ISC2 Closes Free Certified in Cybersecurity Program May 20 After Reaching One Million Milestone

On April 22, ISC2 announced that its One Million Certified in Cybersecurity program will stop accepting new participants on May 20, 2026. After nearly four years of handing out free cybersecurity training and exam vouchers to anyone willing to take them, the organization passed its enrollment goal and is closing the door on new signups.

If you’ve been sitting on the fence about whether to grab a free CC voucher, you have about a week. After May 20, the entry-level Certified in Cybersecurity (CC) credential goes back to standard pricing along with every other ISC2 exam and course.

What Actually Changes on May 20

The wind-down has three phases, and ISC2 made the schedule pretty clear in its April 22 announcement.

Starting May 20, 2026, no new participants get into the program. People who already have an unexpired exam code can still schedule and sit for the CC exam through December 31, 2026. Anyone whose course access has not expired can keep working through the training during their access window.

The course itself isn’t going anywhere. ISC2 confirmed that after the program ends, the CC exam and education will still be available for purchase like any other ISC2 product. What goes away is the free path.

The Final Scorecard

ISC2 kicked off the program in August 2022 with a stated goal of providing one million people with free access to the CC course and exam. They beat the timeline. When the curtain comes down on May 20, the totals look like this:

Program Outcome | Total (since August 2022)
People enrolled in free CC course | More than 1,000,000 across 178 countries
Completed the foundational course | 570,000+ participants
Passed exam and earned CC certification | 65,000+ certified holders
Progressed to a second, advanced ISC2 cert | Nearly 9,000 (SSCP, CCSP, CISSP, others)

That last number is the one worth watching. Nearly 9,000 people who started with the free CC program have already moved up to more advanced ISC2 credentials. That confirms the program produced an upward pipeline rather than a static pool of CC holders. Some of those 9,000 are working toward CISSP right now.

Why ISC2 Built This in the First Place

The workforce gap is the unavoidable backdrop. ISC2’s 2025 Cybersecurity Workforce Study, released December 4, 2025, surveyed 16,029 cybersecurity professionals and found 88% of them reporting concrete consequences from skills shortages at their organizations. The estimated global gap in unfilled cybersecurity positions sits near 4.8 million.

CC was designed to widen the funnel at the bottom. The certification validates foundational concepts: security principles, business continuity, access controls, network security, and security operations. No work experience is required to sit for the exam, which is what made the free program valuable to a specific population. Students, career switchers, IT helpdesk and sysadmin staff curious about security, and people working in adjacent roles all had a low-friction way to test whether cybersecurity made sense as a career direction.

For people aiming at CISSP, CC is two or three rungs below where they need to be. But for someone deciding whether to even take their first step, the program offered a path that didn’t cost them anything beyond time.

Scott Beale, who took over as ISC2 CEO in January 2026, framed the wrap-up like this in the April announcement: “Whether we’re talking about skills needs, economic constraints, geopolitical threats or uncertainty around AI, quantum and other emerging technologies, the cybersecurity workforce faces serious challenges. Serious challenges require big, bold initiatives. One Million Certified in Cybersecurity embodies ISC2’s purpose-driven mission to strengthen the cybersecurity field.”


[Figure: From enrollment to advanced certification. 1,000,000+ enrolled (100%); 570,000+ completed course (57%); 65,000+ certified (6.5%); 9,000 advanced (0.9%).]

Why This Matters if You’re Aiming at CISSP

For someone already deep in CISSP prep, this announcement might feel like background noise. That would be a mistake.

The CC program produced a vetted pool of foundational cybersecurity professionals who passed an actual ISC2 exam. Many of them are now working entry-level security jobs and accumulating the work experience that CISSP requires. Some of them will be your future colleagues, direct reports, or competition for senior roles a few years out.

There’s a second angle worth thinking about, which is what ISC2 builds next. The April press release pointed to “big, bold initiatives” as the way to address workforce challenges, which strongly hints that something else is in development. Nothing specific has been announced yet, but anyone watching the cybersecurity workforce pipeline should keep an eye on ISC2’s announcements through the rest of 2026.

For hiring managers reading this, candidates with CC plus a couple of years of practical experience are now a real population in the market. They’re not the same as someone with a bootcamp certificate or a self-study claim. They sat for an ISC2 exam and passed it.

The Three Groups Affected by the May 20 Deadline

The Person Still Considering CC

If you haven’t enrolled yet and want the free CC course and exam, the deadline is firm. Head to ISC2’s program page at www.isc2.org/1mcc and sign up before May 20, 2026. Registration takes a few minutes. After May 20, the same course and exam will cost what ISC2 charges everyone else for an entry-level certification, so the window for free access closes hard.

The Person Already Enrolled but Hasn’t Taken the Exam

Check the expiration date on your exam voucher and your course access right now, before May 20 hits. If your code is unexpired when the program closes, you can still schedule and sit for the exam through December 31, 2026. If your course window is still open, you can finish the training during that window. After December 31, expired codes are gone with no extensions.

The Associate of ISC2 Holder

If you already hold Associate of ISC2 status from passing CISSP or another higher-level exam without yet meeting the experience requirement, none of this changes anything for you. Your endorsement path is separate, your associate status is not connected to the CC program in any way, and your six-year window to complete experience requirements continues normally.


[Figure: Program timeline. Aug 2022: program launches, free CC offered. Apr 22, 2026: closure announced, 1M target met. May 20, 2026: last day for new enrollments. Dec 31, 2026: last day for existing codes. After Dec 31, the CC exam and course return to standard pricing.]

The Bigger Question Hanging Over This

The ISC2 program ran on a specific hypothesis: that financial barriers were a meaningful obstacle keeping people out of cybersecurity. The data from the closure announcement tells a mixed story about that hypothesis.

One million enrollments and 65,000 certified holders confirm the barrier-removal worked at the top of the funnel. People who would not have paid the exam fee did sign up, and a chunk of them earned a credential. That’s a meaningful outcome.

But the same 2025 Workforce Study that motivated the program also showed that financial barriers are not the dominant problem right now. What’s keeping organizations short-staffed is the experience gap between certified beginners and the senior practitioners they actually need. CISSP, with its five-year experience requirement, sits squarely on the wrong side of that gap from a hiring perspective. You cannot fix that by giving away CC vouchers, no matter how many you hand out.

Whatever ISC2 announces next, the One Million CC program leaves behind something useful: tens of thousands of people who would not have entered cybersecurity without it, several thousand who have already moved up the ladder, and proof that the workforce pipeline does respond when barriers come down. The harder problem, getting those people from foundational certifications to senior practitioner roles, is the one ISC2 still has to solve. That problem is not going away in 2026.