DOD’s Katie Arrington shows no mercy to CMMC complainers

The Pentagon's acting IT leader warns contractors about compliance with the new cybersecurity standard and unveils plans to overhaul "archaic" software authorization and risk management framework processes.
Katie Arrington, the Defense Department’s acting chief information officer, has little sympathy for contractors complaining about the Cybersecurity Maturity Model Certification.
After all, she was the lead ambassador for the launch of the defense industrial base's new cyber and supply chain security standard during the first Trump administration.
The Biden Administration changed the approach to CMMC, but the requirement is essentially the same: contractors must certify how they are following a set of standards for securing government information on their systems.
That mostly means NIST Special Publication 800-171 from the National Institute of Standards and Technology, which covers the protection of controlled unclassified information (CUI).
Arrington is now back at DOD following Trump’s election in November and CMMC is her responsibility again.
“If you go on LinkedIn one more time and tell me how hard CMMC is, I’m going to beat you,” she said Wednesday at an AFCEA DC luncheon. “That ship sailed in 2014.”
Contractors have been required for more than a decade to comply with NIST SP 800-171, which has 110 controls for protecting CUI. Throughout that time, contractors have been self-certifying their compliance.
But with the CMMC rule now final, companies must go through a third-party audit (under CMMC, the assessment level, from self-assessment up to certified third-party assessment, depends on the type of information a contract involves).
“You are telling me over 11 years later how hard it is?” she said.
Complaining now only puts a target on the backs of companies for the Defense Contract Management Agency to come in and audit their cyber posture, Arrington said.
“Do you think the government isn’t watching?” she said. “Do you think China is backing off?”
CMMC and zero trust architectures are part of a culture shift at DOD toward a trust but verify posture, Arrington said.
“It’s not a framework. It never was," she added.
Every system DOD fields must start with security and that starts with the acquisition process, she said.
On acquiring software, Arrington said she is developing a software fast-track process to be called SWIFT. The intent is to speed up the authority-to-operate process.
A request for information will be released to look for third-party vendors that can help in risk assessment, she said.
Software will be assessed on 12 characteristics of risk such as financial, foreign ownership and cyber. Arrington also wants artificial intelligence to help review the findings instead of waiting for a human to do it.
“I’m blowing up the risk management assessment framework. I’m blowing up the ATOs,” she said. “I only have five things I really care about: How do you develop what you’re doing that’s secure by design? How do I validate that? Are you working with Zero Trust? How do I validate that? What’s more important – an ATO or continuous monitoring? Continuous monitoring. How do I do that?”
She is planning a meeting for May that will have all of DOD’s component CIOs to work on a plan going forward.
“We have to get away from the way we’ve done business to the way we need to do business,” Arrington said.