Skip to content
CertiGuard

Search

Type a word like "security+" or "ccna". Search runs on the published site.

DoD 8140 Approved Certifications: The Verified List and What Each Costs

By Mario Bailey, Editor

Facts last verified against official sources: 2026-07-11

If a DoD job posting, military billet, or defense contract says you need an “8140 approved” certification, the authoritative answer lives in one document: the DoD 8140 qualification matrix on the DoD Cyber Exchange. Try to open it and you hit a Department of Defense sign-in page. We checked again the day this guide was last verified, and every 8140 page on cyber.mil, the matrix included, now resolves to a DoD login. If you are transitioning out of the military, applying from outside, or bidding on a contract without a CAC, you cannot read the list you are being measured against.

The internet fills that gap badly, mostly with tables copied from the old 8570 program that ended in 2023. This page takes a different approach: it lists only the certifications whose own vendor publicly states 8140 approval, in writing, on the vendor’s own site. By that standard, 17 of the 40 certifications on this registry qualify. Every exam price below comes from the certification’s own profile here, verified against the vendor. Everything about the 8140 program itself was verified against DoD documents that are actually public, all linked in the sources.

What DoD 8140 is, and what happened to 8570

For most of two decades, DoD cyber jobs ran on DoD 8570.01-M, the “Information Assurance Workforce Improvement Program.” It sorted jobs into IAT and IAM levels and published a baseline-certification table for each, which is why half the certification pages on the internet still say things like “meets IAT Level II.” The replacement arrived in stages: a directive (DoDD 8140.01, first signed August 11, 2015, which cancelled the 8570 directive, then reissued October 5, 2020), an instruction on identifying and tracking the workforce (DoDI 8140.02, December 21, 2021), and finally the piece that changed what you actually need to get hired, DoD Manual 8140.03, issued February 15, 2023, which replaced the 8570 manual and its baseline tables.

The manual gave the DoD a phased schedule: civilian and military personnel in cybersecurity work roles had to be qualified under 8140 by February 15, 2025, and everyone else in the cyber workforce (IT, cyber effects, intelligence, and cyber-enabler work roles) by February 15, 2026. Both dates have now passed. Every DCWF-coded DoD position today is governed by 8140 qualification rules, and any certification list organized by IAT levels describes a program that no longer exists.

How qualification actually works under 8140

8570 asked what level your job was. 8140 asks what your job is. Every covered position is coded to a work role from the DoD Cyber Workforce Framework (DCWF), each with a name and a three-digit code, like Technical Support Specialist (411) or Cyber Defense Analyst (511). A billet carries a primary work role and up to two additional ones, and you must qualify for each work role your position is coded to.

For each work role at each proficiency level (Basic, Intermediate, or Advanced), the qualification matrix lists foundational qualification options in three lanes: an educational degree, a specific training course, or a personnel certification. You need one, not all three; this guide covers the certification lane, which is usually the fastest and the only one you can buy off the shelf. Two mechanics in the DoD’s own matrix SOP are worth knowing before you spend money. First, proficiency levels waterfall downward: a certification listed at Advanced also qualifies you at Intermediate and Basic for that work role. Second, the clock is short: foundational qualification must be fulfilled within 9 months of assignment, and residential qualification (your component’s own on-the-job requirements, on top of the foundational baseline) within 12 months. Components are also allowed to be more stringent than the matrix and demand a combination of education, training, and certification.

The matrix itself is refreshed quarterly, and the current published version is v2.1, effective September 19, 2025. One more structural fact explains the biggest surprise on this list: to appear in the matrix, a certification body must hold ANAB (ISO/IEC 17024) accreditation for the credential. AWS, Microsoft Azure, and Google Cloud certifications do not carry that accreditation, so none of them qualify, no matter how technically relevant they are to the work.

The standard this list uses

The matrix is sign-in gated, so this registry does not guess at its contents. A certification is flagged 8140 here only when the vendor itself publishes the approval: CompTIA names its eight, Cisco publishes a work-role table, ISC2 and ISACA issued announcements, GIAC and EC-Council maintain dedicated pages. If a certification is missing from the list below, either its vendor publishes no verifiable 8140 claim or it is not approved. OffSec’s OSCP is the instructive example: plenty of forum posts assert it qualifies, but no OffSec or DoD primary source confirms a matrix listing, so it is not on this list.

