Katie Arrington has returned to the Pentagon as the Department of Defense's (DoD) Chief Information Security Officer (CISO), confirmed through a LinkedIn post made by Arrington on Tuesday, February 18th. Arrington served as CISO for Acquisition and Sustainment from 2019 to 2022 and is returning to serve under the second Trump administration. Arrington has been outspoken about the need to strengthen the nation's cybersecurity posture. She led the initial development of the Cybersecurity Maturity Model Certification (CMMC), a program intended to protect Controlled Unclassified Information (CUI) entrusted to defense contractors.
Arrington told Federal News Network:
“I’m excited to serve the 47th president of the United States and to do as all government people should do, I will serve at the pleasure of the president in whatever role they see fit. I am just grateful I have an opportunity to make some positive changes within the DoD that will not only create lethality and resilience but also save the taxpayers money.”
Arrington has underscored the importance of CMMC and its role in the Defense Industrial Base (DIB), stating that the U.S. loses $600 billion a year to our adversaries in exfiltration, data rights, and R&D loss.
Things will begin to move faster, not slower. The 32 CFR rule has been published, and Certified Third-Party Assessor Organizations (C3PAOs) have already begun their audits. Organizations must be prepared for when CMMC requirements begin to show up in contracts at the end of this year. With Arrington back in a leadership role, there is strong reason to believe that the DoD will accelerate the implementation and enforcement of CMMC.
Arrington’s return to the DoD is being met with a mix of anticipation and urgency within the defense contracting community. Many cybersecurity experts believe that her leadership will drive a renewed emphasis on compliance, enforcement, and cybersecurity readiness across the supply chain. However, some small and mid-sized contractors remain concerned about the costs and logistical challenges of meeting CMMC requirements, particularly as final rules approach enforcement.
CMMC in Contracts: The integration of CMMC requirements into defense contracts is expected by the end of the year, reinforcing the need for defense contractors to act swiftly in ensuring compliance.
Accelerated Audits: With C3PAOs actively conducting assessments, companies should engage with their consultants and ensure their cybersecurity measures align with 32 CFR requirements.
Ongoing Developments: Arrington’s influence may lead to refinements in CMMC policies, including clarifications on assessment procedures and potential incentives for early adopters.
Historical Context & Policy Direction
During her previous tenure, Arrington played a pivotal role in the initial framework of CMMC, emphasizing the necessity of protecting sensitive defense data. Her return suggests a continuation of her original vision but with an enhanced focus on enforcement. Industry leaders anticipate that her leadership will drive a more structured, urgent approach to cybersecurity compliance within the DoD and defense contracting community.
Statement from CorpInfoTech Founder & President, Lawrence Cruciana
Regarding Katie Arrington's return to the DoD, Lawrence Cruciana, founder and president of CorpInfoTech, stated:
"Katie Arrington is a force of nature—an inspired visionary and tenacious leader who deeply understands how crucial cybersecurity is to safeguarding the American defense industrial base. As one of the original architects of CMMC, her return to the DoD’s top cybersecurity office signals a renewed, intensified commitment across the entire supply chain. With 32 CFR finalized and 48 CFR on the brink of enactment, her experience, professionalism, and unrelenting drive will only amplify the momentum behind CMMC. Every defense contractor—from prime to subcontractor—should pay close attention as this pivotal moment demands thorough preparation and swift action."
Arrington’s return to the Pentagon signifies a pivotal moment in the cybersecurity landscape for the Defense Industrial Base. With CMMC enforcement on the horizon, now is the time for defense contractors to solidify their cybersecurity postures and ensure compliance with the DoD’s evolving requirements.
CorpInfoTech is a CMMC Level 2 certified MSP (assessed by a C3PAO) that passed its audit with a perfect score of 110, making it one of the first MSPs to achieve Level 2 compliance. We have been through the process, and we can help you through the pathway to achieving CMMC compliance. Reach out today.