Resource
DoDM 8140.03 work-role-to-certification matrix, plus the retired 8570 baseline reference and FAR/DFARS contract context.
The Department of Defense publishes cybersecurity workforce qualification requirements in DoD Manual 8140.03, a large per-role set of documents identifying which certifications, training, and education paths qualify a person for each work role. This page reorganizes the current authoritative DoDM 8140.03 data into a single cross-cutting matrix: every work role on one axis, every accepted certification on the other.
It also preserves a reference copy of the retired DoD 8570.01-M approved-baseline list. That list was removed from public.cyber.mil after the 8140 transition but still shows up by name in active contract language, so contract officers, CORs, and contract staff still need to reference it. The copy below is faithful to the last publicly archived version of the page.
The FAR / DFARS section documents the current state of the contract-clause landscape, where policy (8140) and law-via-contract (8570) don't yet line up.
The full DoDM 8140.03 work-role-to-certification matrix. Column headers are certifications grouped by vendor; row labels are work roles. Each cell shows the proficiency level (Basic / Intermediate / Advanced) at which the certification satisfies that work role. Summary rows at the bottom show totals. Source data is the official DoD Cyber Workforce Qualifications Matrices page; see the repo for the version-controlled xlsx.
| CompTIA | RCCE | EC-Council | FITSI | GIAC (SANS) | ISACA | (ISC)2 | CertNexus | CISCO | mile2 | DAWIA | |||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Work Role | A+ | Net+ | Cloud+ | Sec+ | PenTest | SecX | CySA+ | RCCE-1 | CND | CEH | CEH(P) | CHFI | ECIH | CCISO | FITSP-D | FITSP-A | FITSP-O | FITSP-M | GISF | GDSA | GMON | GRID | GSEC | GCLD | GCED | GCIH | GFACT | GCSA | GICSP | GSNA | GCFA | GCFE | GCIA | GCTI | GPEN | GREM | GSLC | CISA | CISM | CC | CGRC | CSSLP | SSCP | CCSP | CISSP | ISSAP | ISSEP | ISSMP | CSC | CFR | CBROPS | CCNA | CCNP-E | CCNP-S | CPTE | CISSO | LCL-F | PM-P | LCL-A | PM-A | Work Role |
(111) All-Source Analyst |
3 | 3 | 3 | (111) All-Source Analyst |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(121) Exploitation Analyst |
3 | 3 | 3 | (121) Exploitation Analyst |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(131) Joint Targeting Analyst |
3 | (131) Joint Targeting Analyst |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(132) Target Digital Network Analyst |
3 | 3 | (132) Target Digital Network Analyst |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(211) Forensics Analyst |
2 | 3 | 3 | 2 | 3 | 3 | 3 | (211) Forensics Analyst |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
(212) Cyber Defense Forensics Analyst |
3 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | (212) Cyber Defense Forensics Analyst |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(221) Cyber Crime Investigator |
2 | 3 | 3 | 2 | 1 | 3 | 3 | 3 | (221) Cyber Crime Investigator |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(311) All-Source Collection Manager |
3 | 3 | (311) All-Source Collection Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(312) All-Source Collection Requirements Manager |
3 | 3 | (312) All-Source Collection Requirements Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(331) Cyber Intelligence Planner |
3 | (331) Cyber Intelligence Planner |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(332) Cyber Operations Planner |
3 | 3 | 3 | (332) Cyber Operations Planner |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(411) Technical Support Specialist |
1 | 1 | 2 | 3 | 2 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | (411) Technical Support Specialist |
||||||||||||||||||||||||||||||||||||||||||||||||
(421) Database Administrator |
2 | 2 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | 3 | (421) Database Administrator |
||||||||||||||||||||||||||||||||||||||||||||||||||
(422) Data Analyst |
