Katie Arrington gets into the nitty-gritty of CMMC, in this two-part series.

Episode Table of Contents

• [0:26] The Vision of DOD Supply Chain
• [05:23] Shoring up the Simple Stuff
• [11:49] How Do We Fix the Problem With the DOD Supply Chain?
• [16:33] CMMC as a Communication Tool
• About Our Guest

The Vision of DOD Supply Chain

Arika:​ Last week, you heard the conversation that we had with Katie Arrington, the CSO for the Department of Defense for Acquisition. We're going to continue that conversation this week.

Arika:​ I think what you're doing in the defense world is incredibly impressive and certainly. There’s a need that's driving the sense of urgency here. Do you foresee that across other agencies and departments in the government, especially those that deal a lot with the same contractors?

Arika: Do you see that they will also start to roll out similar standards? And it's a new decade. Where do you see with this being rolled out right now? Where do you see us, let's say in 2030. As we roll this out starting with Department of Defense, where do you see us in 10 years?

Katie:​ I know other federal agencies are already looking at it. So I've got to work all the bugs out. I want everybody listening to this podcast to know that there will be problems. There will be challenges. We will overcome them. You all keep forgetting to remember who we are. We are the people that put the man on the moon. We can do this.

Getting Cyber Certified

Katie: We're going to have our issues. We will stumble, I am sure. But I do believe that as we roll out in 2020 and 2021 you're going to see several other federal agencies, large ones, adopt the CMMC. Where I think this ends in 2030: I think that the CMMC becomes two things. In 2020, it is going global. So if you are in countries Canada, UK or Australia and you're in the manufacturing or you're part of our supply chain, you're going to have to get certified.

Katie:​ We're already talking to our partners. Go back to the time after World War II. When we started doing military standards, the mil-spec, about manufacturing defense products, at the same time we did that, NATO stood up. They had a NATO standard on what is basically what they defined as quality and safety in manufacturing. When those two started to elevate, they came together and created something called the ISO, the International Standards Organization.

Katie: The reason our team took so many different standards and put them into the CMMC, is like ISO international standards 27001. You'll see that in the model. I actually put that in there because our allied partners are already doing a lot of this. A lot of them have already moved out and they have their own cyber certifications.

Katie:​ We are working with them to do reciprocity to mold them together and I think CMMC will become a standard that will be used in a global environment in the very near future.

Cybersecurity Insurance

Katie: In 2030 I can see we have what FINRA, a financial cyber certification companies have. There's HIPAA for the healthcare, but I think it's going to get more robust with the CMMC added to it. But that will become the norm. And I harken to say that I think cybersecurity insurance will become part of our daily language. Much like, car insurance.

Eric:​ I love that.

Katie:​ You know, we have home insurance, we have renters insurance, business insurance. It only makes sense that I think that in 2030, one of the things we look at is cybersecurity insurance. We know it will happen, but are you doing your due diligence to buy down the risk and buy up the uncertainty that will determine your rates? But I think that absolutely we will be.

Eric:​ I love the reference to ISO. I hadn't thought about it from that perspective, but it's something that needs to be built in from the beginning. We talk about that all the time. In the industry, we keep spending more money and getting further and further behind the problem. Quite frankly, it's easier to steal it than to build it. And why fight it if you can just break it via cyber, changing the plans back to your point. But having it as an industry standard, something that's just built in, makes sense.

Katie:​ When we think about most of our weapons systems, they're 20 to 30 year legacy systems. So we have to get good at what we're doing now.

Shoring Up the Simple Stuff

Katie: By just shoring up the simple stuff, which is Occam's razor, always the simplest and easiest solution, you always go to it. If our industry can do something like update their passwords and don't tape them to their computers, that would be really nice. I play this game in airports where I see people's passwords taped to their computers, it drives me crazy. If I can have people actually activate and maintain their antivirus software, that would be-

Katie:​ Basics, and do a company wide warning “don't open an email you don't know, notify us”. If we could just do those simple things across the board, we would drastically reduce the amount of ax bills that go on.

Katie:​ Then we could take those resources and put it to more R&D, that we can put those resources back into our country's economy, our defense industrial base, and really go back to basics. I mean, this is not about getting rich. It's about doing the right thing because I'm a strategic thinker. I'm longterm. I need that small business in Dubuque, Iowa to be there.