CompTIA: eight approved certifications

CompTIA states that eight of its certifications are approved under 8140, covering 31 work roles between them, and it is the only vendor with an approved option at almost every price point and career stage. CompTIA A+ costs $548 because it is two required exams at $274 each; CompTIA’s alignment materials map it to support-side roles including Technical Support Specialist, System Administrator, and Cyber Defense Infrastructure Support Specialist. CompTIA Network+ is $399 and maps to Network Operations Specialist, System Administrator, and Technical Support Specialist. CompTIA Security+ is $439 and maps to one of the widest work-role sets of any certification in the matrix, which is exactly why it was the default answer under 8570 and remains the default answer now. CompTIA Linux+ is $399 and maps to System Administrator. CompTIA Cloud+ is $399, the rare cloud certification that qualifies at all, though CompTIA publishes no per-role list for it.

Higher up the ladder, CompTIA CySA+ is $439 and maps to Cyber Defense Analyst, Cyber Defense Incident Responder, and Vulnerability Assessment Analyst, the defensive-operations core of the DCWF. CompTIA PenTest+ is $439 and maps to Vulnerability Assessment Analyst. CompTIA SecurityX (formerly CASP+) is $529 and its own certification page names Security Architect, Systems Requirements Planner, Security Control Assessor, and Research and Development Specialist. Note that all these prices reflect CompTIA’s May 2026 increase; older articles quoting $370 or $390 are out of date.

Cisco: two approved certifications

Cisco’s DoD 8140 page publishes an exact work-role table. Cisco CCNA, $300, is listed in the Cyberspace IT workforce element for the Technical Support Specialist work role. Cisco CyberOps Associate, also $300 and renamed CCNA Cybersecurity in early 2026 (the exam is still 200-201), sits in the Cybersecurity element covering defensive roles that trace back to the old CSSP analyst and incident-responder categories; Cisco does not publish the exact DCWF codes in a form we can verify, so check your posting’s work role against the matrix directly. Cisco also notes that CCNP Security and CyberOps Professional are in the approval pipeline but not yet approved, a useful reminder that “in process” and “approved” are different claims.

ISC2: three on this registry

ISC2 announced on November 12, 2024 that all nine of its certifications and their official training courses are approved under 8140, and says they qualify for 87 percent of the work roles in the DoD marketplace. Three of the nine live on this registry. ISC2 Certified in Cybersecurity at $199 is the cheapest qualifying certification on this entire page; note that ISC2’s free-exam program for it closed to new enrollment in May 2026, so $199 is the real number now. ISC2 CCSP is $599 and ISC2 CISSP is $749, both with 5-year experience requirements that make them mid-career credentials rather than entry tickets. Every ISC2 certification also carries a mandatory Annual Maintenance Fee ($50 per year holding only CC, $135 per year for CISSP or CCSP), a recurring cost the exam price hides; the renewal costs guide prices that out over nine years.

ISACA: two approved certifications

ISACA announced on May 21, 2024 that CISA and CISM are approved qualifications for the DoD cyber workforce under 8140.03. The announcement itself names no work roles and defers to the DoD marketplace for mappings; ISACA CISA is commonly mapped to Security Control Assessor and ISACA CISM to Information Systems Security Manager, so confirm your specific role against the matrix rather than the press release. Both exams cost $575 for ISACA members and $760 for nonmembers, and both require five years of documented experience to actually certify, so these are options for auditors and security managers moving into DoD work, not for first-cert candidates. If you are choosing between them, CISA vs CISM covers the split.

GIAC: one on this registry

GIAC’s DoD 8140 page lists its approved certifications by focus area, and GIAC GSEC appears under Cyber Defense. The exam alone is $999, and GIAC’s open page lists no per-certification DCWF roles (a form-gated guide advertises a work-role mapping), so verifying GSEC against your specific work role means checking the matrix itself. GSEC’s honest economics matter here: it competes directly with Security+ for the same general-security lane at more than twice the exam price, and the SANS course usually marketed alongside it costs several thousand dollars more. It earns its price in some hiring contexts, but as a pure 8140 checkbox it is the expensive route.

