A major milestone for ISACA and our global community
ISACA now serves as the credentialing authority responsible for training and certifying assessors and instructors under the Cybersecurity Maturity Model Certification (CMMC) Program of the US Department of War (DoW). As the CMMC Assessor & Instructor Certification Organization (CAICO), we now:
- Oversee authorized CMMC training that delivers consistent, high-quality insights and instruction.
- Facilitate examinations that measure capability with fairness and reliability.
- Administer CMMC certifications based on a proven infrastructure, deep experience, and trusted support.
ISACA: A trusted partner for the DoW’s CMMC Program
As one of the most trusted certification providers in the world, ISACA is uniquely qualified to manage the creation of a cybersecurity workforce under one of the most comprehensive cybersecurity frameworks that was created and adopted by the US DoW.
Having established credentialing programs and processes, cybersecurity and maturity expertise, and strong customer experience, ISACA is well positioned to support the DoW and the Defense Industrial Base (DIB), and help individuals get certified in a more holistic, effective and efficient manner.
The CMMC is the largest cybersecurity certification program in the world
An assessment framework and assessor certification program, the CMMC is designed to increase trust in how compliance is measured against standards published by the National Institute of Standards and Technology (NIST). ISACA is now authorized as the new CAICO by The Cyber AB, the official CMMC accreditation body.
The purpose of the CMMC is to verify that the information systems used by DoW contractors to process, transmit or store sensitive data are compliant with the mandatory information security requirements.
The goal is to ensure appropriate protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) handled by defense partners or vendors. Any organization that does business with the DoW must hold a CMMC certification level appropriate to the sensitivity of the information it manages.
Strengthening trust in technology and advancing careers for our members and all cybersecurity professionals
Working to champion the cybersecurity and digital trust workforce and empower our members, ISACA is proud to offer new career paths in the cybersecurity space. Through enhancing the skills behind every certification to meet the highest standards of excellence, ISACA upholds the integrity of training, examination, and certification that professionals rely on to build lasting, credible careers. These CMMC credentials carry weight, open new opportunities, and support continuous growth in an industry that demands resilience, rigor and trust.
CMMC Certified Professional (CCP)
The CCP credential is the foundational certification in the Cybersecurity Maturity Model Certification (CMMC) ecosystem, for professionals and consultants looking to become part of the CMMC ecosystem. A CCP is responsible for the assessment, examination, verification and review of an organization for compliance to a respective level of CMMC standards. CCPs holding a favorable Tier 3 determination can verify Level 1 practices and participate on a CMMC Level 2 Assessment.
CMMC Certified Assessor (CCA)
The CCA credential is the next-level certification, enabling certified professionals to function as assessors under the CMMC model. A CCA can conduct Level 2 CMMC Assessments for defense contractors, serve as part of a Certified Third-Party Assessment Organization (C3PAO) team, and make final determinations on compliance. The C3PAOs employ CCAs who are responsible for conducting the assessments for the Organizations Seeking Certification (OSC).
Lead CMMC Certified Assessor (LCCA)
The LCCA is the senior assessor responsible for planning, directing, and overseeing a full CMMC assessment for an organization. They guide the assessment team, ensure each requirement is evaluated correctly, and make the final determination on whether controls are met. As the highest credential in the pathway, the LCCA holds final determination authority and is highly sought across the DIB.
CMMC Certified Instructor (CCI) — Coming Soon
The CCI designation authorizes qualified professionals to deliver official training for the CMMC program. CCIs teach courses that prepare candidates to meet the DoW cybersecurity standards and take the CCP and CCA exams. They combine knowledge of CMMC requirements and assessment methodology with proven teaching experience, and they play a critical role in maintaining the reliability and integrity of the CMMC training.
Building readiness and consistency across the defense cybersecurity community
ISACA supports everyone working to strengthen cybersecurity across the defense industrial base. We collaborate with training providers, assessment organizations, and employers to align around consistent standards, clear expectations, and reliable processes. Together we maintain quality in training and accreditation, and build a workforce ready to meet the Department of War’s cybersecurity requirements.
Frequently Asked Questions
What is ISACA’s new role in the CMMC ecosystem?
