ISACA has taken on one of the most consequential mandates in cybersecurity: serving as the official CMMC Assessor and Instructor Certification Organization for the U.S. Department of War's CMMC program. In this Brand Spotlight recorded live at RSAC Conference 2026, Todd Gagnon -- a career naval officer now leading the CAICO for ISACA -- breaks down what it takes to certify the assessor workforce the Defense Industrial Base needs.
ISACA has stepped into a defining role in the CMMC ecosystem, taking over as the CMMC Assessor and Instructor Certification Organization -- the CAICO -- for the U.S. Department of War's Cybersecurity Maturity Model Certification program. Recorded live at RSAC Conference 2026, this conversation with Todd Gagnon, the Director of the CAICO at ISACA, gets right to the heart of what that means for cybersecurity professionals, defense contractors, and anyone thinking about where their career intersects with the defense industrial base.
The CMMC program exists to solve a persistent problem: too many companies doing business with the federal government had failed to properly implement required cybersecurity controls. Built around NIST 800-171's 110 security requirements, CMMC demands third-party, independent verification -- and that means a large, trained, credentialed assessor workforce. ISACA's role is to build and certify exactly that. Todd Gagnon walks through the two foundational credentials at the center of this effort: the CMMC Certified Professional (CCP) as the entry point, and the CMMC Certified Assessor (CCA) as the operational core. With roughly 800 credentialed professionals in the current ecosystem against a need measured in thousands, the stakes and the urgency are clear.
What makes this conversation practically useful is the range of people it speaks to. Gagnon lays out who should be thinking about a CCP -- including professionals early in their careers and organizations that want internal staff who truly understand the CMMC framework, not just outside consultants. He explains the C3PAO model, how subcontractor compliance flows through the ecosystem, and why NIST 800-171 is a strong cybersecurity foundation regardless of whether an organization ever touches a government contract. The certification pathway is open to non-ISACA members, the CCP is designed to be accessible, and the knowledge transfers well beyond the federal contracting context.
ISACA is also moving ahead of the curve: with NIST having released Revision 3 of 800-171, ISACA is already developing training content for the transition -- targeting delivery by the end of 2026 so that a wave of Revision 3-ready professionals will be in place going into 2027, when the Department of War is expected to make the regulatory shift. Todd Gagnon closes with a candid ask for patience as the April 1st transition from Cyber AB to ISACA takes effect, along with a clear statement of intent: the credentials issued under ISACA's watch should stand for something.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Todd Gagnon, Director, CMMC Assessor & Instructor Certification Organization (CAICO) at ISACA
LinkedIn: https://www.linkedin.com/in/todd-gagnon-90b8a6264/
RESOURCES
ISACA CMMC Certification Hub: https://www.isaca.org/cmmc
ISACA Official Website: https://www.isaca.org
KEYWORDS
Todd Gagnon, ISACA, Sean Martin, Marco Ciappelli, CMMC, Cybersecurity Maturity Model Certification, CAICO, CCP, CCA, NIST 800-171, Defense Industrial Base, cybersecurity certification, DoD compliance, government contractors, brand spotlight, brand story, brand marketing, marketing podcast, RSAC Conference 2026
ISACA Takes the Helm of CMMC Certification: Building the Assessor Workforce the Defense Industrial Base Needs | A Brand Spotlight at RSAC Conference 2026 with Todd Gagnon, Director, CMMC Assessor & Instructor Certification Organization (CAICO) at ISACA
[00:00:10] Sean Martin: Here we are. We're at RSAC Conference. Todd Gagnon, how are you?
[00:00:15] Todd Gagnon: Good. Doing well, Sean. Thanks.
[00:00:17] Sean Martin: Good to see you. Good to see you in the ISACA booth.
[00:00:19] Todd Gagnon: Yep.
[00:00:20] Sean Martin: Glad to have a good chat with the ISACA team. You guys do so much for the community, cybersecurity, and the professionals that work within it. And we're going to talk about some new stuff that is coming out, some exciting new stuff.
[00:00:32] Todd Gagnon: Some exciting new stuff.
[00:00:33] Sean Martin: Coming out and available, right?
[00:00:35] Todd Gagnon: Yep.
[00:00:35] Sean Martin: So first let's start with a few words about your role within ISACA, and maybe a bigger picture surrounding that as well.
