ISACA takes responsibility of training, credentialing CMMC assessors

ISACA has assumed responsibility as Cybersecurity Assessor and Instructor Certification Organization, and will work to scale the number of third-party CMMC assessors to meet a rising demand.
The Pentagon, as viewed from the air after takeoff from Reagan Airport (Getty Images/Aaron Seltzer)

Information technology firm ISACA has been chosen to lead the training and certification of assessors within the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) program.

ISACA officially assumed responsibility as Cybersecurity Assessor and Instructor Certification Organization (CAICO) on Tuesday, according to the company. Moving forward, it will be charged with administering training, examinations and professional certification for individual assessors within the program — including CMMC certified professionals, CMMC certified assessors and CMMC certified instructors.

The company will transition into its role over the next few months, and expects to reach full capacity by April 2026.

“We look forward to leveraging our deep cybersecurity and assurance roots and our global leadership in cybersecurity maturity, training, credentialing and assessment to serve as the CAICO and help the [Department of War] meet the challenge of protecting its sensitive information,” ISACA CEO Erik Prusch said in a statement, using a secondary name authorized by the Trump administration to refer to the Department of Defense.

CMMC is a tiered cybersecurity framework that requires defense contractors working with federal contract information (FCI) or controlled unclassified information (CUI) to have proper security controls based on how sensitive the data they’re handling is. After a lengthy and controversial approval process, the Pentagon established the program as federal law in 2024 and began a phased implementation plan to include CMMC requirements in contracts. An enforcement effort went into effect last month.

Most Defense Department contracts currently only require vendors to complete a self-assessment of their CMMC compliance. But beginning in November 2026, contractors handling more sensitive information classified as CMMC Level 2 must have their cybersecurity posture validated by a certified third-party assessor organization (C3PAO).

However, the number and availability of C3PAOs — as well as the CMMC certified assessors and professionals they employ — have been a key concern among the defense industrial base and the Pentagon, as it’s estimated that over 100,000 companies will eventually require Level 2 certification, according to Todd Gagnon, head of the CAICO program at ISACA.

“The number of professionals is nowhere near adequate right now, and there is no plan to scale under its existing status,” Gagnon told DefenseScoop in an interview. “ISACA is going to try to take that on.”

Cyber AB — the official CMMC accreditation body — served as CAICO before Tuesday. Gagnon explained that the small organization would have been challenged to maintain the role, especially as the demand for approving additional certified assessors and professionals is expected to increase throughout 2026.

Over the next few months, ISACA will work to build out its IT infrastructure and certification process to support its new role as CAICO. Chris Demitriatis, the company’s chief global strategy officer, told DefenseScoop that the firm’s experience in managing technology credentialing programs will allow the business to easily scale its operations for CMMC.

“The intention of Cyber AB was always to be the accreditation body and the ecosystem owner of CMMC,” he said. “There has always been a need for an established training and credentialing organization in order to take over this accountability. We have very high confidence and a very experienced team in place, structure, a network of partners and IT systems that can very easily handle this.”