ISACA has been authorized as the CMMC Assessor & Instructor Certification Organization (CAICO) and is now managing the training, examination and professional certification for individuals within the Cybersecurity Maturity Model Certification (CMMC) ecosystem. The credentials ISACA will administer for the US Department of War (DoW) CMMC program are the CMMC Certified Assessor (CCA), Lead CMMC Certified Assessor (LCCA), CMMC Certified Professional (CCP) and CMMC Certified Instructor (CCI).
What is the CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program intended to increase trust in measures of compliance with a variety of standards published by the National Institute of Standards and Technology (NIST). The purpose of the CMMC is to verify that the information systems used by DoD contractors to process, transmit or store sensitive data are compliant with the mandatory information security requirements. The Cyber AB is the accreditation body of the CMMC Program.
The goal is to ensure appropriate protection of Controlled Unclassified Information (CUI) and federal contract information that is stored and processed by a partner or vendor. Any organization that wants to do business with the DoW must meet the required CMMC level, which verifies that its cybersecurity practices adequately protect federal information. The CMMC framework defines three levels of increasing security requirements:
- CMMC Level 1 (Foundational) — Focuses on basic safeguarding of Federal Contract Information (FCI) through essential cybersecurity hygiene practices. Organizations must demonstrate they can protect routine government data in day-to-day operations.
- CMMC Level 2 (Advanced) — Requires implementation of the full NIST SP 800-171 controls to protect Controlled Unclassified Information (CUI). This level ensures organizations have mature, reliable security practices appropriate for handling sensitive government information.
- CMMC Level 3 (Expert) — Centers on advanced, proactive cybersecurity focused on defending CUI against sophisticated adversaries. This level requires robust capabilities aligned with NIST SP 800-172 to counter advanced persistent threats (APTs).
Formal implementation of the CMMC began 10 November 2025, with requirements increasing for each of the following three years to full implementation by November 2028. The program impacts more than 200,000 organizations.
Why did ISACA become the CAICO?
CMMC will soon be the largest cybersecurity certification program in the world. It requires high levels of reliability, trust, consistency, rigor and customer support, as well as high levels of expertise in the cybersecurity maturity space. ISACA has a global footprint, unmatched certification infrastructure, strong customer experience and support capability around the world, and rigorous and globally respected certifications in audit and cybersecurity. It also has deep maturity expertise through CMMI. The CMMC program directly reflects our cybersecurity and assurance roots and capitalizes on ISACA’s global leadership in cybersecurity maturity, training, credentialing, assessment and certification to assist the DoW in meeting the challenge of protecting its sensitive information.
Who authorized ISACA to be the new CAICO?
ISACA was authorized by Cyber AB, which remains the accreditation body of the CMMC program, authorizing organizations that operate in the CMMC ecosystem.
What is the CMMC Certified Professional (CCP) credential, and who should pursue it?
The CCP is a foundational certification within the CMMC ecosystem and is designed for professionals who want to:
- Support organizations with pre-assessments or work on an assessment with a CCA/C3PAO
- Join CMMC assessment teams under a CMMC Certified Assessor (CCA)
- Eventually become a CCA themselves
A CCP is responsible for helping organizations prepare for CMMC certification and participating as a team member on formal assessments. They help with gap analysis, evidence collection, validation, and audit preparation. The CMMC core content covers CMMC governance and model structure, risk-based cybersecurity practices, and compliance with NIST, ISO and other frameworks. CCPs utilize compliance checklists prescribed by the CMMC standard to control scope and ensure fairness in applied criteria. CCPs may work for a CMMC Third-Party Assessor Organization (C3PAO).
CCPs holding a favorable Tier 3 determination can participate on a CMMC Level 2 Assessment, only to verify Level 1 practices. CCPs cannot make final determinations on a CMMC assessment. Those final determinations are made by a CCA or a Lead CCA.
A CCP is eligible to become a CMMC Certified Assessor (CCA), participates in assessments up to CMMC Level 2, and holds a valuable credential reflecting the training to understand the CMMC requirements for a Defense supplier.
What is the CMMC Certified Assessor (CCA) credential, and who should pursue it?