3 | 2 | 3 | 3 | 2 | 3 | (422) Data Analyst |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
(431) Knowledge Manager |
2 | 2 | (431) Knowledge Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(441) Network Operations Specialist |
1 | 2 | 2 | 3 | 1 | 2 | 3 | 2 | 3 | 3 | 2 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | (441) Network Operations Specialist |
||||||||||||||||||||||||||||||||||||||||||
(451) System Admin (req'd for admin access) |
1 | 1 | 2 | 2 | 3 | 1 | 3 | 2 | 3 | 2 | 2 | 3 | 3 | (451) System Admin (req'd for admin access) |
|||||||||||||||||||||||||||||||||||||||||||||||
(461) Systems Security Analyst |
2 | 2 | 3 | 3 | 1 | 3 | 2 | 2 | 3 | 3 | 2 | 3 | 1 | 2 | 3 | 3 | (461) Systems Security Analyst |
||||||||||||||||||||||||||||||||||||||||||||
(511) Cyber Defense Analyst |
2 | 2 | 2 | 3 | 1 | 2 | 2 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 3 | 3 | 3 | 1 | 3 | 3 | (511) Cyber Defense Analyst |
||||||||||||||||||||||||||||||||||||||||
(521) Cyber Defense Infrastructure Support Specialist |
1 | 1 | 2 | 2 | 2 | 2 | 1 | 2 | 1 | 2 | 2 | 2 | 1 | 1 | 3 | 3 | 1 | 2 | 3 | 3 | (521) Cyber Defense Infrastructure Support Specialist |
||||||||||||||||||||||||||||||||||||||||
(531) Cyber Defense Incident Responder |
2 | 2 | 2 | 3 | 2 | 2 | 2 | 2 | 2 | 1 | 1 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 1 | 2 | 3 | 2 | (531) Cyber Defense Incident Responder |
||||||||||||||||||||||||||||||||||||||
(541) Vulnerability Assessment Analyst |
2 | 2 | 2 | 3 | 2 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3 | 2 | (541) Vulnerability Assessment Analyst |
|||||||||||||||||||||||||||||||||||||||||
(611) Authorizing Official/Designated Representative |
2 | 3 | 3 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | (611) Authorizing Official/Designated Representative |
||||||||||||||||||||||||||||||||||||||||||||||||
(612) Security Control Assessor |
2 | 2 | 2 | 2 | 3 | 3 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 2 | (612) Security Control Assessor |
|||||||||||||||||||||||||||||||||||||||||||
(621) Software Developer |
2 | 2 | 3 | (621) Software Developer |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(622) Secure Software Assessor |
2 | 2 | 1 | 2 | 2 | 3 | 2 | (622) Secure Software Assessor |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
(631) Information Systems Security Developer |
2 | 2 | 1 | 3 | 1 | 2 | 2 | 2 | 1 | 1 | 2 | 3 | 2 | (631) Information Systems Security Developer |
|||||||||||||||||||||||||||||||||||||||||||||||
(632) Systems Developer |
1 | 3 | 3 | 2 | 2 | 3 | 2 | 3 | (632) Systems Developer |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(641) Systems Requirements Planner |
2 | 3 | 1 | 2 | 2 | 3 | 3 | 2 | 2 | 2 | (641) Systems Requirements Planner |
||||||||||||||||||||||||||||||||||||||||||||||||||
(651) Enterprise Architect |
2 | 2 | 1 | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | (651) Enterprise Architect |
|||||||||||||||||||||||||||||||||||||||||||||
(652) Security Architect |
2 | 2 | 2 | 1 | 3 | 2 | 2 | 1 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | 3 | 2 | (652) Security Architect |
||||||||||||||||||||||||||||||||||||||||||
(661) Research & Development Specialist |
2 | 3 | 3 | 3 | 3 | (661) Research & Development Specialist |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||
(671) System Testing and Evaluation Specialist |
1 | 2 | 2 | 2 | 1 | 2 | 2 | 2 | 3 | 2 | (671) System Testing and Evaluation Specialist |
||||||||||||||||||||||||||||||||||||||||||||||||||
(711) Cyber Instructional Curriculum Developer |
2 | (711) Cyber Instructional Curriculum Developer |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(712) Cyber Instructor |
3 | (712) Cyber Instructor |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(722) Information Systems Security Manager |
2 | 2 | 2 | 2 | 3 | 2 | 2 | 3 | 2 | 3 | 3 | 3 | 3 | 1 | 2 | 2 | 2 | 3 | 3 | 2 | (722) Information Systems Security Manager |
||||||||||||||||||||||||||||||||||||||||
(723) COMSEC Manager |
