
December 2025 Cyber AB Town Hall Recap: ISACA Named New CAICO
Just one month after CMMC enforcement officially began, the Cyber AB convened an unplanned December Town Hall to deliver a major update: The Cybersecurity Assessor and Instructor Certification Organization (CAICO) is now under the authority of ISACA.
While certification numbers continued their upward trend, the spotlight was on this transition and what it means for assessors, instructors, training partners, and the broader CMMC ecosystem. Here’s what we learned.
ISACA is now the official CAICO for the CMMC Program
Effective immediately, the Cyber AB has transferred the designation, authorization, and stewardship of the CAICO to ISACA, a global professional association known for managing high-stakes certification programs like CISA, CISM, and CRISC. The move marks a significant evolution in the CMMC ecosystem, and one the Cyber AB says has been in the works for some time.
While the transfer is now official, a formal transition period will continue through March 31, 2026. During that time, the Cyber AB and ISACA will work closely to ensure continuity of operations. No immediate changes are expected to certification processes, exams, or training requirements during this period.
Matt Travis framed the shift as both strategic and necessary. The original vision for the CMMC ecosystem included a separate CAICO entity from the start, but staffing and resourcing constraints made that difficult to achieve until now. With thousands of assessors and instructors entering the pipeline, the need for a larger, dedicated credentialing body became increasingly clear.
What will ISACA manage and what stays with the Cyber AB?
This transition does not affect the Cyber AB’s role as the official accreditation body for CMMC. The Cyber AB will continue to oversee C3PAOs, the marketplace, and the RP/RPA/RPO programs.
ISACA will now serve as the CAICO, responsible for:
- Credentialing CMMC Certified Professionals (CCPs)
- Credentialing Certified Assessors (CCAs)
- Credentialing Lead CCAs (LCCAs)
- Credentialing Certified Instructors (CCIs)
Tier 3 background checks, the Registered Practitioner program, and the CMMC Marketplace will continue to be owned and operated by the Cyber AB.
ISACA’s new CAICO program will be led by Todd Gagnon, a retired Navy Captain and cybersecurity expert with extensive experience in information warfare and defense contracting. “My goal is to be the bridge between the DIB, the DoD, and the CAICO,” Gagnon said. “We want this transition to be as seamless as possible.”
What this transition means for assessors, instructors, and training partners
In short, no immediate changes. The transition of CAICO oversight to ISACA won’t impact certification processes in the near term, and existing timelines, requirements, and procedures remain in place. But this leadership change signals a new chapter for the ecosystem’s compliance infrastructure, and contractors should be aware of what will be shifting behind the scenes over the next few months. Here’s what was confirmed during the meeting.
- CCPs, CCAs, and LCCAs do not need to take action. Legacy badges will continue to be valid through the transition. ISACA will issue new badge designs once they’ve been finalized in collaboration with the CMMC PMO.
- Exams will continue to be administered through Measured Learning for now. If you’re scheduled for an exam, nothing changes. Future exams will transition to ISACA’s systems beginning April 1.
- Applications for CCP/CCA credentials will remain on the Cyber AB site through March. Starting April 1, all new applications will route through ISACA.
- Approved Training Providers (ATPs) and Approved Publishing Partners (APPs) will continue operating as-is. No changes to scheduling or course delivery during the transition.
- Fee structure remains unchanged for now. ISACA indicated it may review membership and credentialing fees in the future but will provide advance notice of any updates.
- ISACA membership will not be mandatory for anyone seeking CMMC-related certifications. All credentialing activities (applications, renewals, validations, etc.) will remain open to non-members.
“The goal is no disruption,” Gagnon reiterated. “We want existing credential holders and ATPs to continue operations without missing a beat.”
How the CAICO transition will unfold
Now that the CAICO transition has been announced, the Cyber AB and ISACA are entering a formal 90-day transition period that will run through March 31, 2026. During this time, the two organizations will work in tandem to migrate credentialing systems, integrate support processes, and ensure a seamless experience for assessors, instructors, and training partners. Behind the scenes, efforts are already underway to transfer certification data and align workflows between the Cyber AB’s existing infrastructure and ISACA’s global credentialing platform.
Starting April 1, 2026, ISACA will become the sole managing body for all CMMC professional certifications, including the Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), Lead Certified CMMC Assessor (LCCA), and Certified CMMC Instructor (CCI) credentials. At that point, new applications will route directly through ISACA’s platform, and all certification exams will be delivered via ISACA’s established exam delivery systems. Credential badges will also transition to a new ISACA design, though existing badges issued by the Cyber AB will remain valid through the transition.
While the Cyber AB will no longer manage assessor certifications, it will continue to serve as the official accreditation body for the broader CMMC ecosystem. That means it will retain authority over the CMMC Marketplace, Tier 3 background checks, and all Registered Practitioner programs. Those responsibilities are not affected by the CAICO handoff.
For most stakeholders, there’s no action needed right now. The goal is continuity. Credential holders can continue operating as usual during the transition period, and more detailed instructions will be shared ahead of the April handover.
CMMC L2 certification numbers continue to climb
Beyond the CAICO announcement, the Cyber AB also shared the latest certification and ecosystem growth figures, with the trend continuing upward. A total of 559 organizations have now received final Level 2 certification, up 58 from November. Another 29 organizations now hold conditional certifications, and 115 more are currently undergoing assessments.

Ecosystem participation is also accelerating. The number of authorized C3PAOs increased to 93, while Certified CMMC Assessors rose to 635. The number of Certified CMMC Professionals saw a healthy 9% month-over-month increase, rising to 1,372. Registered Practitioners and RPAs saw modest gains as well, and the number of Approved Training Providers (ATPs) and Approved Publishing Partners (APPs) both increased by around 10%.
One data point did reflect a small dip: the number of Lead CCAs dropped slightly to 377. However, the Cyber AB attributed this to temporary Marketplace renewal glitches, which they say have now been resolved. Taken as a whole, the growth indicators point to a strong, expanding ecosystem that’s steadily preparing to meet the demands of full-scale CMMC enforcement.
What to watch for in early 2026
Looking ahead, both the Cyber AB and ISACA are planning several key initiatives in early 2026. A refresh of CCP and CCA training materials will launch in the first half of the year, incorporating updates aligned with the 32 CFR rule and phasing out the current training model. These updates are expected to improve clarity, reduce duplication, and ensure that all new credential holders are trained on the most current CMMC guidance.
Meanwhile, a full overhaul of the Registered Practitioner (RP) program is slated for mid-2026. While details are still emerging, the Cyber AB confirmed that revised RP training content is in development and will include new structure and instructional materials.
We’ll continue to track updates and insights from each Cyber AB Town Hall. For ongoing coverage, check out past recaps in the CMMC.com newsroom.