Gatekeepers of the Cyber Defense: ISACA’s New Role in Policing the Pentagon’s Security Standards
Subtitle: ISACA’s takeover of CMMC assessor and instructor certification signals a seismic shift in global defense cybersecurity oversight.
When the world’s largest cybersecurity certification program needed a new steward, the US Department of War didn’t turn to a defense contractor or a shadowy government agency; it turned to ISACA, a 55-year-old professional association better known for shaping auditors and IT managers than for running the front lines of cyber warfare. This unexpected move could redraw not only the cybersecurity map for America’s military-industrial complex, but also for global supply chains and every foreign company vying for Pentagon contracts.
The Cybersecurity Maturity Model Certification (CMMC) has become the gold standard for defense contractors hoping to do business with the US military. Until recently, oversight of the CMMC’s vital assessor and instructor ecosystem was handled by the Cyber AB, a specialized accreditation body. But as of April 2026, ISACA will take the reins, managing the training, exams, and credentials of professionals who verify compliance across a sprawling global supply chain.
The stakes are enormous. CMMC isn’t just a bureaucratic hurdle; it’s a “unified cybersecurity standard” governing hundreds of thousands of businesses worldwide, from small US subcontractors to multinational giants. Any organization, regardless of nationality, that touches Pentagon data must play by CMMC rules. ISACA’s CEO, Erik Prusch, called the appointment a “proud moment” that cements the group’s influence on international security and the global economy.
ISACA’s new authority extends to credentialing roles such as CMMC Certified Professional (CCP), Certified Assessor (CCA), and Certified Instructor (CCI), with a new “Lead CCA” designation for seasoned experts. Notably, ISACA’s own certifications, such as the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA), now count toward the baseline requirements for CMMC assessors under the DoW’s rigorous 8140.03 framework. In plain English: ISACA members are suddenly fast-tracked for some of the most sensitive cybersecurity jobs in the defense world.
The transition is hardly cosmetic. Todd Gagnon, a former US Naval officer with deep ties to both the defense industrial base and government cyber operations, will lead ISACA’s CMMC program. The move comes as CMMC enters a critical phase: mandatory requirements begin ramping up in late 2025, reaching full force by November 2028. For organizations already using ISACA’s CMMI framework, the shift offers a head start; for others, it’s a wake-up call to get compliant or risk being locked out of lucrative defense contracts.
Yet, even as ISACA tightens the screws on defense supply chain security, the horizon holds new threats. The organization’s own research highlights how quantum computing could soon shatter current encryption methods, yet only a tiny fraction of enterprises are preparing for the fallout. As ISACA steps into its new role as the Pentagon’s cybersecurity gatekeeper, the question looms: Can the world’s supply chains keep pace with the evolving threats, and with the ever-higher bar set by CMMC?
As the CMMC program matures under ISACA’s watch, the transformation will ripple far beyond US borders. For cybersecurity professionals, the message is clear: the future of defense, and perhaps of global digital trust, may well be certified in ISACA’s exam rooms.
WIKICROOK
- CMMC (Cybersecurity Maturity Model Certification): CMMC is a cybersecurity standard that measures and certifies how well organizations, especially government contractors, protect sensitive data.
- ISACA: ISACA is a global association providing IT governance, risk, and cybersecurity certifications, frameworks, and resources for professionals and enterprises.
- CISM (Certified Information Security Manager): CISM is a leading certification for professionals overseeing enterprise information security, focusing on governance, risk management, and security program development.
- CISA (Certified Information Systems Auditor): CISA certifies professionals in auditing, controlling, and assuring information systems, validating expertise in IT governance, risk, and compliance.
- Quantum Computing: Quantum computing uses quantum physics to solve complex problems much faster than traditional computers, thanks to special units called qubits.