Katherine “Katie” Arrington,  Chief Information Security Officer for Assistant Secretary for Defense Acquisition, gets down to the nitty gritty of CMMC, Part 1 of 2 episodes.

Episode Table of Contents

• [01:31] Time is of the Essence
• [06:10] Beating the Timeline
• [11:21] Risk Control
• [17:47] The Cyber Realm
• About Our Guest

Time is of the Essence

Arika:​ We have a great guest this week to start and kick off our new year. We have Katie Arrington who is the CISO for the Assistant Secretary of Defense Acquisition. That's a mouthful, Katie. Thank you so much for being on the podcast.

Katie:​ Thank you. I appreciate that. You know in the DOD, we love a good acronym.

Arika:​ Oh, definitely, we know that.

Arika:​ So Katie, you've been in your position right about a year, is that right?

Katie:​ Today is my anniversary.

Arika:​ Oh wow, happy anniversary.

Katie:​ Thank you. They brought me in and said, take six weeks to figure out what you need to do. After the sixth day I said, can I tell you now? Because I'm ready. Time is of the essence. It's been a crazy year. But where there's a will, there's a way, and there's definitely a way to get this done.

Eric:​ And there's a need also, I can't think of a more critical project in the government.

Katie:​ Well thank you. I appreciate that.

Arika:​ We know one of your primary focus areas is to develop new site cybersecurity standards for contractors. And we know, especially in the defense world, there are a lot of contractors, large and small. Tell us just a little bit more about how does one even take on such an endeavor as large as that?

Katie:​ Understanding how big the need is makes it really easy for me. Our adversaries and we can start with China, then we have North Korea, Russia, obviously Iran right now, their whole job is to have us not exist.

The Amazing Work of NIST

Katie: And the easiest way to do that has been through our supply chain. It's the easiest way to get access to us, because we haven't had any real, and I say real, NIST is amazing. I can't say enough about the people that work at NIST.

Eric:​ The cybersecurity framework and the work they're doing is that what you're referencing?

Katie:​ It really is. The National Institute of Science and Technology. They have done the Lord's work and getting controls out there. The problem is President Obama back in 2014 actually signed an executive order putting the NIST 171 to life, which is the basis for our cybersecurity. And that went into most contracts for the DOD, and we had to have it implemented by 2017. Well, most people don't even understand what we're talking about. It was all on self-attestation, and when I go out and I speak publicly about this, I make a joke about it, but no one thinks when they look in the mirror they look bad, right? We all think, when we do a self-assessment, we think we're doing the best.

Katie:​ But really we all look fantastic. But what has happened is we've realized we're losing how we know it's a real thing. How we know we're not as beautiful as we think we are when we look in the mirror. We're losing 600 billion dollars a year in the US to our adversaries.

Katie: The defense budget this year was 738 billion. You are losing almost the defense budget, which is our largest spend every year, to exfil IPbacked data loss. So we had to do something, so the self attestation wasn't working.

The Birth of Cybersecurity Maturity Model Certification
 

Katie

: I'm a firm believer that more eyes on a problem can find a solution. We needed to set up away for companies to get assessed and to be able to say, listen, I think that you're doing a wonderful job, but you missed X, Y, and Z. We need to close those gaps up and get you as secure as possible.

Katie:​ So we created the CMMC, the Cybersecurity Maturity Model Certification. We are turning it over to the accreditation board actually this month in January. It will start showing up in RFIs and contracts in the June timeframe, and it will be in RFPs in the fall of 2020. Not all. It takes five years to get through our acquisition cycle.

Katie: So as new contracts come, we're going to start putting the CMMC requirement in. And the big thing that I can say is because we are making it a requirement, security is now an allowable cost. So what we'reasking companies to do to protect the data is something that the government is going to be willing to pay for.

Katie: Moreover, and this is really what I want to get into a discussion with you guys, why are we doing this now? What's the critical need today? And I'll put it out to you guys. What does Quantum do? What's the number one thing Quantum computing can do?

