Katie Arrington’s appointment as Chief Information Security Officer (CISO) of the U.S. Department of Defense (DoD) marks a pivotal moment for the Defense Industrial Base (DIB). A trusted Trump appointee and former DoD CISO for Acquisition, Arrington was the driving force behind the creation of the Cybersecurity Maturity Model Certification (CMMC) program. During her first tenure, she took CMMC from concept to rulemaking at record speed—a testament to her dedication and sheer force of will.

But more than her role as CMMC’s architect, Arrington’s commitment to the program stems from a deeply personal mission: to secure the DIB from cyber threats that jeopardize national security. With her elevation to DoD CISO, her leadership ensures that CMMC will remain a centerpiece of the strategy to secure the DIB.

CMMC Will Be a Cornerstone of DIB Cybersecurity

Arrington’s recent public statements leave no doubt about the future of CMMC:

CMMC is not pausing… CMMC is going to stay in place; there’s no question about that.

The CMMC started in the Trump administration… Nothing is going to change.

The President is serious about cybersecurity—always has been.

Organizations that have taken a ‘wait and watch’ approach should recognize that non-compliance is not a viable path forward. Once a solicitation carries the CMMC clause, a contractor that has not achieved the required CMMC level (for most contracts involving CUI, a Level 2 certification assessment) is ineligible for award. That reality is underscored by Matt Travis, CEO of the Cyber AB, the accreditation body that oversees CMMC assessments:

If you haven’t started getting engaged in CMMC, now is the time to do so. It was probably the time in early 2024, but now the light is flashing red.

Accountability Under DFARS 7012 Is Non-Negotiable

Arrington has consistently pointed out that CMMC is not introducing new requirements; it is enforcing existing ones. Organizations handling Controlled Unclassified Information (CUI) have already signed contracts containing DFARS 252.204-7012 (commonly shortened to “DFARS 7012”), which requires them to implement the 110 security requirements of NIST SP 800-171 on any covered contractor information system that processes, stores, or transmits CUI.

You have been required by law since 2017 to [implement the NIST standard]. This is just a check. And the President is a ‘trust but verify’ kind of guy, so don’t think he’s going to walk that back.

With Arrington at the helm, the DoD will hold contractors accountable for their existing commitments under DFARS 7012, using the assessment and reporting mechanisms established under DFARS 252.204-7019 and 252.204-7020 (the clauses that require a current NIST SP 800-171 assessment score in SPRS before award), policies she personally helped implement.

Prepare Now: Secure Systems, Documentation, and SPRS Scores

To remain in the DIB, organizations must act now by implementing and documenting the IT systems that protect CUI in accordance with NIST SP 800-171. In practice this means scoping the environment where CUI lives, most commonly email and file-sharing systems, securing those systems, and producing the documentation that the DoD assessment methodology is built on: a System Security Plan (SSP) describing how each of the 110 requirements is met, and Plans of Action and Milestones (POA&Ms) for any that are not yet met. Together these are what an organization uses to calculate and report its SPRS score.

Posting NIST SP 800-171 assessment scores to the Supplier Performance Risk System (SPRS) was another innovation championed by Arrington, designed to ensure that contractors not only claim compliance but can show how they arrived at that claim. A self-reported Basic assessment score is only as good as the evidence behind it, so organizations should be prepared to defend their SPRS score, requirement by requirement, to DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessors conducting Medium or High assessments and to prime contractors evaluating supplier readiness for CMMC.

Timing Your CMMC Assessment vs. Meeting DFARS 7012 Obligations

While organizations can time their CMMC assessment around when they bid on contracts, or pursue it early as a competitive advantage, non-compliance with DFARS 7012 remains a material business risk today, independent of any CMMC timeline. DFARS 7012 is a contract clause, so failing to meet it is a breach of contract, and an inaccurate representation of NIST SP 800-171 compliance (for example, an SPRS score that cannot be substantiated) exposes the organization to significant legal and financial penalties, including False Claims Act liability.

To clarify: DFARS 7012 and CMMC both require adherence to the same 110 NIST SP 800-171 requirements; the difference lies in who verifies compliance. Under DFARS 7012, 7019, and 7020, a contractor may self-attest through a Basic assessment and post the resulting score in SPRS, provided the score is accurate and defensible. CMMC Level 2, which applies to most contracts involving CUI, generally requires a certification assessment by an authorized third-party assessment organization (C3PAO), and Level 3 is assessed by DIBCAC.

One Team, One Fight: The Path Forward

Arrington’s leadership reinforces the DoD’s unwavering commitment to CMMC as a cornerstone of DIB cybersecurity. As she often says: “One team, one fight.”

For defense contractors, the message is clear—compliance is no longer optional, and the time to act is now.