As an extension of Appendix 3 to the DoD 8570.01-Manual, the following certifications have been approved as IA baseline certifications for the IA Workforce. Personnel performing IA functions must obtain one of the certifications required for their position category or specialty and level. Refer to Appendix 3 of 8570.01-M for further implementation guidance.

Approved Baseline Certifications

IAT Level I2
IAT Level II2
IAT Level III
A+ CE
CCNA-Security
CND
Network+ CE
SSCP
CCNA-Security
CySA+ **
GICSP
GSEC
Security+ CE
CND
SSCP
CASP+ CE
CCNP Security
CISA
CISSP (or Associate)
GCED
GCIH
CCSP
IAM Level I
IAM Level II
IAM Level III
CAP
CND
Cloud+
GSLC
Security+ CE
HCISPP
CAP
CASP+ CE
CISM
CISSP (or Associate)
GSLC
CCISO
HCISPP
CISM
CISSP (or Associate)
GSLC
CCISO
IASAE I
IASAE II
IASAE III
CASP+ CE
CISSP (or Associate)
CSSLP
CASP+ CE
CISSP (or Associate)
CSSLP
CISSP-ISSAP
CISSP-ISSEP
CCSP
CSSP Analyst1, 2
CSSP Infrastructure Support1
CSSP Incident Responder1, 2
CEH
CFR
CCNA Cyber Ops
CCNA-Security
CySA+ **
GCIA
GCIH
GICSP
Cloud+
SCYBER
PenTest+
CEH
CySA+ **
GICSP
SSCP
CHFI
CFR
Cloud+
CND
CEH
CFR
CCNA Cyber Ops
CCNA-Security
CHFI
CySA+ **
GCFA
GCIH
SCYBER
PenTest+
CSSP Auditor1
CSSP Manager1
CEH
CySA+ **
CISA
GSNA
CFR
PenTest
CISM
CISSP-ISSMP
CCISO

The above table provides a list of DoD approved IA baseline certifications aligned to each category and level of the IA Workforce. Personnel performing IA functions must obtain one of the certifications required for their position, category/specialty and level to fulfill the IA baseline certification requirement. Most IA levels within a category or specialty have more than one approved certification and a certification may apply to more than one level.

An individual needs to obtain only one of the “approved certifications”; for his or her IA category or specialty and level to meet the minimum requirement. For example, an individual in an IAT Level II position could obtain any one of the four certifications listed in the IAT Level II cell.

Higher level IAT and IAM certifications satisfy lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell. For example:

  • The A+ or Network+ certification qualify only for Technical Level I and cannot be used for Technical Level II positions.
  • The System Security Certified Practitioner (SSCP) certification qualifies for both Technical Level I and Technical Level II. If the individual holding this certification moved from an IAT Level I to an IAT Level II position, he or she would not have to take a new certification.

Higher level CCSP and IASAE certifications do not satisfy lower level requirements

1. This category is equivalent to the CND-SP CATEGORY cited in the DoD 8570.01-M. The name was changed from CND-SP to CSSP to reflect current terminology in the DoD Instruction 8530.01 “Cybersecurity Activities Support to DoD Information Network Operations.

2. CCNA-Security was retired by Cisco, modified, and rebranded as simply β€œCCNA.” If you possessed the CCNA-Security and were in a position that required that certification when it was retired, you may be eligible for a waiver to cite the rebranded CCNA as a qualifying baseline certification. See the DoD CIO CCNA Security Waiver on the DoD Cyber Workforce Documents website for additional information.

The table below lists the Certification Providers associated with each approved certification.

IA Workforce Certification Providers

Certification ProviderCertification Name
CertNexus *CyberSec First Responder (CFR)
Cisco *Cisco Certified Network Associate-Security (CCNA-Security)​
Cisco *Cisco Certified Network Professional-Security (CCNP-Security)​
Cisco *Cybersecurity Specialty Certification (SCYBER)​
Computing Technology Industry Association (CompTIA) *A+ Continuing Education (CE)
CompTIA *Cloud Plus (Cloud+)
CompTIA *Security+ Continuing Education (CE)
CompTIA *CompTIA Advanced Security Practitioner (CASP) Continuing Education (CE)
CompTIA *Network+ Continuing Education (CE)
CompTIA *Cybersecurity Analyst (CySA+ **)​
CompTIA * PenTest+
EC-Council *Certified Ethical Hacker (CEH)
EC-Council *Certified Chief Information Security Officer (CCISO)
EC-Council *Computer Hacking Forensics Investigator (CHFI)
EC-Council *Certified Network Defender (CND)
International Information Systems Security Certifications Consortium (ISC)2 *Certified Information Systems Security Professional (CISSP) (or Associate - this means the individual has qualified for the certification except for the number of years experience)
(ISC)2 *Certified Secure Software Lifecycle Professional (CSSLP)​
(ISC)2 *Certification Authorization Professional (CAP)
(ISC)2 *Information Systems Security Architecture Professional (ISSAP)
(ISC)2 *Information Systems Security Engineering Professional (ISSEP)
(ISC)2 *Information Systems Security Management Professional (ISSMP)
(ISC)2 *System Security Certified Practitioner (SSCP)
(ISC)2 *Certified Cloud Security Professional (CCSP)
(ISC)2 *Health Care Information Security and Privacy Practitioner (HCISPP)
Information Systems Audit and Control Association (ISACA) *Certified Information Security Manager (CISM)
ISACA *Certified Information Systems Auditor (CISA)
Global Information Assurance Certification (GIAC) *GIAC Certified Intrusion Analyst (GCIA)
GIAC *GIAC Certified Enterprise Defender (GCED)
GIAC *GIAC Certified Forensic Analyst (GCFA)
GIAC *GIAC Certified Incident Handler (GCIH)
GIAC *GIAC Global Industrial Cyber Security Professional (GICSP)​
GIAC *GIAC Security Essentials Certification (GSEC)
GIAC *GIAC Security Leadership Certificate (GSLC)
GIAC *GIAC Systems and Network Auditor (GSNA)
Logical Operations, Inc. *CyberSec First Responder (CFR)​

The GIAC GSE and GISF were removed from the approved list on 25 January 2013. Individuals holding one of these certifications to qualify for their current IA position will remain qualified. However, a different certification may be required once the GIAC GSE or GISF expires or if the individual changes positions requiring a different certification.

* This organization is the sole propriety owner of the memberships, site licenses, preassessments, test vouchers, and all other materials related to this certification and their association.

** CySA+ is a CompTIA certification formerly listed as CSA+. The exam and the official name of the certification remain the same, only the acronym has changed.

Steps to Obtain a DoD 8570 Baseline Certification

STEP 1. CONTACT your Information Assurance Manager and follow your Component’s procedures to IDENTIFY your position, level and certification requirements within the IA Workforce. (If you do not know who your IA Manager is contact your Component’s OPR POC directly.)

Reference chapters 3, 4, 5, 10 and 11 in the Manual for detailed position descriptions
Reference “How to identify IAM/IAT workforce” FAQs posted under “Policies and References”

All IA Workforce personnel must obtain one of the certifications required for their position category or specialty and level.

For a list of DoD approved certification providers, click here.

STEP 2. OBTAIN training for the IA baseline certification you wish to take. (Note: you must follow established procedures at your organization to request and/or obtain training, but at a minimum your IA Manager must approve any training or certification you wish to take).

The OSD IA WIP program does not endorse specific training vendors, only IA baseline certification vendors. Training towards the 8570 IA baseline certifications can be obtained from any vendor. Individuals or Components who are interested in receiving training for any approved IA baseline certification are encouraged (but not limited) to work through the approved IA baseline certification vendors to identify appropriate training vendors. Additionally, training for many of the IA baseline certifications is available for free via the Virtual Training Environment (VTE)

STEP 3. REQUEST a certification exam voucher from your IAM.

STEP 4. NOTIFY your IA Manager once you have completed all your training and received your certification. In some cases individual Components have other requirements or databases for recording and managing the certifications of its IA personnel.