Arika:​ Congratulations. Because in such a short timeframe, it’s going to be already out in RFPs this fall. That is a crazy timeline, especially on the government timeline. So wow, that's really extraordinary. I think obviously it reiterates the need for something like this, how quickly you were able to roll this out.

Beating the Timeline

Katie:​ I'm sitting here at my desk right now and I'm looking at my timeline, and I get a lot of feedback. I read a lot of news articles and periodicals, that we're moving too fast.

Katie: ​If I don't do it now, we don't get something in place by 2025, because as I mentioned earlier, it's a five-year acquisition cycle. Most contracts are three plus two option years. So I can't put the CMMC on a contract that's already existing. Because then there'd be a cost associated with it. So we have to wait until the contract comes, or the program, the PEO or the PM has to be able to do a mod to the contract where they'd be able to increase the...

Eric:​ CNA. Exactly.

Katie:​ Yep. So we've got a five-year timeline. Well, in 2025 two things happen. A 5G becomes a commercially available capability, and that's a game-changer. That means that our adversaries who are going into the supply chain, and they're going into that small business who doesn't even know that they're a target, and they're pulling low and slow, they're not pulling a lot of data at a high frequency.

Katie: They're doing it very low, very slow. They're coming in on simple, easy ways. Phishing emails. They're doing DDOS attacks. The TTPs on how they come in haven't really changed that much in the past five years. They're all the same type attacks.

Katie: It's just that we're not paying attention to them as much as we should be. So 5G comes on, they don't have to worry about being low and slow. They can use blunt force trauma. And then quantum computing becomes a commercially available capability, which breaks basic level encryption.

The Urgency of Understanding Basic Cyber Hygiene

Katie: Now that encryption won't be the type that is in our high-value weapons systems and whatnot. But the mom and pops that are operating today? It absolutely will.

Eric:​ Who aren't even encrypting their data. I guarantee it in most cases.

Katie:​ Right, and so we're going to have this in 2025. If we don't get ready now if the companies don't understand basic cyber hygiene now, if they wait five years, if they don't move the needle now, it's going to be too late.

Katie: Because our adversary, when they're intaking whether it be CUI, controlled unclassified information, or they're taking your own personal banking information, they're taking it all with them. And every business is susceptible. The thing about cyber, and when I go out and I talk to people, I ask them, tell me something in your life without cyber.

Katie: Inevitably, I'll be sitting and somebody will say, this Apple in front of me. I'm like, well how did the Apple get there? Right? It was all cyber. I joke around, and somebody said, well, love. And I'm like, well, I met my husband on eHarmony, so that's out right?

Eric:​ I was thinking yoga, Katie, and to sign up for the yoga class you go online.

Katie:​ That's right, you go online. There isn't anything that doesn't have some level of cyber on it. I'm 49 years old. I grew up in the age of technology. I remember my first flip phone and I did not, when Al Gore created the internet, he did not realize what he was doing.

Eric:​ Well he certainly didn't mandate security from the beginning.

Understanding That Security Is Not Equal for All

Katie:​ No, and we absolutely didn't realize the impact 20 years ago, 10 years ago. And what we have to realize is that our supply chain has been there for a hundred years with us. This is not something new. Our supply chain is the best in the world, our defense supply chain.

Katie: These are people and companies who absolutely want to do the absolute right thing. The problem is the NIST, if you know that standard, that 171 standard, if you're not an IT professional, it's really hard to understand.

Eric:​ It's a different language.

Katie:​ It is. So the charge of my team when we created the CMMC was, first thing's first. I pray I am never the smartest person in the room, and to date it has never happened. But I do look at things like if I can't understand something, then that's a problem.

Katie: So I said translate the CMMC, take those controls, which are the right controls, and they're the same type controls that are in the ISO standard 27001, and translate them to English so that any small business owner could understand what you're asking them to do.

Katie

:​ The first thing about the CMMC is understanding that security is not equal for all. You have to use your very expensive, very exquisite on what is important to protect. You use basic cyber hygiene on everything else.

