Stakeholders see opportunity to galvanize efforts around implementing CMMC program with Arrington joining DOD CIO office

By Sara Friedman / February 20, 2025

The hiring of Katie Arrington as the new DOD chief information security officer will bring a renewed focus on getting the Pentagon’s Cybersecurity Maturity Model Certification program fully realized, according to stakeholders who highlighted rulemaking efforts in the final stages and the official launch of the initiative.

“We’re so excited to have her back and energized to get it over the finish line and roll it out,” Stacy Bostjanick told Inside Cybersecurity on the second CMMC rulemaking that will kick off the implementation of a four-phase rollout of requirements in Defense Department solicitations.

Bostjanick is chief of defense industrial base cybersecurity at the DOD Office of the CIO, where she leads efforts to implement the CMMC program.

Arrington’s initial stint at DOD was in the office of the under secretary of defense for acquisition and sustainment, where she served as the public face of the CMMC initiative when the program was in its early stages. The CMMC Program Management Office was originally based at A&S.

Under Arrington’s tenure, the CMMC model was finalized and DOD issued an interim final rule in 2020 to implement CMMC through amending the Defense Federal Acquisition Regulation Supplement. Arrington was hired as an appointee at A&S under the first Trump administration.

The CMMC program was paused in early 2021 under the direction of then-Defense Deputy Secretary Kathleen Hicks, who came in at the start of the Biden administration. Arrington was put on suspension in the summer of 2021 over her alleged sharing of classified information outside of DOD.

Arrington officially resigned in February 2022 from DOD to run for Congress and lost to incumbent Rep. Nancy Mace (R-SC) in the 2022 primary. She joined supply chain firm Exiger in January 2024 as vice president of government affairs.

Arrington announced her new DOD CISO job in a LinkedIn post. Inside Cybersecurity confirmed her first day in the role was Feb. 18.

Professional Services Council president and CEO David Berteau praised Arrington’s work to launch CMMC in 2019, which involved getting feedback from stakeholders on the CMMC model before version 1.0 was finalized in early 2020.

CMMC 2.0 was announced in November 2021 following an internal review, with an announcement of major changes and details on two upcoming rulemakings to implement the revamped program.

“There’s nothing wrong with the way CMMC 2.0 was done,” Berteau said. “It’s not inconsistent with the Administrative Procedure Act but it was dramatically less engagement than there was for CMMC 1.0.”

CMMC 2.0 was partially hamstrung by the rulemaking process which took a little over two years to produce the first proposed rulemaking for public comment. The process to develop the 234-page proposed rulemaking involved getting extensive input from DOD agencies and the military services before the interagency review process began at OMB’s Office of Information and Regulatory Affairs.

While DOD officials shared details on the rulemaking at public events before it was sent to OIRA, the proposed rule itself was kept under wraps until it was published in December 2023.

DOD had planned to hold a public meeting after the first proposed rule was released but instead opted to post an “informational” video where officials at the DOD CIO office provided an overview of the rulemaking.

Berteau noted DOD also compressed the timeframe for stakeholders to provide final feedback on the second CMMC rulemaking. DOD published the final version of the first CMMC rulemaking days before the second CMMC rulemaking was made public as a proposed rule through the Federal Register.

“There is nothing that stops the government from having an ongoing conversation,” Berteau said.

Further, the final version of the first CMMC rulemaking responded to public comments on the December 2023 proposed rule. Berteau said many of PSC’s comments were considered “out of scope” of the rulemaking and not addressed in the final rule.

PSC raised concerns over the ambiguity around controlled unclassified information, the possibility of contracting officers picking the highest tier of CMMC as a default, and the cost of compliance for the defense industrial base and for companies that also serve civilian agencies.

Berteau said their comments should be considered in scope for DOD’s future work on cybersecurity.

“It’s clear to us that there’s an opportunity for success with more engagement,” Berteau said.

Arrington was a key voice in getting the first iteration of CMMC across the finish line, speaking at industry events, engaging with stakeholders and setting an ambitious timeframe to get the rulemaking process completed under CMMC 1.0.

There was still criticism of the rollout under Arrington. The rulemaking was issued as an interim final rule, which limited industry’s ability to provide input before it went into effect. The rulemaking also contained two new DFARS clauses regarding NIST Special Publication 800-171 that were not anticipated at the time.

Alliance for Digital Innovation Executive Director Ross Nodurft reflected on what Arrington brings to the CMMC program under its latest iteration.

Nodurft told Inside Cybersecurity in a statement: “Katie Arrington understands the importance of protecting the supply chain from our adversaries while also bringing a perspective from industry on the importance of harmonizing requirements.”

“We look forward to working with her in her new role to make sure that the requirements that underpin the CMMC, the Cloud Computing Security Requirements Guide, and the Zero Trust Maturity Model speak to each other in a way that drives security outcomes while promoting reciprocity,” Nodurft said.