The landscape of cybersecurity compliance within the defense sector is evolving once again with the return of Katie Arrington to the Department of Defense (DoD). Having been named the acting Chief Information Officer (CIO) of the DoD, Arrington’s leadership signals a renewed commitment to strengthening cybersecurity across the defense industrial base (DIB). Given her instrumental role in the creation of the Cybersecurity Maturity Model Certification (CMMC), her influence is expected to drive further enforcement and refinements of the program.
Arrington’s Expanded Role at the DoD
Mere weeks after being appointed as the Chief Information Security Officer (CISO) for the DoD, Arrington was named the acting CIO by Secretary of Defense Pete Hegseth. This move places her in a key position as the primary advisor to the Secretary of Defense on information management, IT, cybersecurity, and critical communication infrastructure. With her expanded responsibilities, Arrington is expected to bring further clarity and enforcement to cybersecurity policies, including the CMMC framework.
The Reality of CMMC Compliance
As discussed in Arrington’s recent LinkedIn post, there remains a fundamental truth about cybersecurity in the defense sector: self-attestation does not work. This is precisely why CMMC exists—to ensure that contractors handling Controlled Unclassified Information (CUI) have implemented the necessary security controls.
With Arrington at the helm, several key takeaways emerge for defense contractors:
1. CMMC Compliance Is Here to Stay
Despite delays and revisions, the CMMC program is not going anywhere. If anything, its implementation and oversight may accelerate. Contractors who have been hesitant to take compliance seriously can no longer afford to wait.
2. Increased Enforcement Is Likely
Expect heightened scrutiny regarding cybersecurity requirements in DoD contracts. Compliance will no longer be an optional checkbox but a critical prerequisite for securing defense work. Companies should anticipate more rigorous audits and accountability measures.
3. Potential Refinements to the CMMC Framework
Arrington’s leadership could lead to refinements in the certification process, potentially streamlining adoption while maintaining effectiveness. Adjustments may be made to address industry concerns and improve efficiency, but the core goal—ensuring cybersecurity within the DIB—will remain unchanged.
The Time to Act Is Now
For defense contractors, proactive preparation is key. Strengthening cybersecurity posture, conducting gap assessments, and working toward full compliance should be immediate priorities. As the DoD sharpens its focus on cybersecurity, non-compliance will result in lost opportunities and exclusion from critical contracts.
Katie Arrington’s return reinforces the necessity of CMMC and the broader effort to secure the defense supply chain. Defense contractors who prioritize cybersecurity and take decisive action now will be best positioned for success in this evolving regulatory landscape.
How Iviry Can Help
As the regulatory environment shifts, companies need expert guidance to navigate CMMC compliance efficiently. Iviry specializes in helping defense contractors achieve and maintain cybersecurity readiness. From conducting gap assessments to implementing necessary security controls, Iviry ensures that businesses remain compliant and competitive in the DoD contracting space.
With a deep understanding of DFARS, NIST 800-171, and CMMC frameworks, Iviry provides tailored solutions to streamline compliance efforts, reduce risks, and strengthen overall security posture. Now more than ever, partnering with a trusted cybersecurity advisor like Iviry can make the difference between securing DoD contracts and being left behind.