DoD 8140 / 8570 Workforce Certification Requirements Explained
DoD certification requirements are the gatekeeper to the federal cybersecurity workforce. Place an uncertified professional in a covered role and your contract is in breach. The legacy 8570 IAT/IAM structure is still embedded in many contracts — you have to fluently navigate both 8570 and the newer 8140.03 Work Role model.
Legacy 8570: IAT and IAM
IAT (privileged technical access): Level I (A+, Network+, SSCP), Level II (Security+, CCNA Security, CySA+), Level III (CASP+, CISSP, CISA).
IAM (oversight and management): Level I (CAP, CND, Security+), Level II (CAP, CASP+, CISM, CISSP), Level III (CISM, CISSP, GSLC).
CSSP categories added for SOC roles: Analysts, Incident Responders, Infrastructure Support, Auditors.
8140.03 Work Role Model
Qualification through Education, Training, or Certification — not just exams. Each Work Role has Basic, Intermediate, Advanced proficiency.
NICE Framework categories: Securely Provision, Operate and Maintain, Oversee and Govern, Protect and Defend, Analyze, Collect and Operate, Investigate.
Map legacy roles deliberately: IAT II → Systems Administrator (Intermediate); IAM I → ISSO; IAM II → ISSM.
Practical Contractor Compliance
Map every billet to the Work Role or IAT/IAM level required by the SOW or DD254 — don't guess.
The six-month grace period is increasingly rare. Many AOs now require certification on Day 1. Submit candidates who don't qualify and they'll be denied access.
Track expirations relentlessly. Security+ expires in three years; CISSP requires CPEs. Lapsed cert = immediate access revocation.
Privileged access roles often need a Computing Environment cert on top of baseline (e.g., Security+ plus Azure Administrator Associate).
Building a Cert Development Program
Formal reimbursement policy covering exams, materials, training. Tier reimbursement by whether the cert is contractually required, strategically valuable, or aspirational.
Internal training calendar that doubles as a CPE generator.
Tracking system with automated 90-day expiration alerts.
This guide is provided for general informational purposes only and does not constitute legal, accounting, or compliance advice. Specific obligations depend on your contracts and your environment.
