‘Stop doing that’: Arrington pleads to industry to quit ‘complaining’ about CMMC
“I don’t need China, Russia, Iran, Afghanistan, North Korea, knowing any more about us than they already do,” Katie Arrington, who is performing the duties of the DoD CIO, said.


Then-Chief Information Security Officer for Acquisitions Katie Arrington delivers a keynote speech during the Military Satellite Communications Digital Week, the Pentagon, Washington, D.C., Dec. 8, 2020. (DoD photo by Lisa Ferdinando)
WASHINGTON — Katie Arrington, who is performing the duties of the Pentagon’s chief information officer, told industry to stop “complaining” that the Cybersecurity Maturity Model Certification (CMMC) program is “too hard.”
Arrington, who was the lead creator of the CMMC program during the first Trump administration, said that by communicating to the world that the program is too difficult, companies are not only admitting to the Pentagon and other customers that they are not compliant, but are also making themselves a target to China, Russia and other adversaries.
“Going on LinkedIn and complaining to the world that the CMMC is too hard … you’re — and I want to say [with] the most respect I can to anybody — you’re foolish in what your statement is, because your company has been contracted since 2014 to institute the 110 requirements of the NIST 171. What you’re saying is you’re noncompliant,” Arrington said during an INSA Coffee Series webinar on Thursday.
“You are out there openly saying to the world, you are not compliant. Stop doing that. Number one, it doesn’t help our national security at all. I don’t need China, Russia, Iran, Afghanistan, North Korea, knowing any more about us than they already do.”
CMMC, first published in January 2020, sets assessment standards and procedures for contractors that handle controlled unclassified information (CUI). Even before its release, however, companies were already on the hook to implement the existing NIST CUI requirements; what CMMC adds is a tiered structure in which the scope of those requirements depends on the level a contractor must meet. For example, Level 2 requires all 110 security requirements in NIST SP 800-171, and Level 3 adds 24 selected requirements from NIST SP 800-172.
Arrington and her team, however, determined that not enough companies were actually implementing the NIST requirements, so they created CMMC both to enforce them and to require that contractors be assessed, with third-party assessment mandatory depending on the level a company must meet.
Arrington did acknowledge that smaller businesses may have a harder time meeting CMMC, but pointed to government resources such as MxD, the National Center for Cybersecurity in Manufacturing, which equips companies with tools to bolster their cyber defenses, and Project Spectrum, which provides resources and tools to help small businesses adopt cybersecurity best practices.
“There’s a ton of capability out there, you just have to look for it,” she said. “We found most of the time, people don’t want to go and put the time in to go look for the resources, and there’s only so much money that we, in the Department of Defense, resource wise, I can’t handhold you to go find that. It’s your business. You’ve got to take ownership of it.”
Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s Office of the Chief Information Officer, also acknowledged during a Professional Services Council event on Thursday that CMMC can be burdensome on small businesses.
“You’ve got to recognize the importance to our nation to become cyber secure. Now we also recognize, we did hear you that, ‘Hey, it’s not easy to become cyber secure and meet those requirements.’ We’ve been working with the cloud service providers and managed service providers to beg them to help us come up with a capability that would allow companies to kind of have the easy button,” she said.
The “easy button” Bostjanick is referring to is a path in which a company brings in a cloud service provider, such as Amazon Web Services, Oracle, Microsoft or Google, to quickly get it compliant with CMMC.
As an example, Bostjanick said that some larger cloud service providers like those listed above have been able to get a company that was compliant with zero NIST standards to all 110 within two months.
“If you’re a small company and haven’t really thought about getting cyber secure, but now, all of a sudden, it’s hitting you like a ton of bricks, like, ‘Oh my, I’m not going to be able to get that contract because I’m not cyber secure,’ reach out and look at Amazon, Google, their offerings.”
In wrapping up her keynote, Arrington repeated one of her common phrases “one team, one fight,” pointing to the fact that the entire defense industrial base needs to be cyber secure as adversaries are only getting stronger.
“You’re not going to get a lot of warm and fuzzies from me,” she said. “I need you to do better, and you know, why I need you to do better is because the adversary is already in your network. That’s a guarantee.”