
CMMC Champion Arrington Heads Back to Pentagon as New CISO

After a hiatus, Katie Arrington returns to the Defense Department, promising to enforce cybersecurity rules and defend CMMC against critics.

Katie Arrington delivers a keynote speech during the Military Satellite Communications Digital Week in December 2020. Photo Credit: Lisa Ferdinando/DOD

Former defense cybersecurity official Katie Arrington returns to the Pentagon as department CISO, she announced in a LinkedIn post Tuesday night.

Arrington previously served as the CISO for Acquisition and Sustainment from 2019 to 2022, where she played a pivotal role in the development of the Cybersecurity Maturity Model Certification (CMMC) program. After she left the Pentagon in 2022, she ran an unsuccessful bid for Congress and later joined Exiger as vice president of Government Affairs.

As CISO for Acquisition and Sustainment, Arrington stewarded CMMC. She was one of the CMMC architects during the pandemic lockdowns and its aftermath.

“World War II changed the way we build things,” Arrington said in May 2020. “9/11 changed the way we moved. COVID has changed the way we interact with one another … cyber has allowed us to [flourish] in the past seven or eight weeks.”

Arrington, whose first time at DOD began during President Donald Trump’s first term, continues to defend CMMC against industry criticism. In a video posted to LinkedIn earlier this month, she defended Pentagon staff working on the regulations amid the presidential transition, complimenting Stacy Bostjanick, Randy Resnick, David McKeown and others. She added that she was “fighting an uphill battle about CMMC” when she was CISO for Acquisition and Sustainment.

In a video posted to LinkedIn in January, Arrington said that the defense industrial base needs CMMC to strengthen its cybersecurity posture and defended CMMC’s rules.

“The auditing capability is needed and necessary, because we can’t trust self-attestation we’ve lost,” Arrington said. “That’s why we’re losing over $180 million a day in the defense industrial base.”

Arrington also said that CMMC is not among the targets of the White House’s executive order to eliminate excessive regulations, adding that the Trump administration is dedicated to cybersecurity.

“He is serious about cybersecurity. Always has been. Don’t pay attention to the people that have been hating on the CMMC for years,” she said in the January LinkedIn video. “We have a very poor national security posture within the industrial base that needs to be cleaned up.”

Before her resignation in 2022, DOD placed Arrington on administrative leave in 2021 because of allegations of disclosing classified information. In her resignation letter, she claimed that her suspension was “politically influenced” and maintained her innocence.