EC-Council: one on this registry

EC-Council’s certifications are approved across 31 DCWF job roles, per its August 2023 announcement, and EC-Council CEH is the one carried here. The cost is layered: the exam voucher is $950 through EC-Council’s own exam center or $1,199 through Pearson VUE, and self-study candidates pay a $100 non-refundable eligibility application on top. CEH survives on DoD-adjacent job requirements more than technical reputation, and if the posting names a vulnerability-assessment work role rather than CEH specifically, CEH vs PenTest+ shows how to qualify for hundreds of dollars less.

How to read a posting and verify your work role

Defense job language is currently a mix of two eras, and the contracting rules explain why: DFARS clause 252.239-7001, still in force and still written into contracts, requires contractor personnel to hold certifications per DoD 8570.01-M, the cancelled manual. So you will see postings demanding “IAT Level II” (8570 language) next to postings citing “DCWF 511 at Intermediate” (8140 language), sometimes from the same employer. Neither phrasing changes what to do.

First, get the work role. If the posting names a DCWF work role and code, you have it. If it only says “8140 compliant” or quotes IAT levels, ask the recruiter or contracting officer which DCWF work role and proficiency level the position is coded to; every covered position has this coding, and it is the single fact that determines which certifications qualify. Second, check the vendor’s own 8140 page for a certification-to-role mapping, which is exactly the evidence standard this page is built on. Third, confirm against the matrix itself: through a DoD login on cyber.mil if you or a colleague has one, or through the publicly released copy of qualification matrix v2.1 that the DoD cleared for open publication (linked in the sources below), which requires no sign-in. Remember the waterfall when you read it: a certification listed at a higher proficiency level than yours still qualifies you.

The cost-efficient paths

If you need any qualifying certification and the work role is flexible, the floor is ISC2 CC at $199, with the caveat that its $50-a-year maintenance fee makes it $649 over nine years. If you want one certification that covers the most work roles per dollar, that is Security+ at $439, the same verdict the DoD workforce reached at scale under 8570. If the billet is network-coded, CCNA at $300 is the cheapest role-matched option on this page, and if it is coded to a cyber-defense role, CyberOps Associate at $300 undercuts CySA+ by $139 for overlapping coverage.

The general rule: match the role first, then minimize cost, not the reverse. A $199 certification that qualifies for the wrong work role is $199 wasted, and two certifications a few hundred dollars apart at the register can be over a thousand dollars apart across nine years of renewal fees. The renewal costs guide covers that second number, and the find-your-cert tool has a dedicated DoD 8140 filter that applies both screens to this registry at once. One more screen applies if you are a veteran with a service-connected disability rating: VA’s Veteran Readiness and Employment program (VR&E, Chapter 31) can pay for certifications for eligible veterans, which is worth checking before you spend anything on this list.

The traps

Four failure modes account for most wasted money in this space. The first is the stale 8570 list: any table organized by IAT or IAM levels predates February 2023, and certifications have entered and left the qualification landscape since. The second is the unverifiable approval claim: training resellers routinely stamp “DoD 8140 approved” on courses and certifications with no vendor or DoD source behind it; if the certification vendor itself does not publish the approval, treat the claim as marketing. The third is the retiring certification: Microsoft’s AZ-500 retires on August 31, 2026, and it was never in the 8140 matrix to begin with, which makes it the perfect double trap for anyone told to “get an Azure security cert” for a DoD cloud role. The fourth is mistaking vendor approval for personal qualification: your certification must match your specific work role at the required proficiency level, your component can layer residential requirements on top, and you have 9 months from assignment to close the foundational gap. Verify the role before you schedule the exam, and this list gives you 17 ways to pass.

Salary figures are U.S. Bureau of Labor Statistics medians for the occupation shown, not a measured premium for holding this certification. No one publishes causal cert premiums; anyone quoting one is guessing.

General information, not career or financial advice

CertiGuard documents costs, exam mechanics, and public salary data. Whether a certification pays off for you depends on your market, employer, and experience. Treat this as a starting point, not a promise.

Official sources

Cite this page