ISACA has been appointed as the exclusive CMMC Assessor and Instructor Certification Organisation (CAICO) for the United States Department of War’s Cybersecurity Maturity Model Certification (CMMC) program, a move expected to have significant implications for defence and critical-infrastructure suppliers across Australia and New Zealand.
Under the appointment, ISACA will oversee the global training, examination and certification of CMMC professionals, assessors and instructors. Once fully implemented, CMMC is expected to become one of the world’s largest cybersecurity certification programs, underpinning cyber assurance across the U.S. Defence Industrial Base and its international partners.
CMMC is designed to safeguard sensitive defence information, including Controlled Unclassified Information and Federal Contract Information, across supply chains supporting U.S. defence programs. Phased implementation is scheduled to begin in November 2025 and continue through to November 2028, with compliance requirements progressively embedded into U.S. defence contracts worldwide.
The appointment has growing relevance for Australian and New Zealand organisations, given the region’s deep integration with U.S. defence, intelligence and technology ecosystems. AUKUS Pillar II, joint research and development initiatives, and long-standing relationships with U.S. prime contractors mean many ANZ businesses in defence, aerospace, advanced manufacturing, cybersecurity and cloud services will be required to demonstrate CMMC compliance when supporting U.S. partners.
The announcement comes as both countries continue to strengthen domestic cyber frameworks. In Australia, Essential Eight maturity expectations, SOCI Act reforms and Defence supply-chain assurance initiatives are raising the bar for verifiable cyber practices, while New Zealand’s Cyber Security Strategy reflects similar alignment with allied defence and cloud environments.
As CAICO, ISACA will administer the full suite of CMMC credentials, including CMMC Certified Professional, CMMC Certified Assessor and Lead CMMC Certified Assessor, as well as CMMC Certified Instructor qualifications. The credentials are intended to support consistent, high-assurance assessments and improve cyber maturity across defence-linked supply chains.
ISACA CEO Erik Prusch said the organisation was proud to be entrusted with the role, noting its longstanding experience in cybersecurity training, credentialing and maturity frameworks. He said ISACA would support the Department of War in strengthening protection of sensitive information through globally consistent certification standards.
Jamie Norton, vice chair of the ISACA Board and an Australian-based cybersecurity leader, said CMMC is likely to become a defining reference point for cyber resilience in the region. He said the framework will increasingly shape how Australian and New Zealand organisations demonstrate trustworthiness when handling sensitive defence information and participating in international programs.
The CAICO role was previously held by The Cyber AB, which remains the accreditation body for the CMMC ecosystem. The Cyber AB CEO Matthew Travis welcomed the transition, saying ISACA’s global credibility and experience would strengthen confidence in the quality and consistency of CMMC assessments.
ISACA’s CAICO responsibilities take effect immediately, with the full transition expected to be completed by 1 April 2026. The role adds to ISACA’s existing portfolio of global certifications, including CISA, CISM, CRISC and CDPSE, as well as its expanding suite of AI-related credentials.