Katie: I talk about American ingenuity and where we became the best. What we have is a Delta. And we need just a room within the Delta. The Delta that I'm discussing is, I need to buy down the risk. I need to buy up the uncertainty.

Risk Control

Katie: Right now they're pretty close to touching each other because no one really understands the risk so it's hard to buy it down. And there really isn't a tremendous amount of uncertainty because it's a known quantity.

Katie: The CMMC will create a Delta for businesses to function, give them the capability to buy down the risk by getting basic cyber hygiene skills, by up the uncertainty by working to do more than they have been doing to protect themselves.

Katie:​ And in that Delta, that's where we're the best. That's where this nation is the greatest nation that has ever been or ever will be. And the people supporting this national defense is the delta that they will succeed in. The whole point of the CMMC is to make that delta as wide as possible. We know that the threat will change.

Katie: We know that the things that we're doing today, and when quantum comes online when 5G comes online, we need to be able to have something that we can move and be. And I don't like to use the word because I think it's overused but agile enough to understand we need to modify the threat vectors and how we're protecting them. The CMMC will be the tool that we use to help the industry protect themselves.

Eric:​ Now, Katie, when I've seen data stating there's 300 thousand or so plus defense industrial base contractors out there, is that a fairly accurate number?

Katie:​Yep. So we have clear defense contractors that range from 12 to 16 thousand where are the ones that are getting controlled unclassified information. Then there's the whole supplychain, that's 300 thousand plus companies absolutely.

Eric:​ That could be people making food for the military, tires...

Who Needs Cyber Protection?

Katie:​ Absolutely. One of the examples that I talked about when I was out doing the “speaking tour” this summer, was that I had a company that came and they said, you know ma'am, we're just landscapers. We just mow lawns on bases. We don't need any cybersecurity. We're good.

Katie: And I said, well how do you bid your work? The gentleman that I was talking with said, well they send us the plans and then we work out how much square footage there is to mow. I said, so they're giving you the layout, the infrastructure, and everything, to the base? He's like, yes ma'am. Otherwise, I'd mow over a gas line.

Katie:​ And I just sat there for a minute. I said, so you don't think that you need any kind of cyber protection when you're getting the entire electrical layout of the natural gas, the water and everything for a base? You understand where the fence lines are. You're showing where the guard checks are. And he stopped for a second. Okay, ma'am, I didn't even think about that.

Katie

: And I'm like, everybody needs it. And for companies that say like, oh, it's a burden too high. It's just good business sense. Why would you not want to be in business with somebody, a partner with somebody, who understood risk and were able to mitigate it so that we can work together, work as collaborative partners in a trusted environment? I just can't imagine why anybody wouldn't want to say, I have good cyber hygiene.

Upping the Ante in the Cybersecurity Playing Field

Eric:​ I'll tell you why. As a vendor, it's not something that's inspected as part of the procurement process today in most cases, right? So if you have it, it's an extra cost to your business. The fact that this is going to be universally laid out to all DIB companies, defense industrial base, I think levels that playing field. You don't get extra points for securing your data more effectively.

Eric: You just don't today. And that's what I love about the way you're rolling this out and mandating it for everybody. It levels that playing field. And when the DOD is providing for those allowable and reimbursable costs, you're essentially paying to make American suppliers more secure, which I think is...

Katie:​ So you think about how the adversary goes about it, right? They're going out there, and the best way that they can defeat us is to let us defeat... It's always easiest to let the demise come from within, right? So your adversary gets in, they exfil into a system, and I'll just use somebody that's using an AutoCAD drawing.

Katie: It's a lot easier for the adversary to modify that drawing when you don't have any cyber protection on you, on your system. And you manufacture a part. You're doing it to the specs that you're seeing in front of you, but the adversary has manipulated it.

Katie: So it's going to take several product runs before your partner, your prime, figures out that there's a quality problem. They're going to say you're not meeting spec and you're just going to say, I made it to spec. Meanwhile, you lose the contract and go out of business. That's a win for the adversary. Right? And they're doing it now.

The Cyber Realm

Katie:​ There's a report out that they spent around $200 billion to buy up our supply chain last year. That's their goal.

