Certification guide for cleared IA candidates
DoD 8140 and 8570 Certifications: The Ultimate Guide for Cleared Security Engineers
Most certification advice gives you a shopping list. Cleared candidates need a role map.
If you are trying to become an ISSO, ISSE, ISSM, security engineer, cyber compliance analyst, or RMF professional, the real question is simple: which certification helps you qualify for the role you actually want?
A certification can help clear a contract requirement, help a recruiter move your resume, and help a hiring manager trust your baseline knowledge. The wrong certification can also waste months and thousands of dollars.
DoD 8140 vs 8570: What Changed?
DoD 8570 was the old language most cleared candidates still recognize. It used broad categories like IAT, IAM, IASAE, and CSSP, and it was heavily certification-driven.
DoD 8140 is the current framework. DoDM 8140.03 was issued in February 2023 and incorporates and cancels DoD 8570.01 Manual. It created a cyberspace workforce qualification model built around DCWF work roles, proficiency levels, foundational qualifications, resident qualifications, and continuous professional development.
The practical difference is this: DoD 8570 worked like a certification checklist. DoD 8140 works more like a work role qualification model.
Why You Still See DoD 8570 in Contractor Job Posts
Cleared contractor job postings still use 8570 language because contracts, labor categories, and hiring habits do not update overnight. Acquisition.gov still lists DFARS 252.239-7001 with contractor training and certification language tied to DoD 8570.01 Manual. The DoD Cyber Exchange transition guidance also says contractors remain under DoD 8570 policy until DFARS authorizes DoD 8140 implementation for contractor personnel.
That means candidates should understand both systems. If a posting says DoD 8570 compliant, ask which category and level. If a posting says DoD 8140, ask which DCWF work role and proficiency level.
The Baseline Matrix Explained
The old baseline matrix centered on role type and level. Candidates in information assurance usually see three categories most often.
| Category | Practical meaning | Common role fit |
|---|---|---|
| IAT | Information Assurance Technical. The technical operator lane. | System administrator, network administrator, ISSO, security analyst, technical IA support. |
| IAM | Information Assurance Management. The program, oversight, risk, and leadership lane. | ISSM, senior ISSO, IA lead, cyber compliance manager, security program manager. |
| IASAE | Information Assurance System Architect and Engineer. The architecture and engineering lane. | ISSE, security architect, systems security engineer, cloud security engineer. |
IAT Levels I to III: The Technical Path
IAT is the technical path. It often fits staff with technical security responsibilities for information systems, including privileged access, system administration, network operations, cyber support, or hands-on IA duties.
- IAT Level I. Entry technical IA. Useful for junior system support, help desk with security duties, and early cleared IT roles. Do not stop here if you are aiming for serious ISSO, ISSE, or security engineering work.
- IAT Level II. The level many cleared IA candidates hear about first. Security+ is the common baseline move for many ISSO, system administrator, RMF support, and technical IA roles.
- IAT Level III. Advanced technical IA. CASP+ or SecurityX, CISSP, CISA, GCIH, GCED, and similar senior credentials may appear depending on the contract and accepted matrix.
IAM Levels I to III: The Management Path
IAM is the management path. It usually maps to roles responsible for security programs, policy, risk, compliance, oversight, and leadership.
- IAM Level I. Junior or limited-scope management. Security+ may help, but candidates moving toward ISSM work should start thinking about CGRC, CISM, or CISSP.
- IAM Level II. A common home for serious ISSM, senior ISSO, IA lead, RMF lead, and cyber compliance manager roles. CISSP, CISM, CGRC, CASP+ or SecurityX, and GSLC-style credentials may matter here.
- IAM Level III. Senior management and enterprise risk. Do not think only about the cert. You need leadership evidence, customer communication, audit readiness, and risk ownership.
IASAE Levels I to III: The Engineering Path
IASAE is the architecture and engineering path. This is the lane most closely tied to ISSE work and secure system design.
- IASAE Level I. Entry architecture and security engineering support. This lane is not just RMF paperwork; it is about building security requirements into systems.
- IASAE Level II. Stronger engineering responsibility. CISSP, CASP+ or SecurityX, CSSLP, cloud certs, and platform certs can matter depending on the system.
- IASAE Level III. Senior architecture and engineering. CISSP ISSEP, CISSP ISSAP, CCSP, and deep architecture evidence can support the story, but interviews will expose whether you can think architecturally.
CISSP vs CASP+ vs CISM
| Certification | Best signal | Best fit |
|---|---|---|
| CISSP | Broad senior security knowledge and market recognition. | Senior ISSO, ISSE, ISSM, security architect, IA lead, management growth. |
| CASP+ or SecurityX | Advanced technical practitioner credibility. | IAT Level III style roles, IASAE Level I or II style roles, senior technical IA roles. |
| CISM | Security management, governance, risk, and program leadership. | ISSM, security manager, cyber governance, IA program lead. |
CASP+ or SecurityX is not better than CISSP. CISSP is not automatically better than CASP+ or SecurityX. They solve different problems. If the contract names a certification, take that requirement seriously. If the contract allows several options, choose the one that matches the career lane you want.
