
The Criticality of the CMMC Cybersecurity Workforce to Secure the Defense Industrial Base and Beyond


Posted on by Chris Dimitriadis

The cybersecurity threat landscape continues to accelerate, with artificial intelligence-fueled attacks making an already difficult job all the more challenging for cybersecurity practitioners. According to the World Economic Forum, two-thirds of organizations report a moderate-to-critical skills gap in cybersecurity, and ISACA’s State of Cybersecurity 2025 research shows that only 41% of global cybersecurity professionals are confident in their team’s incident response capabilities.

This skills and capabilities challenge poses potentially serious economic consequences for companies that are absorbing financial and reputational damage from cybersecurity incidents, and the repercussions can be even more dire from a national security perspective. Robust cybersecurity capabilities are essential throughout the Defense Industrial Base (DIB), the network of organizations that produce the defense-related materials, products, and services that underpin national defense capabilities. Given both the importance and complexity of securing the DIB, it is essential that consistent and rigorous cybersecurity standards are applied to the hundreds of thousands of organizations that comprise this ecosystem.

Fortunately, there is encouraging momentum on that front in the US Department of War’s (DoW’s) Cybersecurity Maturity Model Certification (CMMC) – the world’s largest cybersecurity certification program, and one that will be increasingly impactful in the coming years. CMMC assesses defense contractor compliance in safeguarding requirements for federal contract information and controlled unclassified information. Formal implementation of CMMC began on November 10, 2025, with requirements to increase each of the following three years toward full implementation by November 2028.

CMMC aligns with National Institute of Standards and Technology (NIST) security requirements to maximize efficiency and risk mitigation. This includes CMMC Level 2 aligning with NIST SP 800-171 Rev. 2 and CMMC Level 3 including NIST SP 800-172. These alignments help to ensure consistent safeguards for protecting Controlled Unclassified Information (CUI) and countering Advanced Persistent Threats (APTs).

CMMC’s Global Reach

CMMC’s reach is global. It sets a unified cybersecurity standard across the DIB, as well as in other industries that are willing to adopt Pentagon-level cybersecurity posture. Any organization in any country that conducts business with the US DoW must be CMMC-compliant as contractually required. This is critically important, given the interconnectedness of global supply chains and economic markets.

ISACA recently was authorized as the CMMC Assessor and Instructor Certification Organization (CAICO), meaning ISACA will manage the training, examination and professional certification for individuals within the CMMC ecosystem. This is truly one of the most exciting developments for our global community, as it solidifies ISACA – well-known for its maturity expertise via CMMI and its certifications in cybersecurity and other digital trust fields – as the global leader in cybersecurity workforce development.

Let’s take a closer look at two of the key credential programs ISACA will administer: CMMC Certified Professional (CCP) and CMMC Certified Assessor (CCA):

CMMC Certified Professional (CCP)

A CMMC Certified Professional (CCP) completes rigorous training on CMMC and the assessment process to provide advice, consulting, and recommendations to those organizations who are implementing the CMMC program. CCPs utilize compliance checklists prescribed by the CMMC standard to control scope and ensure fairness in applied criteria.

CCPs holding a favorable Tier 3 determination can participate on a CMMC Level 2 Assessment, but only to verify Level 1 practices. CCPs cannot make final determinations on a CMMC assessment; those final determinations are made by a CCA or a Lead CCA.

A CCP is eligible to become a CMMC Certified Assessor (CCA), can participate in assessments up to CMMC Level 2, and holds a valuable credential reflecting the training needed to understand the CMMC requirements for a Defense supplier.

CMMC Certified Assessor (CCA)

Upon passing the CCP examination, an individual can begin the CCA process. The candidate will need to find an Approved Training Provider (ATP). Once a candidate becomes a certified CCA, that individual is qualified to work on CMMC Level 2 assessments as part of a Certified Third-Party Assessment Organization (C3PAO) assessment team. The C3PAOs employ Assessors who are responsible for conducting the assessments for the Organizations Seeking Certification (OSC). ISACA’s CISA and CISM certifications are among the options that fulfill the mandatory certification requirement for CCAs.

Raising the Bar – A Security Imperative

As we move forward toward full implementation in the coming years, the CMMC program will have the dual benefits of strengthening the cybersecurity workforce and elevating cybersecurity standards across the critically important DIB, as well as to other organizations who want to adopt Pentagon-level cybersecurity capability. A program of this caliber fills a crucial need at a time when the AI-escalated threat landscape is increasingly challenging for all enterprises, and especially organizations that are high-profile targets for attackers such as those that are part of the DIB.

The global cybersecurity community urgently needs more well-trained professionals and trustworthy, unified standards. The CMMC workforce will play a leading role in making both happen.

Contributors
Chris Dimitriadis

Chief Global Strategy Officer, ISACA

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