Eric:​ Oh, you see articles all the time. So let me ask you then, your $600 billion a year, essentially the defense budget. That espionage, not including sabotage, like impact to the businesses, or is it just IP theft?

Katie:​ It is all, right? Companies, the $600 billion is, from across the US, how much companies are losing. IT theft is big, right? But straight-up espionage is another. There's this study out on the NDIA's website. They did a survey of small businesses.

Katie: The survey said 74% of small businesses said they'd never been a victim of a cyber attack. And the thing that came to me in that immediately, it was like, wow, 74% just don't have any idea. The next war does not start in a kinetic fashion.

Eric:​ Why should it?

Katie: ​It's January 6th, I'm looking at Fifth Domain, there's an article out written by Andrew Eversden a couple of days ago, and the title, They're Going to Want Bloodshed, Five Ways Iran Could Retaliate in Cyberspace. Well, absolutely. We have to understand that there isn't a place where you can't reach somebody in the cyber realm, right?

Katie: Kinetic, if you're flying an F-35, or you have a patriot missile, or you have a military member holding a weapon, there is a finite amount of territory that they can cover. The bullet can only go so far. The missile can only go so far. Cyber goes everywhere.

Eric:​ And it's cheap.

Danger in Disguise

Katie:​ Well, I would say I wish it didn't take as little effort as it is, but companies don't understand. And my husband, bless his heart, I love him. He owns a small business. He will never make this mistake again. But he literally took a screenshot from his phone a couple of months ago, I was sitting on a Saturday afternoon, and he sends me a screenshot and he's like, babe, we can retire.

Katie: And it was a phishing scheme that he had opened the email, it said, Dear Mr. Arrington, you have a relative who passed away in the UK recently and they've named you in their estate. Could you please send?

Katie:​ I said to my husband, did you open that email? He's laughing. He's like, yeah. I'm like, babe, do you not know what I do for a living?

Katie:​ You are the problem. Does the fact I've been gone for nine months mean nothing to you? It's just, that's the kind of... And he's a smart man. It's that easy for the adversary to get in.

Eric:​ Katie, Arika has a Prince in Nigeria that's holding a lot of cash for her also. We've talked about that in the past.

Katie:​ I'm so glad.

Arika:​ This conversation with Katie we believe deserves two episodes. So we're going to pause it right here, and please tune back next week and we'll finish this conversation with Katie Arrington. Thank you.

Arika:​ Thanks for joining us on the To The Point Cybersecurity podcast, brought to you byForcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast. And don't forget to subscribe and leave a review on iTunes or the Google play store.

About Our Guest

Katherine “Katie” Arrington is currently the Chief Information Security Officer for Acquisition. In this position, she serves as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment, OUSD(A&S), to align acquisition cyber strategy.

As the cyber lead and programmatic analytic advisor for strategic cyber programs, Ms. Arrington is responsible for conducting analysis within the major defense acquisition program portfolio and across the Department of Defense. This cross functional analysis will ensure transparency within the acquisition strategy, interoperability between enterprise networks, and compliance strategies for cyber initiatives.

She also meets with key Cyber personnel (across both DoD and Federal Agencies) as well as legislators to ensure that changes made in the National Defense Authorization Act (NDAA) are supportive in reaching the goals of decreased spending and increased compliance with current and future standards. The final focal point will be on protecting the Department’s intellectual property/data and securing our weapon systems and critical infrastructure.

Before assuming her position in OUSD(A&S), Ms. Arrington had an extensive career as a legislator and senior cyber executive. Ms. Arrington was a candidate for South Carolina US House of Representative 2018 and a South Carolina State Representative for two terms. She has substantial experience and capabilities in cyber strategy, policy, enablement and implementation across a wide range of domains, including DoD, Federal, Healthcare and State.

She acquired her experience in cyber over the past 15 years with Booz Allen Hamilton, Centuria Corporation and Dispersive Networks. This has given her the unique experience of working at a large business, small business and non-traditional contractor for the government. She attended Canisius College in Buffalo, NY.