ISACA has been appointed by the US Department of Defense (DoD) as the global credentialing authority for the Cybersecurity Maturity Model Certification (CMMC) program, ensuring defense contractors meet strict cybersecurity standards.
The DoD introduced CMMC in 2020 to make sure companies protect sensitive information when working on government contracts.
The program requires contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement adequate cybersecurity practices to protect the defense industrial base.
On September 10, 2025, the DoD published its final CMMC rule in the Federal Register, which took effect on November 10, 2025, officially launching a three-year rollout of cybersecurity requirements across DoD contracts.
By 2028, all organizations supplying or working with the DoD will need to hold a CMMC credential delivered by ISACA.
ISACA is now the exclusive CMMC Assessor and Instructor Certification Organization (CAICO), responsible for training, examining and certifying professionals, assessors, and instructors across the CMMC ecosystem.
CMMC Rules to Impact 200,000 Global Contractors by 2028
As the CMMC framework is phased into US procurement from 2025 to 2028, over 200,000 organizations are expected to be impacted, according to ISACA.
This includes many European organizations that handle CUI or FCI, or that support certain prime contractors, which will also need to be CMMC certified.
“Across Europe, organizations are moving toward more structured, verifiable cyber maturity practices, particularly those engaged in cross-border defense and high-tech supply chains,” said Christos Dimitriadis, chief global strategy officer at ISACA.
“There is a global shortage of qualified cybersecurity assessors. By leading the CMMC credentialing program, ISACA is helping build a trusted workforce capable of supporting organizations as they strengthen their cyber resilience.”
ISACA argued that the CMMC framework aligns closely with the direction European regulators are taking under NIS2 and DORA, where independently verifiable cyber maturity and supply chain security are becoming essential requirements for businesses.
“While compliance is important, the underlying driver for CMMC and for cyber maturity efforts across Europe is the need to protect organizations against increasingly advanced threats. Strengthening cyber maturity is now fundamental to safeguarding continuity, resilience and trust,” Dimitriadis added.
The CAICO role was previously performed by The Cyber AB, which remains the official accreditation body for the CMMC program.
