Training, Security Staff Acquisition & Development

ISACA assumes CMMC assessor certification role

The word "Training" is seen on a blue button on a white computer keyboard

DefenseScoop reports that ISACA, an information technology group, has taken over the responsibility for training and giving credentials to assessors under the Pentagon's Cybersecurity Maturity Model Certification 2.0 program amid concerns about a shortage of qualified third-party evaluators.

The organization formally became the Cybersecurity Assessor and Instructor Certification Organization and will oversee training, exams, and certification for CMMC assessors, professionals, and instructors, with full operational capacity expected by April 2026. CMMC is a tiered cybersecurity framework requiring defense contractors handling federal contract information or controlled unclassified information to meet security standards based on data sensitivity.

While most Defense Department contracts currently rely on self-assessments, contractors managing CMMC Level 2 data will need validation from certified third-party assessor organizations starting in November 2026. Concerns over assessor availability have intensified, as more than 100,000 companies are expected to require Level 2 certification, according to Todd Gagnon, who leads ISACA's CAICO program. Cyber AB previously served in the role but was expected to face scaling challenges as demand increases.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds