Critical Update: Why the Pentagon’s Cybersecurity Certification Program Inspires Hope and Fear


The Defense Department’s Katie Arrington, and representatives from across the federal contracting community share perspectives on a new era dawning in U.S. cybersecurity policy.

The implications of the Defense Department’s plan to subject its suppliers to independent cybersecurity audits, a program known as Cybersecurity Maturity Model Certification, apply far beyond the defense industrial base. Contractors of all shapes and sizes are in a tizzy. 

Before the end of the year, the Defense Department intends to finalize a rule change that will require any contractor it engages with to have obtained a certification of its cybersecurity practices from an approved external auditor. The new rule will end the department’s current practice of taking companies at their word on this. 

And Katie Arrington, chief information security officer for DOD’s acquisition office and the woman heading up the program, likes to remind those who might be running scared of a certain fact: There’s no escaping CMMC; its adoption or replication across the federal government and the broader U.S. economy is inevitable.

“It’s not DOD, that’s one thing I want to make clear,” Arrington says. “This isn’t just DOD.” 

As ambitious as the CMMC seems—the program looks to eventually cover 300,000 contractors and subcontractors—it’s still just a small part of the equation in emerging U.S. cyber policy.

Consumers—most notably the federal government, but across the board—have a crucial role to play but haven’t had reliable access to the information they need to drive the market toward more secure products and systems, esteemed cyber policy thinkers now largely agree. In an ecosystem where independent validators can attest a level of cybersecurity, entities that invest in implementing the appropriate controls have a better chance of recouping their costs. 

Many of the small-business members of the National Defense Industrial Association are counting on the CMMC to level the playing field in this regard. But they, along with big tech companies represented by the Information Technology Industry Council and the diverse membership of the Professional Services Council, are all crossing their fingers and hoping that a host of considerations—such as what kind of data merits which level of protection—will fall into place for the program’s success.

You can listen to the full episode below or download and subscribe to Critical Update in Apple Podcasts or Google Play.