3 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | (723) COMSEC Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(732) Privacy Compliance Manager |
3 | 3 | (732) Privacy Compliance Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
(751) Cyber Workforce Developer and Manager |
2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | (751) Cyber Workforce Developer and Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(752) Cyber Policy and Strategy Planner |
2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | (752) Cyber Policy and Strategy Planner |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(801) Program Manager |
2 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 2 | 3 | (801) Program Manager |
|||||||||||||||||||||||||||||||||||||||||||||||||
(802) IT Project Manager |
2 | 2 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | (802) IT Project Manager |
|||||||||||||||||||||||||||||||||||||||||||
(803) Product Support Manager |
3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | (803) Product Support Manager |
||||||||||||||||||||||||||||||||||||||||||||||||||||
(804) IT Investment/Portfolio Manager |
3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | (804) IT Investment/Portfolio Manager |
|||||||||||||||||||||||||||||||||||||||||||||||||||
(805) IT Program Auditor |
2 | 2 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 2 | 3 | 3 | 3 | 2 | 2 | 3 | 3 | (805) IT Program Auditor |
|||||||||||||||||||||||||||||||||||||||||||
Total Positions Covered |
3 | 5 | 15 | 20 | 10 | 17 | 10 | 12 | 10 | 7 | 3 | 3 | 1 | 11 | 4 | 5 | 5 | 7 | 8 | 6 | 4 | 3 | 25 | 9 | 4 | 9 | 9 | 15 | 12 | 4 | 7 | 3 | 7 | 4 | 5 | 1 | 14 | 6 | 13 | 5 | 5 | 5 | 14 | 15 | 11 | 5 | 10 | 3 | 2 | 9 | 2 | 1 | 1 | 4 | 1 | 11 | 1 | 2 | 1 | 2 | Total Positions Covered |
Total "Points" (proficiency levels × positions) |
3 | 5 | 30 | 40 | 22 | 43 | 29 | 33 | 11 | 13 | 6 | 6 | 2 | 32 | 10 | 13 | 13 | 20 | 15 | 12 | 8 | 6 | 50 | 19 | 9 | 22 | 22 | 39 | 32 | 11 | 21 | 9 | 21 | 12 | 15 | 3 | 42 | 18 | 39 | 5 | 10 | 10 | 28 | 37 | 33 | 15 | 30 | 9 | 4 | 25 | 5 | 3 | 3 | 12 | 2 | 30 | 2 | 4 | 3 | 6 | Total "Points" (proficiency levels × positions) |
DoD 8570.01-M was superseded by DoDM 8140.03 and the reference page at public.cyber.mil/wid/dod-approved-8570-baseline-certifications/ was removed. The table below reproduces the baseline certifications and provider details from the last publicly archived version of that page (2024-01-30, via web.archive.org). It is preserved here because active contracts still reference 8570 by name.
| Category | Level I | Level II | Level III |
|---|---|---|---|
| IAT | A+ CE, CCNA-Security¹, Network+ CE, SSCP | CCNA-Security¹, CySA+³, GICSP, GSEC, Security+ CE, SSCP | CASP+⁴ CE, CCNP-Security, CISA, CISSP (or Associate), GCED, GCIH |
| IAM | CAP, CND, Cloud+, GSLC, Security+ CE, HCISPP | CAP, CASP+⁴ CE, CCISO, CISM, CISSP (or Associate), GSLC, HCISPP | CCISO, CISM, CISSP (or Associate), GSLC |
| IASAE | CASP+⁴ CE, CISSP (or Associate), CSSLP | CASP+⁴ CE, CISSP (or Associate), CSSLP | CCISO, CISSP-ISSAP, CISSP-ISSEP |
| CSSP Analyst | CEH, CFR, CCNA Cyber Ops, CCNA-Security¹, CySA+³, GCIA, GCIH, GICSP, Cloud+, SCYBER, PenTest+ | ||
| CSSP Infrastructure Support | CEH, CySA+³, GICSP, SSCP, CHFI, CFR, Cloud+, CND | ||
| CSSP Incident Responder | CEH, CFR, CCNA Cyber Ops, CCNA-Security¹, CHFI, CySA+³, GCFA, GCIH, SCYBER | ||
| CSSP Auditor | CEH, CySA+³, CISA, GSNA, CFR, PenTest+ | ||
| CSSP Manager | CCISO, CISM, CISSP-ISSMP | ||

| Certification | Provider |
|---|---|
| CISSP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, CSSLP, HCISPP, CAP, SSCP, CCSP | (ISC)² |
| A+ CE, Network+ CE, Security+ CE, CASP+⁴ CE, CySA+³, Cloud+, PenTest+, CTT+ | CompTIA |
| CEH, CCISO, CHFI, CND | EC-Council |
| CISA, CISM | ISACA |
| GSEC, GCED, GCIH, GCIA, GCFA, GICSP, GSLC, GSNA, GSE, CFR | SANS / GIAC |
| CCNA Cyber Ops, CCNA-Security¹, CCNP-Security | Cisco |
| SCYBER | Logical Operations |

¹ CCNA-Security was retired by Cisco. Existing holders retain qualification.