[00:00:43] Todd Gagnon: Sure. So what's new for ISACA is we took on a new role within the CMMC system, which is a Department of War program for cybersecurity assurance for all companies who do business with the DoD. My role is the Director of the CAICO, and I'll talk about that in a second. I came in to help with that transition -- ISACA taking on these new important certifications. The CMMC program, for those who aren't familiar, is a Department of War program that started about 2019, 2020. The department found that a lot of the companies who did business with them hadn't properly implemented all the right security controls on their IT systems. So the CMMC program is an assessment program that allows them to have a higher level of assurance that these companies have implemented the necessary security controls.
[00:01:41] Sean Martin: And CMMC is Cybersecurity Maturity Model...
[00:01:45] Todd Gagnon: Certification.
[00:01:47] Sean Martin: Yes. We like to throw those acronyms around. So for organizations that may not be familiar -- probably most are if they're working in the government space -- what's the objective with the CMMC certification?
[00:02:10] Todd Gagnon: The certification for CMMC applies to companies doing business with the government, and this is a global issue. The department estimates over 200,000 companies do business with them. Any company that does business with the Department of War will have to have some level of certification under CMMC, depending on the information they handle and the sensitivity of that information. About 120,000 will require what we call a third-party independent assessment -- a commercial company with certified assessors who will come in and do that independent verification. The program is aligned around NIST 800-171, which contains 110 security requirements. A company has to implement all 110 security requirements completely in order to be certified and then be eligible to take on a DoD contract.
[00:03:16] Sean Martin: Got it. So government certification. What's ISACA's role in all this?
[00:03:26] Todd Gagnon: ISACA's role is to train and certify all of those assessors. These independent companies have to hire assessors to go in and do the assessments.
[00:03:39] Sean Martin: And it's strictly the professionals in the assessing organization?
[00:03:44] Todd Gagnon: That's correct. And there are two certifications associated with that profession in this work. The first one is CCP, which is the foundational certification. It stands for CMMC Certified Professional. A CCP starts out with foundational knowledge of what the CMMC program is, what NIST 800-171 is, and all the regulatory requirements of the program. Once they are in the CMMC world for a while and gain experience, they can then apply to become an actual assessor -- that's a CCA, a CMMC Certified Assessor. The CCA is the one responsible for actually doing the assessment.
[00:04:28] Sean Martin: Okay.
[00:04:28] Todd Gagnon: When they go into a company that does business with the government, with the Department of War, they're the ones responsible for looking at how the company has implemented all 110 security requirements from NIST. Each one has several objectives underneath. They have to inspect every single objective to every single requirement -- collect evidence, do interviews, whatever they need to verify the company has implemented these controls. The CCA certification really is the heart of the CMMC.
[00:05:03] Sean Martin: Got it. So the progression is CCP, then CCA. And who would be interested in the CCP? Do they have to be ISACA members?
[00:05:18] Todd Gagnon: No, that's a great point. You don't have to be an ISACA member to get an account, apply for the certification, and go through the training. It's an independent program because it is sponsored by the Department of War. ISACA membership is not required. There are benefits, of course, if you are an ISACA member -- we really commit to our members for lifelong career progression and continuing education. But you don't need that. You do have to be a CCP if you eventually want to become a CCA, because federal regulation requires you to start out with that foundational knowledge, gain experience, and then apply for a CCA to become an assessor.
[00:06:16] Sean Martin: What are the prerequisites? What knowledge, skills, or timeframe of working in an area does it take to start that program?
[00:06:35] Todd Gagnon: Each certification has a different level of experience requirements. CCP, because it's foundational, is really an entry-level position. What we're looking for is minimum education -- two years of college -- and some minimal cybersecurity experience. It's meant to be an open door for somebody who's early in their career trying to get into cybersecurity. Once they gain that certification, they gain some experience, and then they can apply for CCA. CCA is where things escalate. It's in the federal regulation that specifies how much experience they have to have -- three years of experience in cybersecurity and audit. They also have to have a foundational certification. The Department of War has specified certain cyber force work roles, and there is a category for cybersecurity professional. For ISACA certs, CISM and CISA are qualifying under DoW 8140. But it does not have to be an ISACA cert.