The CCA is a mid-to-advanced level certification within the CMMC framework. It qualifies professionals to:
- Conduct Level 2 CMMC assessments for defense contractors
- Serve as part of a Certified Third-Party Assessment Organization (C3PAO) team
- Make final determinations on compliance, unlike CCPs who can only verify Level 1 practices
Upon passing the CCP examination, an individual can begin the CCA process. The candidate will need to take training with an Approved Training Provider (ATP) and pass the CCA exam. Once a candidate becomes a certified CCA, that individual is qualified to work on CMMC Level 2 assessments as part of a Certified Third-Party Assessment Organization (C3PAO) assessment team. The C3PAOs employ Assessors who are responsible for conducting the assessments for the Organizations Seeking Certification (OSC).
CCAs may choose to pursue a Lead CCA designation as a next step.
What is the Tier 3 Determination from the DoW?
CMMC certifications will require that an individual have a Tier 3 determination from the Department of War to complete the certification requirements. Tier 3 requires a background investigation and makes the individual eligible for a secret clearance.
Are there any prerequisites for earning these certifications?
Yes. There are only education and experience requirements needed to satisfy the baseline certification requirement for CCP eligibility. For CCA eligibility, candidates must fulfill a baseline certification requirement under DoD 8140.03's Work Role 612 (Security Control Assessor) at the Intermediate or Advanced proficiency levels. ISACA’s CISA and CISM are two certifications that candidates can choose from among the prerequisites. Additional CCA requirements are CCP certification, experience, training, exam and security clearance. Additional credentials are also relevant for this requirement; view full list.
Are the credentials intended for those who work in US organizations only?
No, any organization in any country that is eligible and wants to do business with the US Department of War must be CMMC-compliant based on the staging and rules set by the Federal Acquisition Regulations.
Are there benefits to those NOT subject to CMMC in obtaining these certifications?
Yes, these certifications are a great complement to other industry credentials and can greatly increase a cybersecurity professional’s or team’s technical depth, even if the organization is not aligned to the defense industrial base.
Who is overseeing these certifications at ISACA?
Todd Gagnon, a career Naval officer who has been at the forefront of the US cyber apparatus, will be leading this program for ISACA. Todd has also worked closely with industry supporting the defense industrial base, so he has had substantial experience in both industry and government.
I am a current CCP, CCA or LCCA. What, if anything, is changing for the renewal process?
There are no changes for anyone renewing before 31 March 2026. ISACA will communicate any changes well in advance for those renewing 1 April or later.
What is CCI?
Available in early 2026, the CMMC Certified Instructor (CCI) credential signifies that someone has the proven level of knowledge, experience and training rigor to properly train on the CMMC ecosystem.
What is the intersection between the CMMI and CMMC communities?
CMMC is a federal cybersecurity compliance standard with specific controls. CMMI is a maturity and capability framework that helps organizations improve governance, repeatability and sustainability.
Within that scope, the two communities are complementary, and each framework provides unique value to organizations that adopt it.
How does this news benefit the CMMI community?
CMMC is a government-mandated program impacting tens of thousands of suppliers who must demonstrate cybersecurity maturity—many of whom need help institutionalizing processes, closing capability gaps and preparing for assessments.
CMMI targets broader business improvement with a focus on software development and services.
- For enterprises already using CMMI, it provides a natural maturity-based pathway toward CMMC readiness using concepts and practices they already understand.
- For enterprises planning to use or already using CMMC, CMMI can extend their capability into more domains on top of the cybersecurity domain covered by CMMC.
Overall, this news expands the CMMI community’s role in a high-visibility, mission-critical cybersecurity domain.
Are there any opportunities for ISACA ATOs to train on these credentials?
We expect there to be significant opportunity for you in the coming months, and we will be in touch as soon as we have more information for you.
What changes can existing trainers or publishers for this certification program expect?
Thank you for your work on this important program! An ISACA representative will be in touch with you within 30 days. Additionally, you can reach that team at atp@isaca.org. There are no changes to communicate at this time.
Join us in shaping the future of cybersecurity credentialing
As we build the next era of cybersecurity credentialing, the current process stays in place. For now, all questions and certification requests should be directed to Cyber AB. ISACA-specific questions can be directed to ISACA Support.