ISACA undertakes global certification of CMMC professionals

ISACA becomes globally responsible for the certification of professionals who, in turn, may evaluate organizations for compliance with the U.S. CMMC guidelines. Companies supplying the U.S. Department of Defense must comply with these guidelines.

ISACA is now responsible for the global training, examination and certification of professionals who assess organizations according to the U.S. CMMC cybersecurity framework. This certification is becoming mandatory for all companies wishing to supply the U.S. Department of Defense (officially not yet the Department of War, even though Trump would like it to be), which has implications for more than 200,000 organizations worldwide.

Protection of sensitive data

The Cybersecurity Maturity Model Certification (CMMC) program was developed by the U.S. Department of Defense to protect sensitive, but unclassified, information within the department’s global supply chain.

The implementation of the framework runs from 2025 to 2028. Companies that process data such as Controlled Unclassified Information or Federal Contract Information, or that work with prime contractors in defense projects, will need CMMC certification.

Within the CMMC ecosystem, ISACA becomes the exclusive CMMC Assessor and Instructor Certification Organization (CAICO). In this role, the organization trains and certifies professionals, auditors and instructors who are responsible for assessing CMMC compliance at companies. The official accreditation body for the CMMC program remains The Cyber AB.

European relevance

For European organizations, especially in sectors such as defense, aviation and engineering, the emergence of CMMC is an additional catalyst to examine their cyber maturity. The increasing threat of complex cyberattacks – similar to techniques from military contexts – means that companies are increasingly focusing on structured and verifiable cybersecurity processes.

ISACA’s role aligns with broader international trends. Requirements around cybersecurity are also increasing within Europe, including through regulations such as NIS2 and DORA. By offering certifications such as CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA) and CMMC Certified Instructor (CCI), ISACA supports companies that want to maintain or strengthen their position within international supply chains. In that regard, the CMMC framework and the role that ISACA takes on are complementary to security trends that are playing out in Europe.

According to ISACA, there is a global shortage of qualified cybersecurity auditors. By taking on this task, the organization aims to contribute to a reliable and professional evaluation of cyber resilience within companies. This step should also ensure greater uniformity in the assessment of cyber risks, which is becoming increasingly important for governments and partners.