
Pentagon Acting Chief Information Officer Katie Arrington delivered a blunt message to defense contractors on June 5: stop complaining that the agency’s Cybersecurity Maturity Model Certification (CMMC) is too difficult.
During an Intelligence and National Security Alliance Coffee Series webinar, Arrington criticized industry grumbling about the Defense Department’s (DoD) cybersecurity standards, arguing that those complaints send the wrong message to both government partners and foreign adversaries.
“Complaining to the world that the CMMC is too hard … you’re – and I want to say [with] the most respect I can to anybody – you’re foolish in what your statement is,” Arrington said. “What you’re saying is you’re noncompliant.”
The CMMC program, finalized by the Pentagon in October 2024, is designed to ensure contractors across the Defense Industrial Base (DIB) meet minimum cybersecurity requirements to protect sensitive government data. The rule mandates that contractors implement protections for Federal Contract Information and Controlled Unclassified Information, particularly for high-priority programs.
Arrington, who originally led the CMMC program under the first Trump administration, warned that public complaints about the program’s difficulty can serve as a roadmap for adversaries like China, Russia, and North Korea.
“You are out there openly saying to the world you are not compliant,” she said. “Stop doing that. Number one, it doesn’t help our national security at all.”
Since its inception, CMMC has faced pushback from industry groups and lawmakers, particularly over its cost and complexity. Smaller companies have argued the requirements are a disproportionate burden on their limited resources. Arrington acknowledged these challenges but remained firm in her stance.
She pointed to government resources like MxD, the National Center for Cybersecurity in Manufacturing, and Project Spectrum as valuable tools for smaller businesses struggling to meet standards.
“There’s a ton of capability out there, you just have to look for it,” Arrington said. “Most of the time, people don’t want to go and put the time in to go look for the resources.”
“There’s only so much money that we, in [DoD], resource wise, I can’t handhold you to go find that. It’s your business. You’ve got to take ownership of it,” she said.
Although Arrington emphasized the urgency of compliance, CMMC has not yet been fully implemented into DoD contracts. After multiple revisions and delays, enforcement is now expected by mid-2025. However, the program still faces regulatory hurdles amid the President’s ongoing deregulatory initiatives.
Despite these delays, DoD officials insist that the program’s implementation is a matter of national security, and a question not of if, but of when.