SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

ISACA to lead CMMC credentials, reshaping defence cyber

Fri, 19th Dec 2025

ISACA has been appointed as the global credentialing authority for the US Department of Defence's Cybersecurity Maturity Model Certification programme, a move that is set to reshape cyber assessment requirements for defence and technology suppliers worldwide.

The association will act as the exclusive CMMC Assessor and Instructor Certification Organisation (CAICO). It will train, examine and certify professionals, assessors and instructors who work within the CMMC ecosystem.

The Cyber AB remains the official accreditation body for the CMMC programme. It has authorised ISACA in the credentialing role and will continue to oversee accreditation of the wider ecosystem.

Global supply chain impact

CMMC was developed by the US Department of Defence to protect sensitive unclassified information across its supply chain. The framework sets out graduated requirements for contractors that handle Controlled Unclassified Information and Federal Contract Information.

The US defence department plans to phase CMMC requirements into its procurement processes between 2025 and 2028. The change will affect organisations that contract directly with the department and those that support prime contractors.

ISACA said the appointment will impact more than 200,000 organisations that supply into US defence programmes. Many of these organisations sit outside the US, including in Europe's defence, aerospace, engineering and technology sectors.

The association will administer CMMC credentials including CMMC Certified Professional, CMMC Certified Assessor and CMMC Certified Instructor. It will use its existing global certification infrastructure and networks.

European exposure

Thousands of European firms in defence, aerospace and cyber already participate in transatlantic programmes that involve US defence contracts. Many of these firms will encounter CMMC requirements through their US partnerships and subcontracting roles.

European regulators are also raising expectations around operational resilience and supply chain security. NIS2 and the Digital Operational Resilience Act introduce stricter rules on incident reporting, governance and third-party risk management across the European Union.

ISACA stated that CMMC aligns with this direction because it focuses on independently verifiable cyber maturity and supply chain security in regulated environments. It said demand for consistent standards is increasing as supply chain cyberattacks hit private companies and public sector bodies.

Christos Dimitriadis, Chief Global Strategy Officer at ISACA, said organisations are changing how they manage cyber risk. "Across Europe, organisations are moving toward more structured, verifiable cyber maturity practices, particularly those engaged in cross-border defence and high-tech supply chains," said Dimitriadis. "There is a global shortage of qualified cybersecurity assessors. By leading the CMMC credentialing programme, ISACA is helping build a trusted workforce capable of supporting organisations as they strengthen their cyber resilience."

European companies have faced a series of high-profile supply chain incidents in recent years. These incidents have exposed weaknesses in vendor oversight and third-party access to critical systems.

Rising threat levels

ISACA said that European organisations now encounter cyber techniques that previously sat mainly within military or intelligence operations. It highlighted an increase in sophisticated attacks that target suppliers as entry points into larger networks.

The association characterised CMMC as a source of structured training and assessment standards that organisations can use when they handle sensitive information for US defence contracts. It said this can contribute to resilience, data protection and operational risk management.

"While compliance is important, the underlying driver for CMMC and for cyber maturity efforts across Europe is the need to protect organisations against increasingly advanced threats. Strengthening cyber maturity is now fundamental to safeguarding continuity, resilience and trust," said Dimitriadis.

ISACA's appointment comes as governments seek clearer assurance around cyber readiness. Many national cyber strategies now reference supply chain risk, third-party oversight and the need for better-qualified assessors.

ISACA described its new role as an extension of its long-running involvement in cybersecurity assurance and digital trust. The group has built a portfolio of certifications and training programmes for professionals in information security, audit, risk and governance.

Shift in accreditation role

The CAICO function was previously performed by The Cyber AB, which developed the early credential structures for CMMC. That organisation will continue as the accreditation body for the programme while ceding the credentialing authority role to ISACA.

Matthew Travis, Chief Executive of The Cyber AB, said the transition aimed to strengthen assurance in the programme. "We are thrilled to transition the CAICO and the stewardship of its critical mission to ISACA," remarked Travis. "ISACA brings unsurpassed credibility and experience to the CMMC program, along with its world-class quality management of professional IT certifications. CMMC will benefit enormously from ISACA's operation of the CAICO, which will directly contribute to building greater trust and confidence in the quality of CMMC assessors and in the program overall."

ISACA said the change would support an expansion of the global cybersecurity assessment workforce. It pointed to a shortage of qualified assessors at a time when both public and private sectors demand more frequent and rigorous evaluations.

Erik Prusch, Chief Executive of ISACA, said growing regulatory and contractual expectations were driving interest in structured cyber maturity frameworks. "Cyber maturity and supply-chain resilience are now essential requirements for defence and critical-infrastructure organisations globally," added Prusch. "We are honoured to support the CMMC ecosystem through our globally recognised credentialing capabilities and to help professionals prepare for rising expectations across transatlantic supply chains."

Individuals who plan to pursue or renew CMMC credentials can continue using existing channels during the transition. ISACA will assume full responsibility for the credentialing programme as CMMC adoption progresses across the US defence supply chain and its international partners.
