Today marks a major milestone for ISACA and our global community: ISACA has been authorized as the CMMC Assessor & Instructor Certification Organization (CAICO) for the world’s largest cybersecurity certification program—the US Department of War’s (DoW’s) Cybersecurity Maturity Model Certification (CMMC). In other words, ISACA will manage the training, examination and professional certification for individuals within the CMMC ecosystem.
This recognition elevates ISACA’s critical role in the global security landscape. Not only is CMMC the largest cybersecurity certification program in the world, it is a program that sets a unified cybersecurity standard for hundreds of thousands of organizations in the Defense Industrial Base (DIB), with resulting impact on international security, supply chains and the global economy. It speaks volumes that ISACA is the organization that has been trusted to ensure its success going forward. This is a proud moment for our global community to celebrate.
This new role is in full alignment with our mission and vision, as it will enable ISACA to offer new career paths and journeys in the cybersecurity and assurance space as we continue to champion a workforce committed to advancing trust in technology. For more than 55 years, ISACA’s global community has helped individuals and organizations across both the public and private sectors to operate more securely in an increasingly technology-driven world. Building on this history by applying our expertise to the world’s largest cybersecurity certification program is a terrific opportunity to grow our global impact in a way that is a natural extension of the work we have done for decades.
Why is this such a logical fit? CMMC requires high levels of reliability, trust, consistency, rigor and customer support. ISACA has the global footprint, unmatched certification infrastructure, strong customer experience capability around the world, and rigorous and globally respected certifications in assessment and audit. We also have deep expertise and pedigree in the DoW’s digital technology and services maturity assessments space via CMMI.
In this new role, ISACA will administer credential programs for CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA), and CMMC Certified Instructor (CCI), as well as the Lead CCA designation. You can learn more about each of these credentials here.
This transition comes at a pivotal period for CMMC. Formal implementation of CMMC began 10 November 2025, with requirements increasing in each of the following three years toward full implementation by November 2028.
Given ISACA’s worldwide scope, it is important to note that CMMC’s relevance is global, just like the DoW itself and the supply chain that supports it and its partners on common platforms and systems. Any organization in any country that conducts business with the US DoW must be CMMC-compliant where required contractually.
Previously, the CAICO was operated by the Cyber AB, which will continue to provide transition services to ISACA through 31 March 2026. When it fully transitions to ISACA on 1 April, the CMMC program will benefit from the expertise of Todd Gagnon, a career US Naval officer who has been at the forefront of the US cyber apparatus. He will be leading this program and has worked closely with both the defense industrial base and the joint environment across DoW, bringing substantial experience in both industry and government.
One significant, existing connection to CMMC for current ISACA certification-holders is that both the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) certifications satisfy the baseline certification requirement for CCA eligibility under DoW 8140.03's Work Role 612 (Security Control Assessor) at the Intermediate or Advanced proficiency levels. This means if you hold either CISM or CISA, you meet one of the critical certification prerequisites for becoming a CMMC Certified Assessor, provided you also meet the other requirements (CCP certification, experience, training, exam and required background check). I look forward to CCAs and CCPs learning more about ISACA and all the ways in which we are ready to support their career journeys in the coming months, as well as ISACA members gaining more familiarity with the CMMC ecosystem.
If your organization has already integrated CMMI into its contract work for the DoW, you’re not just prepared—you’re ahead of the game for meeting CMMC requirements. Pair this advantage with the prestige of CISM and CISA certifications, our robust ATO network, and the thriving community of CMMI adopters and partners, and you’ll find countless ways to engage and excel within the ISACA ecosystem. Don’t miss your chance—become involved today and help shape the future of cybersecurity.
I invite each of you to learn more about CMMC and share this great news with others throughout the ISACA community. As much as this is a milestone to celebrate, we now focus on the work ahead—and we are ready for it. We look forward to applying our decades of experience as a trusted certification leader with award-winning credentials and our robust infrastructure to deliver a streamlined, world-class experience that takes the CMMC program to even greater heights.
We will share more updates about this program in the months to come. In the meantime, I wish everyone a happy and healthy festive season, and I am excited for all that we will achieve together in the new year.