For decision-makers · Government & defense workforce officer

Staff your workforce against the baseline — with the source it came from

You credential a public-sector or defense workforce against mandates you do not get to interpret loosely. What you need is not a vendor’s catalog — it is which certifications map to which baseline work roles, where that mapping is published, and the discipline to confirm it at the source before it reaches a billet. That is this page, with per-seat costs from official vendor pages and the funding channels your contracting office already uses. We sell no training and take no referral placement.

The mandate

A staffing map, not a compliance verdict

Every figure below traces to a vendor’s official page, cited and dated on the linked certification pages, and every baseline mapping points back to the public qualification tables it came from. What this page will never do is tell you a certification “satisfies” a requirement — that determination belongs to the current DoD Cyber Exchange tables and your contracting officer, not to us. We give you the cited candidacy and the honest sequencing; the compliance judgment stays where the authority sits.

Compliance centerpiece

DoD 8140/8570: where these credentials appear in public baseline tables

For a workforce officer, certification selection is not preference — it is a qualification matrix tied to each person’s assigned work role. The signals below are repeated from each certification’s own page, where they trace to public baseline tables. Read them as candidacy against a published table, not as clearance: the same credential can satisfy one work role and fall short for another, and only the authoritative source settles which.

CompTIA Cloud+

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAT Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

CompTIA Security+

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAT Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAM Level I. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

CompTIA CySA+

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAT Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 CSSP Analyst. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 CSSP Incident Responder. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

CompTIA PenTest+

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAT Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 CSSP Analyst. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 CSSP Incident Responder. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

CISSP - Certified Information Systems Security Professional

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAT Level III. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAM Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAM Level III. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IASAE Level I. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

CISM - Certified Information Security Manager

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAM Level II. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Candidate DoD 8570/8140 baseline mapping: DoD 8140 IAM Level III. Confirm this mapping at the official DoD Cyber Exchange before using it for compliance planning.

Confirm every mapping against the official DoD Cyber Exchange qualification tables before you staff against it. The tables are revised, work-role requirements differ, and your contracting officer’s interpretation of the contract governs what actually satisfies a billet — this is planning context, never a compliance guarantee.

Workforce seat · Foundational IT & entry cyber

The entry tier your qualification pipeline starts from

Before anyone maps to a cyber work role, the foundational tier establishes the general IT and security literacy the qualification framework assumes. These are the credentials new civilian, military, and contractor personnel commonly acquire first — open to candidates with no prior certification and inexpensive to fund at scale.

CompTIA A+ exam $548 · 3-yr renewal $75 · Difficulty 30/100 (Foundational)

The vendor-neutral IT-support baseline — hardware, operating systems, and troubleshooting breadth for entry technicians.

CC - Certified in Cybersecurity exam $199 · 3-yr renewal $150 · Difficulty 25/100 (Foundational)

An at-cost security-foundations credential for personnel moving toward a cyber work role but not yet certified.

Workforce seat · Network & infrastructure

The infrastructure seats that keep the environment accredited

Network and infrastructure personnel carry their own qualification expectations, and the ladder here moves from vendor-neutral fundamentals to the platform your enclave actually runs. Sequence the vendor-specific rung to the equipment in your environment rather than certifying broadly across platforms you do not operate.

CompTIA Network+ exam $399 · 3-yr renewal $150 · Difficulty 35/100 (Moderate)

Vendor-neutral networking fundamentals — the common entry rung for infrastructure personnel.

Cisco Certified Network Associate exam $300 · Difficulty 50/100 (Moderate)

The associate standard where your network runs on Cisco. Most infrastructure seats stop here productively.

CompTIA Cloud+ exam $399 · 3-yr renewal $150 · Difficulty 60/100 (Hard)

Vendor-neutral cloud infrastructure for hybrid enclaves moving workloads off premises.

Workforce seat · Cyber defense analyst

The defensive-operations tier the baselines lean on most

This is the seat where the qualification tables and your staffing plan overlap the most, because defensive analysis is the work most cyber contracts require. The baseline credential anchors the tier; the advancement rung adds the detection-and-response depth a working defensive analyst needs.

CompTIA Security+ exam $439 · 3-yr renewal $150 · Difficulty 45/100 (Moderate)

The defensible defensive baseline, and the credential public qualification tables most frequently anchor to.

CompTIA CySA+ exam $439 · 3-yr renewal $150 · Difficulty 75/100 (Hard)

The working-analyst advancement rung: continuous monitoring, detection, and incident response.

Workforce seat · Security operations & testing

The offensive-and-assessment seats, staffed deliberately

Penetration testing and vulnerability assessment are specialized work roles with their own qualification expectations — smaller in headcount but distinct in the baselines. Fund this rung for the assessment seats your contract actually scopes, not as a general upskilling reward.

CompTIA PenTest+ exam $439 · 3-yr renewal $150 · Difficulty 65/100 (Hard)

A vendor-neutral penetration-testing and vulnerability-assessment credential for the offensive-security seats your scope defines.

Workforce seat · Security management & architecture

The leadership tier — and the experience gate you cannot staff around

Management and architecture work roles sit at the top of the qualification framework, and their flagship credentials are experience-gated by the certifying body. That gate is not a formality you can waive with training budget — it governs who is even eligible. Plan this tier for the seats already carrying the required years, and build the pipeline below it for everyone else.