² GIAC GSE and GISF were removed from earlier revisions of this list.
³ CSA+ was renamed to CySA+.
⁴ CASP+ was renamed to SecurityX by CompTIA. Existing CASP+ holders retain qualification; new candidates pursue SecurityX.
Source: web.archive.org snapshot (2024-01-30). Polished reference copy: 8570 Baseline Reference (PDF).
Policy shifted from 8570 to 8140, but contract language (including clauses in the FAR and DFARS) in many cases still references 8570 by name. The note below explains the gap and what it means for contracts, COR oversight, and workforce compliance.
Not legal advice. This is one practitioner's reading of publicly available contract-clause text. Consult your KO, legal counsel, or the issuing agency for qualification determinations.
DoD 8570.01-M was superseded as DoD policy by DoDM 8140.03 on 15 Feb 2023. But it has not been superseded in the contract clause that binds DoD contractors to cyber workforce qualification requirements. DFARS 252.239-7001 (last revised 2025-11-10) still references 8570.01-M by name:
The Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program.
The 2025-11-10 revision did not update that reference. And since the DoD removed the authoritative 8570 page from public.cyber.mil during the 8140 transition, contractors needing to cite the 8570 baseline list were left with no canonical source. That's why this repo keeps a reference copy, reconstructed from the last publicly archived snapshot of the page before removal.
DoD's own 8140 transition guidance is explicit:
The DoD 8570 and DoD 8140 programs are not structured the same and there is no "crosswalk" of qualifications between them.
The 8570 workforce model had four broad categories: IAT, IAM, IASAE, and CSSP. An IAT-II technician might have qualified with Security+, and that Security+ satisfied the contract requirement.
DoDM 8140.03 replaces those four categories with roughly 70 specific work roles. The person previously coded as IAT-II may now be coded as (621) Software Developer and (632) Systems Developer. Security+ does not qualify either of those roles under 8140.
Contractors carrying an 8570-era cert portfolio into the 8140 world cannot assume their people are still qualified. They need the current 8140 qualification matrix to see which certs satisfy which work roles at which proficiency levels.
But a Contracting Officer reading a contract that says "comply with DoD 8570.01-M" cannot wave it away as out-of-date. The DFARS clause carrying the requirement still names 8570.01-M in its latest revision.
For Contracting Officers and CORs. The clause as currently written is the clause in force. Until DFARS 252.239-7001 is revised to reference 8140, or until a specific contract is modified, existing contract language governs.
For contractors. Many contracts copy-pasted 8570-specific language (cert lists, workforce categories) into their statements of work rather than incorporating DFARS 252.239-7001 by reference. In those contracts, the 8570 list persists contractually until the SOW itself is amended, regardless of what the DFARS clause says.
For program managers with mixed populations. DoD civilians and military service members are governed by DoDM 8140.03 on the DoD CIO's implementation timeline: cybersecurity element by 15 Feb 2025; IT, cyber effects, intelligence, and cyber enablers by 15 Feb 2026. Contractors on the same program are governed by their contract language, which may not have been updated to match.