
Why I Let My Security+ Expire — And What Renewing It Taught Me

Travis D. Butera  ·  ISSM, U.S. Navy Senior Chief

My CompTIA Security+ CE expired in September 2018. Every recruiter who reviews my resume notices it. It is listed under certifications with the note “expired Sep 2018; renewal priority #1” — which is honest, but which also raises an obvious question: why did an active Information System Security Manager (ISSM) let his foundational DoD 8570/8140 certification lapse for seven years?

The answer is not flattering. And I think it is worth writing down, because the same failure pattern I let happen to my own certification is the same one I identify and correct in every command I assess.

How It Happened

In 2018, I was a few months into a new assignment on USS Annapolis. The ship was going through a homeport change — Groton to San Diego, then San Diego to Pearl Harbor. The Systems Administrator workload was significant. I had a renewal window, I knew about it, I meant to schedule the exam, and then one operational priority after another pushed it back until the window closed.

That is it. No dramatic reason. I let a deadline slide because the operational work was always more urgent.

What happened next is the part that matters: nothing. My command did not flag it immediately. My annual review did not center on it. The DoD 8570/8140 workforce compliance tracking at my level was managed by the command I was assigned to, and the transition period created enough administrative confusion that the gap was not caught until I caught it myself months later — by which point the practical cost of renewal had already escalated.

This is the exact failure mode I identify in every workforce compliance audit I run. The tracking exists. The deadline was known. The responsible party had every intention of complying. Operational tempo provided a steady supply of reasons to defer. Nobody caught it until it was a problem.

Why I Did Not Just Renew It Then

Once the certification expired, I had a choice: re-test immediately at the standard rate, or submit for continuing education credits through the existing eMASS and workforce tracking systems to demonstrate equivalent knowledge.

The honest answer is that I deprioritized it. I was holding an ISSM billet without the certification because my command needed me in that role and granted a temporary authorization pending renewal. That authorization kept getting extended. The operational need was real, the renewal kept sliding, and I fell into the same trap I identify in every shop that has a Plan of Action and Milestones (POA&M) entry with a scheduled completion date that has passed two quarters in a row.

I was the engineer with the unsatisfactory security finding who had been marking it “in progress” for longer than I should have.

Coming Back to It

In 2025, I enrolled in the Purdue Global B.S. Information Technology program. Finishing that degree — Summa Cum Laude, December 2025 — gave me a structured academic environment for the first time in years, and reactivated learning habits that operational assignments had pushed to the background.

Starting Security+ renewal alongside the degree made sense. The academic framework and the certification framework reinforce each other — the theoretical models in the courseware matched the operational experience I already had, and studying for the exam has been faster and more coherent than I expected.

What surprised me was how much I did not know I knew, and how much had changed.

What Eight Years in the Field Taught Me That the Exam Does Not Cover

The Security+ examination measures whether you can apply frameworks correctly on paper. It does not measure whether you can get a command to care about them. It does not measure how to brief a Commanding Officer on risk acceptance when his operational timeline conflicts with your remediation schedule. It does not measure how to write a POA&M entry that an Authorizing Official will actually act on rather than defer.

Eight years of holding ISSM billets taught me all of that. The examination is the floor. Operational experience is everything above it.

What the Exam Covers That I Had Drifted From

The Security+ examination covers a broader attack surface than my daily operational focus. Submarine network environments are classified, air-gapped, highly controlled, and relatively stable compared to enterprise environments. The threats I assess daily are insider risk, configuration drift, and maintenance of accreditation — not external phishing, cloud misconfigurations, or zero-day exploitation chains.

Studying for the renewal reminded me that the commercial cybersecurity landscape had continued evolving while I was focused on a specific operational domain. That recalibration is valuable precisely because I am preparing for a transition to civilian employment — where the threat models, compliance frameworks, and tool ecosystems will be different from what I have managed for the past decade.

The certification is not the point. The discipline of returning to foundational material after years of specialization — and honestly assessing where you have drifted — is the point.

What This Actually Means for Hiring Managers

If you are reading this because you reviewed my resume and wondered about the expired certification: I understand the concern. DoD 8570/8140 compliance is a hard requirement for many ISSM billets, and a gap in the ISSM’s own certification record is a reasonable thing to question.

What I can tell you is this: the lapse was a failure of personal discipline, not a failure of technical knowledge. I have held ISSM billets continuously since 2012. I have executed full RMF/ATO lifecycles across seven operational submarines. I have led commands to the highest cyber inspection scores in Fleet Cyber Command history. The certification expired. The competency did not.

And I am correcting the lapse before transition, not after — because the discipline of finishing what I started matters more than it would if I were renewing under pressure from an employer.

Target completion: Q4 2026. I will update this page when it is done.

Travis D. Butera
U.S. Navy Senior Chief & ISSM with 18+ years executing DoD cybersecurity, RMF/ATO lifecycles, and enterprise IT programs across seven operational submarines. NEC 741A (ISSM), NEC 742A (NSVT). Active TS/SCI. Available October 2027.

travis@buteranet.com  ·  buteranet.com