Best Certifications for ISSO, ISSE, and ISSM Roles
- For ISSO roles. Start with baseline compliance and RMF credibility. Security+, CySA+, CGRC, CASP+ or SecurityX, and CISSP can all make sense depending on seniority.
- For ISSE roles. Focus on engineering and architecture credibility. CASP+ or SecurityX, CISSP, CISSP ISSEP, CSSLP, CCSP, cloud security certs, Linux certs, and GIAC certs may support the story.
- For ISSM roles. Focus on management, governance, and risk. CISSP, CISM, CGRC, GSLC, CASP+ or SecurityX, and CISSP ISSMP may matter depending on the program.
Open Roles by Certification Level
Use certifications to aim at roles, not just to decorate your resume. Here is the practical career mapping cleared candidates should consider.
| If you have | Look at roles like |
|---|---|
| Security+ | Junior ISSO, ISSO, cyber compliance analyst, system administrator with IA duties, RMF support analyst, security analyst. |
| CySA+ or CGRC | ISSO, RMF analyst, control evidence analyst, cyber compliance specialist, assessment support, security operations analyst. |
| CASP+ or SecurityX | Senior ISSO, ISSE, security engineer, IAT Level III style roles, IASAE Level I or II style roles, senior technical IA. |
| CISSP | Senior ISSO, ISSE, ISSM, security architect, cybersecurity manager, IAM Level II or III style roles, senior IA lead. |
| CISM | ISSM, security manager, cyber governance, risk manager, IA program lead. |
| ISSEP, ISSAP, CCSP, or CSSLP | Senior ISSE, security architect, cloud security architect, secure systems engineer, software security architect. |
The Advice Candidates Usually Need
- If you have no certifications, get Security+ first.
- If you want ISSO work, add RMF depth and consider CGRC.
- If you want ISSE work, build technical architecture depth and consider CASP+ or SecurityX, CISSP, or ISSEP depending on the role.
- If you want ISSM work, build leadership and risk experience, then look hard at CISSP, CISM, or CGRC.
- If you want to stay technical, do not chase only management certs.
- If you want to manage, do not hide behind technical certs.
- If the job posting names a cert, take it seriously.
- If the posting says DoD 8570 compliant, ask which category and level.
- If the posting says DoD 8140, ask which work role and proficiency level.
Related IA Career Guides and Roles
Review the role lane before paying for another exam. The right certification depends on whether you are trying to execute RMF, engineer secure architecture, or lead the IA program.
The Bottom Line
DoD 8140 replaced DoD 8570 for the current DoD cyber workforce qualification model, but cleared contractor job postings still use IAT, IAM, IASAE, and 8570 language because contracts and hiring habits do not change overnight.
Security+ is still the common baseline move. CASP+ or SecurityX is a strong advanced technical practitioner signal. CISSP is the broad senior security credential. CISM is strongest for management and governance. CGRC is useful for RMF and authorization work. The best certification is the one that matches the role, contract, labor category, and next step.
Sources
- DoDM 8140.03: Cyberspace Workforce Qualification and Management Program
- DoD Cyber Exchange: 8570 to 8140 Transition
- Acquisition.gov: DFARS 252.239-7001 Information Assurance Contractor Training and Certification
Frequently Asked Questions
Did DoD 8140 replace DoD 8570?
Yes. DoDM 8140.03 incorporates and cancels DoD 8570.01 Manual, but contractor job postings and contract language may still use 8570 terms such as IAT, IAM, and IASAE.
What is the difference between IAT, IAM, and IASAE?
IAT is the technical information assurance lane, IAM is the management and program lane, and IASAE is the architecture and engineering lane. Candidates should match certification choices to the role lane they are targeting.
What certification should an ISSO get first?
For many early ISSO candidates, Security+ is the practical first move because it is commonly recognized in baseline cleared IA requirements. Candidates moving deeper into RMF may also consider CGRC, CySA+, CASP+ or SecurityX, or CISSP depending on the role.
Do you need CISSP to become an ISSE?
Not always. Some ISSE roles require CISSP, some accept CASP+ or SecurityX, and some care more about architecture, engineering, cloud, software, Linux, or customer-specific experience. Senior ISSE candidates should still consider CISSP or CISSP ISSEP when it matches the target role.
Is CASP+ the same as SecurityX?
SecurityX is CompTIA's current name for the advanced security practitioner certification that many cleared job postings still call CASP+. Candidates should read the contract or job posting language carefully because market terminology can lag behind vendor naming.
What should I ask when a job posting says DoD 8570 compliant?
Ask which category and level the role requires, such as IAT Level II, IAT Level III, IAM Level II, or IASAE Level II. If the posting says DoD 8140, ask which DCWF work role and proficiency level applies.