
In an era of persistent cyber competition, the Department of Defense faces a dual challenge: raising cybersecurity standards across the defense industrial base (DIB) while ensuring those standards can be implemented at scale. The Cybersecurity Maturity Model Certification (CMMC) program addresses the first challenge. Successfully executing it will determine whether the second can be met.
CMMC is not a pilot effort or a niche compliance regime. More than 200,000 organizations—domestic and international—support the Department of Defense, and once the program is fully operational, nearly 120,000 contractors will require Level 2 certification. Because certifications must be renewed every three years, roughly 40,000 third-party assessments will be required annually. Without a sufficiently large, trained, and trusted assessor workforce, CMMC risks becoming a bottleneck rather than an enabler of cyber resilience.
That reality places workforce development—not policy design—at the center of CMMC’s long-term success. The decision to designate ISACA as the CMMC Assessor and Instructor Certification Organization (CAICO) reflects a recognition that scaling cybersecurity oversight requires more than good intent. It requires institutional capacity, operational discipline, and experience managing large, credential-based professional ecosystems.
ISACA brings more than 55 years of experience in cybersecurity training, certification, and workforce development. As a global professional association supporting 185,000 cybersecurity professionals, ISACA has demonstrated the ability to administer rigorous certification programs at scale. In 2025 alone, ISACA delivered more than 45,000 certification exams. That operational maturity is essential for ensuring that CMMC assessments are conducted consistently, ethically, and with technical rigor across a highly diverse industrial base.
Continuity during transition is equally important. ISACA is working closely with CyberAB to support professionals already moving through certification pathways and to preserve confidence across the ecosystem. Stability, transparency, and predictability are critical as CMMC shifts from phased rollout to sustained execution.
I assume the role of CAICO Director after a career as a naval information warfare officer, where I worked extensively with defense contractors to integrate industry-provided capabilities into operational missions. That experience reinforced a simple truth: cybersecurity frameworks only strengthen national defense if they are executable, trusted, and aligned with real-world operational demands.
To better understand the challenges facing candidates entering the CMMC ecosystem, I completed CCP training and certification prior to joining ISACA. Experiencing the process firsthand reinforced both the rigor required and the importance of clarity, consistency, and communication. That perspective will inform how we evolve training, certification pathways, and candidate support as the ecosystem scales.
CMMC represents one of the most ambitious cybersecurity verification efforts ever attempted, and its success will depend on the professionalism and integrity of the people who carry it out. With ISACA serving as CAICO, the focus will remain on developing a trusted, ethical, and highly capable assessor workforce—one that strengthens the DIB, supports national security objectives, and helps ensure the United States maintains its technological edge in an increasingly contested digital environment.
Todd Gagnon, Director, CMMC Assessor & Instructor Certification Organization (CAICO) at ISACA.