CISSP - Certified Information Systems Security Professional exam $749 · 3-yr renewal $405 · Difficulty 80/100 (Expert)

The management-and-architecture flagship the senior baselines reference — experience-gated, which governs eligibility before any exam.

The vendor’s gate, not ours: full certification requires 5 years of relevant paid experience — a hard eligibility condition training budget cannot waive. Staff this rung only against seats that already meet it.

CISM - Certified Information Security Manager exam $575 · 3-yr renewal $45 · Difficulty 80/100 (Expert)

The information-security-management flagship for governance-heavy seats; likewise experience-gated by the vendor.

The vendor’s gate, not ours: full certification requires 5 years of relevant paid experience — a hard eligibility condition training budget cannot waive. Staff this rung only against seats that already meet it.

Per-seat budgeting

Budget the renewal, not just the exam

The exam fee acquires a credential; the renewal and continuing-education cycle keeps a workforce continuously qualified, which is the figure that recurs against your appropriation year over year. Each certification above lists its cited three-year renewal cost where the vendor publishes one — multiply by the billets you staff, not by headcount you might. Where a figure reads “pending,” the vendor page did not state it and we do not estimate; the linked cost pages carry the full breakdown, sources, and dates. Every number is the vendor’s published list price — planning context, not a promise of your GSA-schedule or volume pricing.

Funding levers

The public-funding channels your contracting office already runs

Two levers cover most public-sector certification programs. The GSA Multiple Award Schedule: training and exam vouchers can often be procured through pre-competed schedule vehicles, which keeps purchasing inside an approved, auditable channel your contracting office already uses. WIOA employer partnerships and state ETPL programs: workforce boards subsidize training for eligible personnel, and many certifications sit on state Eligible Training Provider Lists. Which channel fits a cohort depends on appropriation type, contract terms, and eligibility rules — this is planning context, not procurement or legal advice; your contracting and grants officers confirm what each source permits.

Choosing training

Official-first, and neutral on providers

Every certification above has a free-study page collecting the vendor’s own objectives and no-cost materials — the zero-dollar baseline any procured training should have to beat. Where a cohort needs structured, proctored, or lab-based instruction, route it through your approved acquisition channel rather than a single preferred vendor. One durable screen: certifying bodies do not publish pass rates or post-certification salaries, so any provider quoting either is quoting a number with no source — a useful disqualifier during evaluation.

Common questions

Workforce compliance and funding, answered honestly

What are the DoD 8140 approved certifications for our workforce?
There is no single approved list that fits every seat — approval is per assigned work role in your organization’s 8140 implementation, not a blanket catalog. Where a certification appears in the public baseline tables, the certification pages here say so with the source. Treat every mapping as planning context and confirm current status against the official DoD Cyber Exchange qualification tables before you staff against it: the tables are revised, work-role requirements differ, and your contracting officer’s interpretation governs what satisfies a given billet.
Is DoD 8570 still in effect, or has 8140 replaced it for workforce training?
8140 is the successor framework to the older 8570.01-M baseline model, but the transition is not uniform across every contract and command. Many active contracts and position descriptions still reference 8570 baseline tables during the migration, so the practical answer for a workforce officer is to confirm which framework and which baseline table your specific contract cites, rather than assuming one has fully retired the other. The certification mappings here note the baseline candidacy where public tables show it; the authoritative status always lives at the DoD Cyber Exchange.
How do we fund workforce certification training with public dollars?
Two channels cover most public-sector programs. Training and exam vouchers can often be procured through the GSA Multiple Award Schedule, which routes purchasing through pre-negotiated, competed vehicles your contracting office already uses. Separately, WIOA employer partnerships and state Eligible Training Provider List programs can subsidize training for eligible personnel. Which channel fits a given cohort depends on appropriation type, contract terms, and eligibility rules — this is planning context, not procurement or legal advice; your contracting and grants officers confirm what each funding source permits.
Can these certifications count for college credit or apprenticeship hours?
Sometimes. Several certifications carry American Council on Education credit recommendations, and where that evaluation exists it is cited on the certification page rather than asserted here. Registered apprenticeship programs can also credit related instruction toward structured cyber and IT pipelines. Both are worth confirming at the source — the ACE evaluation and your apprenticeship sponsor’s standards — because credit recommendations change and the receiving institution or program makes the final determination.
Does holding an approved certification satisfy our contract’s compliance requirement?
A certification is one input to compliance, not a guarantee of it. Meeting a baseline requirement typically also depends on the assigned work role, continuing-education status, background and eligibility conditions, and the specific language of your contract. The honest posture for a workforce officer is that the credential demonstrates candidacy against a published table, while your contracting officer’s interpretation of the contract governs whether a billet is actually satisfied. Confirm the current requirement at the DoD Cyber Exchange before treating any certification as sufficient on its own.

Need this baseline data inside your own workforce systems?

The dataset behind this page — cited certification costs, renewal economics, difficulty profiles, baseline candidacy signals, and role mappings across hundreds of credentials — is maintained continuously and licensed as planning-grade data into workforce-planning, HR, and training-management systems. How we make money is public, and licensing is the entire model: we are paid by the organizations that use the data, never by training vendors placing products.