covered | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Total "Points" (proficiency levels × positions) |
This matrix is designed for desktop viewing — rotate to landscape or use a larger screen for the full view.
DoD 8570.01-M was superseded by DoDM 8140.03 and the reference page at public.cyber.mil/wid/dod-approved-8570-baseline-certifications/ was removed. The table below reproduces the baseline certifications and provider details from the last publicly archived version of that page (2024-01-30, via web.archive.org). It is preserved here because active contracts still reference 8570 by name.
| Category | Level I | Level II | Level III |
|---|---|---|---|
| IAT | A+ CE, CCNA-Security1, Network+ CE, SSCP | CCNA-Security1, CySA+3, GICSP, GSEC, Security+ CE, SSCP | CASP+ CE, CCNP-Security, CISA, CISSP (or Associate), GCED, GCIH |
| IAM | CAP, CND, Cloud+, GSLC, Security+ CE, HCISPP | CAP, CASP+ CE, CCISO, CISM, CISSP (or Associate), GSLC, HCISPP | CCISO, CISM, CISSP (or Associate), GSLC |
| IASAE | CASP+ CE, CISSP (or Associate), CSSLP | CASP+ CE, CISSP (or Associate), CSSLP | CCISO, CISSP-ISSAP, CISSP-ISSEP |
| CSSP Analyst | CEH, CFR, CCNA Cyber Ops, CCNA-Security1, CySA+3, GCIA, GCIH, GICSP, Cloud+, SCYBER, PenTest+ | ||
| CSSP Infrastructure Support | CEH, CySA+3, GICSP, SSCP, CHFI, CFR, Cloud+, CND | ||
| CSSP Incident Responder | CEH, CFR, CCNA Cyber Ops, CCNA-Security1, CHFI, CySA+3, GCFA, GCIH, SCYBER | ||
| CSSP Auditor | CEH, CySA+3, CISA, GSNA, CFR, PenTest+ | ||
| CSSP Manager | CCISO, CISM, CISSP-ISSMP | ||
| Certification | Provider |
|---|---|
| CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP, HCISPP, CAP, SSCP, CCSP | (ISC)² |
| A+ CE, Network+ CE, Security+ CE, CASP+ CE, CySA+3, Cloud+, PenTest+, CTT+ | CompTIA |
| CEH, CCISO, CHFI, CND | EC-Council |
| CISA, CISM | ISACA |
| GSEC, GCED, GCIH, GCIA, GCFA, GICSP, GSLC, GSNA, GSE, CFR | SANS / GIAC |
| CCNA Cyber Ops, CCNA-Security1, CCNP-Security | Cisco |
| SCYBER | Logical Operations |
1 CCNA-Security was retired by Cisco. Existing holders retain qualification.
2 GIAC GSE and GISF were removed from earlier revisions of this list.
3 CSA+ was renamed to CySA+.
Source: web.archive.org snapshot (2024-01-30). Polished reference copy: 8570 Baseline Reference (PDF).
Policy shifted from 8570 to 8140, but contract language — including clauses in the FAR and DFARS — in many cases still references 8570 by name. The note below documents the clauses most commonly encountered, their current status, and the contract-vs-policy gap in practice. Not legal advice; links to authoritative sources only.
Not legal advice. This document summarizes publicly available contract-clause text as one practitioner's reading. It is not written by a lawyer, a Contracting Officer, or a COR, and it is not a complete legal analysis. If you are making a contract qualification determination, consult your KO, legal counsel, or the issuing agency.
DoD 8570.01-M has been superseded as DoD policy (replaced by DoDM 8140.03 on 15 Feb 2023), but it has not been superseded in the contract clause that binds DoD contractors to cyber workforce qualification requirements. That clause — DFARS 252.239-7001 — still references 8570.01-M by name.
So contractors can end up in a situation where their contract requires compliance with an explicitly retired DoD manual. The authoritative 8570 list once lived at public.cyber.mil/wid/cwmp/dod-approved-8570-baseline-certifications/; DoD removed that page during the 8140 transition. That's why this repo preserves a reference copy of the retired 8570 baseline list. A KO, COR, or contractor compliance team that needs to cite 8570 still has somewhere to cite.
Paragraph (a), quoted in full as of the 2025-11-10 revision:
The Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program.
The reference to DoD 8570.01-M is not incidental — it is the clause's substantive qualification mandate. The 2025-11-10 revision did not update this reference to DoDM 8140.03.
From the DoD 8140 program's public transition materials:
The DoD 8570 and DoD 8140 programs are not structured the same and there is no "crosswalk" of qualifications between them.
A contractor cannot mechanically translate "Security+ under 8570" into "Security+ satisfies work role X at proficiency Y under 8140" without referencing the current DoD 8140 qualification matrix. And a Contracting Officer reading a contract that says "comply with DoD 8570.01-M" cannot wave it away as out-of-date when the very DFARS clause that carries the requirement names 8570.01-M in its latest revision.
When the authoritative list moved behind the 8140 transition and the 8570 page was removed from cyber.mil, the practical need to cite the 8570 baseline list did not disappear. This repo preserves a reference copy — reconstructed from the last publicly-archived snapshot of the DoD page before removal — so that anyone managing a contract that still names 8570 has an authoritative source to cite.
8570/8570-baseline-reference.pdfCompiled by Jeff Krueger. Unaffiliated with any firm, agency, or contracting office. Not legal advice.