
ISACA, a key player in cybersecurity, audit, and digital trust, has stepped into a pivotal role for the U.S. Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. The organization now serves as the exclusive CMMC Assessor and Instructor Certification Organization (CAICO), handling the training, testing, and certification of professionals who evaluate compliance. This move addresses a worldwide shortage of skilled assessors as cyber threats intensify and supply chains demand verifiable security standards.
The CMMC framework, designed to safeguard sensitive unclassified data in the DoD’s supply chain, will roll out across U.S. defense procurement contracts in phases from 2025 to 2028. It affects more than 200,000 organizations globally that supply the DoD, including many in Europe involved in defense, aerospace, engineering, and high-tech sectors. Companies handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet the CMMC level specified in the contract (a self-assessment at Level 1, a third-party assessment for most Level 2 work) before they can bid on or support these contracts.
The Cyber AB retains its position as the program’s accreditation body, overseeing the broader CMMC ecosystem, including third-party organizations like CAICOs.
Rising Stakes for Supply Chain Security
Cyber risks have evolved dramatically, with nation-state actors and criminal groups turning tactics once reserved for military and intelligence targets against commercial suppliers. Supply-chain compromises, such as those seen in recent European incidents, show how a single weak link can halt operations, leak data, and erode trust. The CMMC program imposes three tiered maturity levels: Level 1 covers basic safeguarding of FCI, Level 2 maps to the 110 security requirements of NIST SP 800-171 for CUI, and Level 3 adds a subset of the enhanced requirements in NIST SP 800-172. At every level, organizations must demonstrate consistently operated processes and technical controls, not merely documented policy.
For European firms, this means navigating not just U.S. rules but also regional mandates like the NIS2 Directive and Digital Operational Resilience Act (DORA). These frameworks push for robust governance, incident reporting, and third-party risk management, creating convergence with CMMC principles. A DoD supplier in Germany building avionics, for instance, might need CMMC Level 2 certification to protect CUI while aligning with NIS2’s supply-chain oversight requirements.
This alignment fosters a unified approach to cyber readiness. Organizations gain a structured path to maturity, backed by standardized assessments that reduce ambiguity in compliance audits.
ISACA’s Expanded Mandate in Professional Certification
ISACA’s CAICO designation equips it to issue credentials such as CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA), Lead CCA, and CMMC Certified Instructor (CCI). These build on ISACA’s decades of experience in IT certifications, such as Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC), which are held by professionals worldwide.
The transition from the Cyber AB to ISACA is intended to preserve continuity while scaling capacity. Professionals can still pursue or renew credentials via the Cyber AB site until the handover completes. ISACA’s global reach, with a presence in more than 190 countries and nearly 230 chapters, positions it to train assessors for international supply chains.
Addressing the Assessor Shortage
A critical bottleneck in cybersecurity is the lack of qualified evaluators. Demand surges as regulations proliferate, but supply lags due to the specialized skills needed: deep knowledge of frameworks like NIST SP 800-171, risk assessment, and evidence collection. ISACA’s involvement aims to professionalize this workforce, standardizing training to produce consistent, high-quality assessments.
Christos Dimitriadis, ISACA’s Chief Global Strategy Officer, highlighted the shift: “Organizations across Europe are adopting structured cyber maturity practices, especially in cross-border defense and high-tech chains. There’s a global assessor shortage, and ISACA’s leadership in CMMC credentialing will help build a reliable talent pool to bolster resilience.”
He added that while compliance drives adoption, the real imperative is countering sophisticated threats to ensure business continuity.
ISACA CEO Erik Prusch emphasized the strategic fit: “Cyber maturity and supply-chain resilience are table stakes for defense and critical infrastructure worldwide. We’re proud to leverage our credentialing expertise to elevate the CMMC ecosystem and prepare professionals for transatlantic demands.”
Matthew Travis, Cyber AB CEO, endorsed the handoff: “ISACA’s credibility and certification management prowess will enhance trust in CMMC assessors and the program itself.”
Broader Implications for Global Cyber Maturity
This appointment underscores a trend toward harmonized standards. In Europe, NIS2 mandates risk management for essential and important entities, while DORA targets financial services with resilience testing. At the EU level, the Cyber Resilience Act sets baseline security requirements for products with digital elements. CMMC complements these by offering a maturity model tailored to defense supply chains, and its approach may influence adaptations in civilian sectors.
Opportunities and Challenges for Organizations
Adopting CMMC yields benefits beyond DoD contracts. Certified processes improve overall security posture, aiding compliance with ISO 27001 or SOC 2 and mitigating breach costs, which averaged $4.88 million globally in 2024 according to IBM’s Cost of a Data Breach report. Training under ISACA also upskills internal teams, fostering a culture of continuous improvement.
Challenges persist, however. Small suppliers face resource strains for assessments, which can cost tens of thousands of dollars depending on scope. Phased implementation, starting with Level 1 self-assessments and progressing to third-party assessments at Level 2, eases entry, but organizations should run a gap analysis against the applicable requirements early rather than waiting for a contract to demand it.
ISACA plans rigorous exam development, drawing on psychometric methods to ensure credential validity. This includes scenario-based testing on real-world supply-chain risks, such as ransomware propagation or insider threats.
About ISACA
ISACA® (www.isaca.org) champions the global workforce advancing trust in technology. For more than 55 years, ISACA has empowered its community of 190,000+ members with the knowledge, credentials, training and network they need to thrive in fields like information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and with nearly 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers—helping them to thrive in a rapidly changing digital landscape, drive trusted innovation and ensure a more secure digital world. Through the ISACA Foundation, ISACA also expands IT and education career pathways, fostering opportunities to grow the next generation of technology professionals.