If you’ve been waiting for a clear sign that CMMC is moving forward at full speed, this is it. The Department of Defense (DoD) has named Katie Arrington as Acting Chief Information Officer (CIO)—a move that should eliminate any remaining doubts about the future of Cybersecurity Maturity Model Certification (CMMC).
This appointment is not just another leadership shift inside the Pentagon. It’s a clear message: CMMC is happening, and the time to prepare is now. If your company does business with the DoD, this means your cybersecurity posture is no longer a secondary concern—it’s a mission-critical priority.
Katie Arrington has been the face of CMMC since its inception, and for good reason. As the former Chief Information Security Officer (CISO) for Acquisition and Sustainment at the DoD, she was the principal architect behind CMMC. Her work was driven by a simple but urgent truth: self-attestation was failing, and America’s defense supply chain was dangerously vulnerable to cyber threats.
For years, DoD contractors only had to attest that they were following security best practices (under DFARS 252.204-7012, that meant self-attesting to NIST SP 800-171 implementation) without any independent verification. The result? Data breaches, intellectual property theft, and nation-state intrusions into the defense industrial base that cost billions and compromised national security.
Arrington was one of the few leaders willing to push back against complacency, insisting that contractors must prove their cybersecurity readiness through independent assessments. Her stance was clear:
“If you want to work with the Department of Defense, you have to prove you can protect our data. Period.”
That philosophy became the backbone of CMMC. When she left the DoD in 2021, some in the industry speculated that CMMC might be watered down or even abandoned. But her return to the Pentagon as Deputy CIO for Cybersecurity, and now Acting CIO, makes one thing abundantly clear: CMMC is moving ahead, full force.
As a business leader, I understand why some companies have been slow to act on CMMC. The program has seen delays, updates, and changes, leading many to take a "wait and see" approach. But with Arrington back in the driver’s seat, that window of hesitation has closed.
CMMC has undergone refinements, but its core objective remains unchanged: ensuring contractors implement and verify cybersecurity best practices. Arrington herself has made this crystal clear:
“The executive order pulling back regulations, this does not apply to the CMMC.”
“The CMMC is going to stay in place. There’s no question about that.”
If you’ve been waiting for more certainty before investing in compliance, you now have it. CMMC isn’t going away, and companies that fail to comply will lose out on DoD contracts, plain and simple.
The days of self-attestation as the sole basis for eligibility are over. Under Arrington’s watch, the DoD is doubling down on third-party verification. Contractors handling CUI at CMMC Level 2 must, where the contract requires a certification assessment, demonstrate compliance through an independent assessment by a CMMC Third-Party Assessment Organization (C3PAO), and Level 3 adds a government-led assessment by DCMA’s DIBCAC. Level 1 (and a limited set of Level 2 programs) remains an annual self-assessment, but one that now requires a senior company official to affirm the result in SPRS, which turns an inaccurate claim into a False Claims Act liability rather than a paperwork problem.
The "trust but verify" model is officially here:
“The President is a ‘trust but verify’ kind of guy, so don’t think he’s going to walk this back.”
For companies that have not yet started preparing, this means urgent action is required. The backlog for assessments will grow quickly, and those who wait too long may find themselves locked out of the DoD supply chain.
Beyond compliance, CMMC presents a strategic opportunity. Once CMMC requirements appear in a solicitation, the required level is a condition of award, not a tiebreaker, so companies that proactively achieve certification will be eligible to compete while others scramble to catch up. Those who delay will find themselves at a serious disadvantage relative to their competitors.
If your organization handles Controlled Unclassified Information (CUI) or works within the DoD supply chain, waiting is no longer an option. CMMC compliance must be a boardroom priority—delay means lost contracts. Here’s what executives must do immediately:
1. Make Cybersecurity a Leadership Mandate
2. Conduct a CMMC Readiness Audit
3. Engage a C3PAO Now
4. Harden Your Supply Chain Security
5. Strengthen Documentation and Monitoring
6. Stay Ahead of Policy Shifts
Katie Arrington’s appointment removes all doubt about the direction of CMMC. It’s mandatory, it’s moving forward, and contractors who fail to comply will be left behind.
The defense supply chain is under constant cyber threat, and the DoD is making clear that only secure companies will remain in the ecosystem. If CMMC isn’t on your boardroom agenda, you are already behind.
At Coalfire Federal, we help defense contractors navigate CMMC compliance with expert guidance and strategic insight. Whether you need an initial gap analysis or full-scale compliance assistance, we are here to ensure your business is secure, compliant, and positioned for long-term success.
Protect the mission. Secure your future. Let’s talk today.
Bill Malone has served as an executive for over 30 years and has been recognized for his leadership and business experience, most recently being named a 2024 Top Cyber Exec to Watch by WashingtonExec. As President of Coalfire Federal, Mr. Malone leads through thoughtful policy, mission expertise, and a deep understanding of cutting-edge technology. Keep up to date with him on LinkedIn and learn more about the Coalfire Federal mission.