ISACA to Oversee DoD’s CMMC Cybersecurity Credentialing

Summary
– ISACA has been appointed by the U.S. Department of Defense as the exclusive global credentialing authority for the Cybersecurity Maturity Model Certification (CMMC) program.
– The CMMC program, with a final rule effective November 2025, requires defense contractors to implement cybersecurity practices to protect sensitive government information.
– By 2028, all organizations working with the DoD will need a CMMC credential, impacting an estimated 200,000 global contractors, including many in Europe.
– ISACA, as the CMMC Assessor and Instructor Certification Organization, is responsible for training and certifying the professionals needed to implement the framework.
– The CMMC framework aligns with European regulatory trends, aiming to strengthen cyber resilience against advanced threats beyond mere compliance.
The Cybersecurity Maturity Model Certification (CMMC) program now has a new global credentialing authority. The U.S. Department of Defense has officially appointed ISACA to oversee the training, examination, and certification of all professionals within the CMMC ecosystem. The appointment gives the framework, which is designed to ensure defense contractors protect sensitive government data, a single credentialing authority. With the final CMMC rule taking effect in late 2025, a structured three-year rollout is underway, requiring all organizations working with the DoD to hold the applicable certification by 2028.
Established in 2020, the CMMC program mandates that contractors implement specific cybersecurity practices to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The goal is to strengthen the cybersecurity posture of the entire defense industrial base. ISACA’s new role designates it as the exclusive CMMC Assessor and Instructor Certification Organization (CAICO). This responsibility encompasses certifying the assessors who evaluate organizations and the instructors who train the workforce, creating a standardized and trusted credentialing process worldwide.
The scale of this initiative is substantial. Industry estimates suggest the phased implementation of CMMC into U.S. defense procurement will impact over 200,000 organizations globally by the 2028 deadline. This extensive reach includes a significant number of European companies that handle protected U.S. data or function as suppliers within defense supply chains. These firms will also need to obtain CMMC certification to maintain their business relationships with the DoD and its prime contractors.
According to Christos Dimitriadis of ISACA, European organizations are increasingly adopting structured and verifiable cybersecurity practices. This trend is especially pronounced for those involved in international defense projects and complex technology supply chains. He points out that a worldwide shortage of qualified cybersecurity assessors makes ISACA’s leadership in this credentialing program critical for building a capable workforce that can help organizations enhance their cyber resilience.
The CMMC framework’s emphasis on verified security maturity aligns with the regulatory direction in Europe, including legislation such as NIS2 and DORA. These regulations are making independently audited cyber maturity and supply chain security fundamental business requirements. Compliance is a clear objective, but the underlying driver on both sides of the Atlantic is the need to defend against increasingly sophisticated cyber threats. Strengthening cybersecurity maturity has become an essential strategy for ensuring operational continuity, building resilience, and maintaining trust in a connected digital economy. Previously, the CAICO role was managed by The Cyber AB, which continues to serve as the official accreditation body for the overall CMMC program.
(Source: InfoSecurity Magazine)