ISACA to take over CMMC authorization program

The group's new official title is Cybersecurity Assessor and Instructor Certification Organization.
ISACA, the global professional association focused on IT governance and certification programs, is taking over the responsibility of authorizing organizations that will assess contractors for the Defense Department’s new cyber and supply chain security standard.
The organization's new official title is Cybersecurity Assessor and Instructor Certification Organization, which puts it at the center of the Cybersecurity Maturity Model Certification program. All companies that want to conduct business with DOD must hold some level of CMMC certification, which is scheduled to be fully implemented by November 2028.
The CAICO was operated by The Cyber AB, the official CMMC accreditation body, and all parties involved said Tuesday they expect the full transition of services to wrap up by April 1.
“ISACA’s role as the CAICO gives us the opportunity to take a leading role in addressing the cybersecurity skills gap and creating the workforce needed for elevating the cybersecurity posture of the DIB (defense industrial base),” Chris Dimitriadis, chief global strategy officer for ISACA, said in a release.
“CMMC will benefit enormously from ISACA’s operation of the CAICO, which will directly contribute to building greater trust and confidence in the quality of CMMC assessors and in the program overall,” added Matt Travis, chief executive of The Cyber AB.
Todd Gagnon, a retired Navy information warfare officer and three-decade cyber veteran, will lead the program on behalf of ISACA.
Enforcement activities for CMMC got underway on Nov. 10 with an initial focus on requiring Level 1 certification, which requires only a self-assessment of compliance with government standards for how companies protect controlled unclassified information.
In November 2026, DOD will start to require Level 2 certification on contracts involving more sensitive information. Level 2 requires a third-party assessment of compliance with all 110 controls in SP 800-171, the National Institute of Standards and Technology standard that is the foundation for CMMC.
Level 2 is where much of the hold-up in getting evaluated and certified is likely to occur, given that as many as 70,000 companies will need to be evaluated.
As of when CMMC enforcement began, only about 450 companies held Level 2 certification and close to 85 third-party assessment organizations were in place.