
Introduction
If you work in US federal IT, the military, or defence contracting, you've almost certainly encountered the term "DoD 8570". It's a directive that shapes the hiring, placement, and career progression of tens of thousands of IT professionals working with government systems. And for most of those professionals, passing CompTIA Security+ is the fastest path to meeting its requirements.
This guide explains what DoD 8570 actually is, how it works in practice, where DoD 8140 fits in, and exactly what Security+ satisfies — so you can plan your certification path with confidence.
What Is DoD 8570?
DoD Directive 8570 — formally titled "Information Assurance Workforce Improvement Program" — is a US Department of Defense policy that establishes mandatory baseline certifications for personnel who perform information assurance (IA) functions on DoD information systems.
In plain language: if you work with DoD IT systems in a role that involves information security, you must hold specific certifications. The directive applies to military service members, civilian federal employees, and contractors working on DoD systems.
The directive was issued in 2004 and has been supplemented and updated several times. It remains widely referred to as "DoD 8570" in practice, even though its successor framework — DoD 8140 — is now the formal governing document.
DoD 8140: The Update to Know About
DoD Directive 8140 ("Cyberspace Workforce Management") is the modernised successor to 8570. It was released in 2015 and significantly expanded in scope, moving from a focus purely on "information assurance" to the broader concept of "cyberspace workforce" — encompassing cybersecurity, IT, and cyberspace operations roles.
8140 introduced the Cyberspace Workforce Framework, which maps roles and certifications across a wider range of functions. It's also more closely aligned with the NIST National Initiative for Cybersecurity Education (NICE) framework.
The practical effect for candidates: Most job listings still reference DoD 8570. Both terms refer to the same ecosystem of requirements, and Security+ satisfies requirements under both frameworks. When you see a government IT job listing stating "DoD 8570 compliant" or "DoD 8140 compliant" as a requirement, Security+ is typically what they're looking for.
The Workforce Categories: IAT, IAM, and IASAE
DoD 8570/8140 organises IT workforce roles into three main categories:
IAT: Information Assurance Technical
IAT covers technical roles that maintain, troubleshoot, and operate IT systems with a focus on information security. There are three levels:
| Level | Example roles | Baseline certifications |
|---|---|---|
| IAT Level I | Help desk technician, IT support | CompTIA A+, Network+, SSCP |
| IAT Level II | System administrator, network technician | CompTIA Security+, CCNA Security, CySA+, SSCP |
| IAT Level III | Senior security engineer, enterprise architect | CASP+, CISA, CISSP, GCIH |
Security+ is the most common IAT Level II certification because it's vendor-neutral, widely accepted, and achievable without years of advanced experience.
IAM: Information Assurance Management
IAM covers roles with management and oversight responsibilities for information assurance:
| Level | Example roles | Baseline certifications |
|---|---|---|
| IAM Level I | ISSO, security officer at smaller installations | Security+, CAP, GSLC |
| IAM Level II | Senior ISSO, security manager | CAP, CASP+, CISM, GSLC, CISSP |
| IAM Level III | CISO, programme information security manager | CISM, GSLC, CISSP |
Security+ also satisfies IAM Level I, making it valuable not just for technical staff but for those moving into security management roles.
IASAE: Information Assurance System Architecture and Engineering
IASAE covers roles involved in designing and engineering secure systems. Security+ does not satisfy IASAE requirements; those positions typically require CASP+, CISSP-ISSAP, or CISSP-ISSEP.
Why Employers Require It — and When
The practical effect of DoD 8570/8140 is that certain roles simply cannot be filled without the required certification. This is not a preference; it's a compliance requirement. A hiring manager cannot place an uncertified individual in an IAT Level II role on a DoD contract — the contract itself requires all personnel to be certified.
This creates a structurally captive market for Security+. The demand for the certification is not driven purely by candidates choosing to study for it; it's driven by regulatory compliance requirements that affect hundreds of thousands of positions across:
- Active duty military: Army, Navy, Air Force, Marine Corps, Coast Guard, and Space Force all apply 8570/8140 requirements to IT and cybersecurity personnel
- Federal civilian employees: DoD civilians in IT roles must meet the same requirements
- Defence contractors: Companies like Lockheed Martin, Raytheon, Northrop Grumman, Booz Allen Hamilton, SAIC, and thousands of smaller contractors must ensure their staff are certified to maintain contract compliance
- Veterans transitioning to civilian IT: Many veterans complete Security+ either while still in service or immediately upon separation, because the certification is directly transferable to civilian cybersecurity roles
What Security+ Specifically Satisfies
Under DoD 8570/8140, CompTIA Security+ (SY0-701) is approved as a baseline certification for:
- IAT Level II — the level required for most system administrator, network security, and IT operations roles
- IAM Level I — the level required for security oversight and management roles at smaller installations
This dual applicability makes Security+ one of the most versatile certifications in the framework. Holding Security+ opens the door to technical and management tracks simultaneously.
How to Maintain Compliance: CE Credits
CompTIA certifications are valid for three years. To maintain your Security+ certification without retesting, you must earn Continuing Education (CE) credits through CompTIA's CertMaster CE programme or other approved activities.
CE credit activities include:
- Higher-level CompTIA certifications: Earning CySA+, CASP+, or PenTest+ automatically renews Security+ for another three years
- Training activities: Attending industry conferences, completing online courses, webinars
- Industry experience: Documenting relevant job activities
- Other approved certifications: Certain vendor certifications (Cisco, ISC², ISACA) earn CE credits
For DoD roles, allowing your Security+ to lapse creates an immediate compliance gap. Most employers track certification expiry dates proactively and require renewal before the certification expires.
Preparing for Security+ as a Military or Federal Candidate
The good news: as a military or federal candidate, you likely have access to study resources that civilians don't.
Tuition Assistance (TA): Active duty service members can use TA to fund study materials and exam vouchers through approved education providers. CompTIA certifications are eligible under most TA programmes.
GI Bill: Veterans can use Post-9/11 GI Bill benefits for CompTIA exam fees through participating test preparation providers and institutions.
DoD COOL: The DoD Credentialing Opportunities On-Line (COOL) programme provides resources and, in some cases, funding assistance for certifications that align with military occupational specialties.
On-base training: Many military installations offer IT certification preparation courses through their education centres.
Regardless of how you fund your preparation, the most effective study approach remains the same: systematic coverage of the SY0-701 domains followed by intensive practice question sessions. Start practising with free Security+ questions to benchmark your current knowledge before committing to a full study plan.
Security+ in the Broader DoD Career Path
Security+ is the starting point, not the destination, for most DoD IT career paths. The typical progression looks like this:
- Security+ (IAT Level II / IAM Level I): Entry point to cybersecurity roles
- CySA+ or CEH (IAT Level II — higher): Intermediate cybersecurity analyst skills
- CASP+ or CISSP (IAT Level III / IAM Level III): Senior security engineering and management
Each step up the framework typically corresponds to a pay grade increase, additional clearance access, and broader responsibilities. Security+ is the gate you must pass through to start this progression.
Summary
DoD 8570 (and its successor DoD 8140) mandates baseline certifications for all personnel performing information assurance functions on DoD systems. CompTIA Security+ satisfies the IAT Level II and IAM Level I requirements — the most common certification requirements for federal and defence contractor IT roles.
If you're targeting a government IT position, a military career in IT, or a role with a defence contractor, Security+ is not optional. It's the certification that puts you in compliance and gets you in the door.