[00:07:49] Sean Martin: So you have to have the CCP -- and another one or two to get to CCA. How much CMMC experience does one need? Or is it more about understanding the controls that happen to be part of CMMC?
[00:08:11] Todd Gagnon: It's about understanding the controls, but also the assessment process. It is a specific assessment process developed by Cyber AB. They are the accredited accrediting body for the Department of War for CMMC, and we are authorized under Cyber AB to be the CAICO. They established the assessment process -- we call it the CAP, the CMMC Assessment Process. That defines every step that an individual has to know very well to go in and do the assessment. The CCP gets the basics of that. It's the CCA who really learns the assessment process, because they're the ones who will implement it.
[00:08:54] Sean Martin: Right. So clearly the certification follows the professional. But let's talk a little bit about organizations that have one or more CCAs to serve the businesses that are serving the government. What does that look like?
[00:09:13] Todd Gagnon: A company that does those assessments -- we call them the C3PAO, a CMMC Third Party Assessment Organization. When I say third-party assessors, those are the companies that conduct the assessments. They will hire as many CCAs as they need to conduct assessments for companies that need certification. I mentioned 120,000 earlier -- that's a lot. You can imagine we have to scale this ecosystem up really fast.
[00:09:49] Sean Martin: Right.
[00:09:49] Todd Gagnon: One company may have dozens of CCAs so they can do multiple assessments at the same time.
[00:09:57] Sean Martin: So what are the timeframes for some of these things to actually lock in? And how many professionals with the CCP versus CCA do you think we need, by when, and how?
[00:10:10] Todd Gagnon: It's a good question and it's not simple math, even though it seems like it should be. It's really hard to estimate how many assessors we will need to get to that 120,000 assessments across the DIB. But it's thousands. Right now in our ecosystem, we have about 300 CCAs.
[00:10:28] Todd Gagnon: There is one more step up I didn't mention -- that's a Lead CCA. Once you've been in the CCA market doing assessments for years and gained even more experience, you can apply to be the Lead CCA. They're the ones who actually lead the team that does the full assessment. They take on more of a management and leadership role but also have greater depth of experience to apply to the assessment. We have about 500 of those. So about 800 total.
[00:10:59] Sean Martin: And you need several thousand.
[00:11:00] Todd Gagnon: We need several thousand. And it takes a while to go through the training. There's mandatory training you have to take. You have to pass an exam. Scaling that up is the challenge.
[00:11:11] Sean Martin: Where does the training come from?
[00:11:13] Todd Gagnon: Right now we have other companies that produced the content before we came on board -- we call them Approved Publishing Partners. They produced the content and it was approved by Cyber AB, the former CAICO. All training organizations have to use that approved content. The course is usually about a week long.
[00:11:37] Sean Martin: Okay. An intense course.
[00:11:39] Todd Gagnon: Yeah, it's an intense course. And then typically a professional will need more time to study and be ready for the exam. You have to pass the exam -- and if you don't pass, you have to wait a while and retake it.
[00:11:52] Sean Martin: It's a timed exam, I imagine?
[00:11:54] Todd Gagnon: It is, yes. It's timed, it's proctored, closed book. It's a formal ISO-accredited certification, so it's a pretty intense exam.
[00:12:10] Sean Martin: Having that certification clearly unlocks a lot of opportunities -- certainly for doing work in assessing organizations for the government. But I would imagine there's a lot of other learning that comes with it that could be applied to other things. Is there carryover from a CCP and a CCA to perhaps some other certifications?
[00:12:35] Todd Gagnon: Definitely. The framework that CMMC is built around -- NIST 800-171 -- is considered a pretty comprehensive cybersecurity framework. Any company, whether they do business with the Department of War or not, if they implement NIST 800-171 in its complete form, they'll have a really secure network and their systems will be pretty well protected. So even if you aren't going to work for a company associated with the Department of War, having a CCP or CCA certification can really do a lot for your career and it can help companies just be more secure.
[00:13:17] Sean Martin: You've mentioned NIST a couple of times, primarily from the frameworks and requirements angle. What's the relationship with NIST and ISACA, and maybe some changes pending on that front?
[00:13:34] Todd Gagnon: NIST is the National Institute of Standards and Technology. They established a lot of the standards and the framework. The Department of War aligns CMMC to NIST 800-171. We're currently on Revision 2 -- that's what the CMMC program is running on. NIST has actually come out with Revision 3. So we know the department will eventually transition to Revision 3.
