
The US Department of Defense (DoD) has designated ISACA as the global credentialing authority for the Cybersecurity Maturity Model Certification (CMMC) program. This designation seeks to ensure that defense contractors meet strict cybersecurity standards.
The CMMC program, introduced by DoD in 2020, requires contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement appropriate cybersecurity practices to protect the defense industrial base.
Impact and Implementation Deadlines
On September 10, 2025, DoD published its CMMC final rule in the Federal Register, effective November 10, 2025. This marks the official start of a three-year rollout of cybersecurity requirements in DoD contracts.
More than 200,000 organizations are expected to be affected by the CMMC by 2028. This includes not only US companies, but also European organizations that manage CUI or FCI or support certain prime contractors. By 2028, all organizations that supply or work for the DoD will be required to have a CMMC credential.
ISACA: Certification Authority for Advisors and Instructors (CAICO)
ISACA has been named the exclusive CMMC Advisor and Instructor Certification Organization (CAICO). In this role, ISACA is responsible for training, vetting and certifying professionals, advisors and instructors across the CMMC ecosystem.
Christos Dimitriadis, global strategy director at ISACA, highlighted that the CMMC framework aligns closely with the direction European regulators are taking under NIS2 and DORA. These frameworks are also making independently verifiable cyber maturity and supply chain security essential requirements.
Importance of Cyber Maturity and Workforce Challenge
Dimitriadis also noted that there is a global shortage of qualified cybersecurity advisors. By leading the CMMC credential program, ISACA seeks to help build a trusted workforce capable of supporting organizations as they strengthen their cyber resilience.
The primary goal of CMMC and cyber maturity efforts in Europe is not just compliance, but protecting organizations against increasingly advanced threats, ensuring continuity, resilience and trust.
Conclusion
ISACA’s designation as the CAICO for the CMMC program is a significant step in standardizing cybersecurity requirements for the defense supply chain. This move not only impacts US contractors but also sets a global precedent for cyber maturity, aligning with regulatory trends in Europe and emphasizing the need for a qualified security workforce.