[00:14:08] Sean Martin: Got it.
[00:14:08] Todd Gagnon: What ISACA decided to do, when we came in, was look at where the current training and exam for the certification was. We decided to start developing content to transition the community to Revision 3. We think it's important because that's the future of the framework. And it does take time to develop content -- about nine months. So by the time we produce it and have it on the street and start training individuals, we expect the department will be about ready to transition. They haven't put a timeline to when they'll transition, but they have acknowledged they are going to do that. They have to go through a formal update to the federal regulation -- CFR 32 -- which governs it. But we will have this content on the street by the end of this year.
[00:15:01] Sean Martin: Okay.
[00:15:01] Todd Gagnon: So going into 2027, we will have certified individuals who are trained on Revision 3, and as the department transitions, they'll be ready.
[00:15:12] Sean Martin: And I would imagine -- even if you're not an assessor organization -- there's probably value to having people on staff within the organization who have a CCP even if they're not interested in being an assessor. Great opportunity for organizations to get their staff certified.
[00:15:39] Todd Gagnon: You're exactly right. A lot of companies are really working hard to get to the compliance level they need in order to gain a government contract. Right now they're trying a lot of different options -- hiring consulting firms, doing mock assessments, different techniques. But one simple path is to get your staff certified as a CCP. Somebody who really knows the framework and knows the assessment process. Any company, whether or not they are doing business with the Department of War, having one or more of their staff certified as a CCP will do a lot to help them secure their efforts.
[00:16:22] Sean Martin: You mentioned third parties as well -- I'm sure that's baked in, because organizations have other organizations they work with. Do you find there'll be value in partnering with other organizations who have CCPs on staff?
[00:16:40] Todd Gagnon: I think so. A company that wants to do business with the government has to be certified, but if they want to reach out and pull somebody in to help them with a contract as a subcontractor, that subcontractor has to be certified. So there are definitely a lot of reasons why being fully compliant with what we've defined in the CMMC framework can really help a company gain additional business.
[00:17:11] Sean Martin: Yeah.
[00:17:12] Todd Gagnon: And additional opportunities -- if you're working with a different company, whether it's government or not, and they are CMMC level certified, that says a lot about their security.
[00:17:25] Sean Martin: So big picture for ISACA and this certification program -- obviously Revision 3 is a big effort coming this year. Where do you see things heading, and what do you want to tell the professional community?
[00:17:45] Todd Gagnon: I hope that the reason ISACA came on -- and I hope we prove this -- is that we are founded on 50-plus years of experience in cybersecurity audit, compliance, and governance. We've been doing this a long time. Now that the government has formally directed the implementation of CMMC, it's important to increase the standards and the rigor behind the CMMC certifications. The individuals and professionals we put out there with our training, curriculum, and certifications really should stand for a lot. And it really should help the CMMC ecosystem and the government understand that there's a high level of assurance -- that once an assessment is done by our certified professionals, it stands for something.
[00:18:41] Sean Martin: Yeah. And it doesn't get much more direct than tying yourself to NIST and all those controls. What a great thing to have a CCP or a CCA as a professional. I'm excited. I'm excited for you as well. And we wish the team the best to reach those thousands of practitioners -- people looking at the controls, auditing the controls, people operating the business. Todd, final word to folks as we wrap here.
[00:19:18] Todd Gagnon: One thing I would ask is that this transition is going to happen effective April 1st, in just a week or so. Hopefully we will not break anything and it'll be a seamless transition from Cyber AB to us as far as taking care of the professionals in the ecosystem. We hope that the value we bring to each individual who is certified and who comes into the CMMC world -- they will see the value we can add to their professional career, that mentorship and lifelong career pathway management. So be patient with us in case things aren't quite as smooth as we want. But we hope you see some value.
[00:20:00] Sean Martin: Yeah, I can see the value for sure. And Todd, it's a pleasure chatting with you today.
[00:20:05] Todd Gagnon: Same here, Sean.
[00:20:06] Sean Martin: Congratulations. Thank you very much for your time. Thanks everybody for staying tuned. Connect with Todd and the ISACA team, and get your CCP and your CCA. Let's bring resilience to our infrastructure and our government. All right, thanks everybody.