Katie: Because if I'm developing a weapon system with them, I've got a 20 year life cycle. I need you to be there in 20 years. I want to make sure that you have the right investment. That you have the standards that you need to do business. And cyber is one of them. And we've defined quality and safety really, really, really, really good in this country. I mean, we do an amazing job.

A Whole New Realm

Katie:​ The aeronautics industry has shown us when there's a safety issue, they share that information because it's important to people's lives. We have to get that way about sharing security threat intel so that we can protect ourselves. Because we really are in a whole new realm of business espionage and cyber attacks. And we have to get there. There's no, what is it? There is no I in team. With 90% of our data living on our partners' networks, it's a we thing and we have to work together to solve it.

Eric:​ The cost of certification is considered an allowable, reimbursable call. How are we looking at that from a budgeting perspective? Are we plussing up the DOD budget, are we just going to do less? Are we pulling it out of future savings where we're not going to have our intellectual property stolen? Or in the example you gave, which I don't think a lot of people think about, we're not going to have our product mis-configured by an adversary logged in one of our systems. How do we pay for that?

Katie:​ We've gone through the first initial ones that we're talking about. We're working with the PMs to ensure that there's the cost. We’re also doing some cost analysis and cost realism has been something that we've really been focused on. I'll say that we have been working with all of the right federal agencies to make sure this happens. Then we have the money.

The Big One

Katie: The big one is OMB. They have been very gracious to us to understand the cost. But we kind of need to take one step back. So if you're a company right now and you have DFR clause 252.204.7012 and you are touching CUI.

Eric:​ CUI is Controlled Unclassified Information.

Katie:​ You have been attesting that you're doing all 110 controls of the NIST 171. Have you been doing that for-

Eric:​ We're all lying to you.

Katie:​ It's not lying, so we've been working with the PMs to make sure that the cost realism is there. The Navy has leaned in. Air Force has leaned in as well with cyber requirements in their contracts and they're understanding that they're paying for those. But the challenge is that, once again, I came from being a contractor. I mean, that's where I cut my teeth in DOD and what we haven't, DOD unto itself didn't realize.

Katie: That's why the CMMC is so important. Companies generally don't work with just one branch of service. They're working with all. When you have one set standard for Air Force or one set standard for Navy, it is financially a burden for companies to have to go out and meet that criteria or this criteria to be doing the work. The CMMC unifies that. Therefore it'll reduce the cost for an industry to get certified.

Katie:​ Once every three years you get certified, we're going to build it into the rates. We understand the cost. We make sure that the industry is getting paid for what we're asking them to do because that's how business works.

Rocking and Rolling

Katie: The fourth part is we're going to come back and continually audit to ensure that industry is where they need to be. But no, we've done our budgets. This year our budget came two weeks ago. Thankfully, Congress just passed our budget. We're rocking and rolling and we have the resources. And I will say that Congress did give us plus ups to make sure that we did this correctly.

Katie: So our friends in the legislators did us a huge service. They plussed up a lot of areas in appropriations that we didn't ask for. Knowing that this was coming and our PMs and PEO shops had been working diligently with us over the past year to make sure that we could get to where we need to be.

Eric:​ Outstanding.

Katie:​ Definitely. The government, when we have a common interest, we can do great things. But the CMMC is not a Katie Arrington thing. This really is about those 300,000 businesses. Moreover, the 290,000 small businesses that are the bread and the butter, they are literally the bedrock of this nation. And ensuring that they're there for the long term is the most important thing for us.

How Do We Fix the Problem With the DOD Supply Chain?

Katie: There are people who volunteered to sign up to serve this nation and put the ultimate sacrifice on the line for our freedoms, we have to ensure that they're having the absolute best behind them. I can't think of anybody in the world that I would not want working within our industrial base right now on that team, doing the right things and giving them the capability to be as secure as possible.

Katie: But just like when we came out with the ISO standards, when you went to work on a manufacturing line 75 years ago, no one told you to put goggles on. No one told you to put a hard hat on. It's because the threat changed, how you protect yourself changed, and that's where we are today.

Eric:​ We typically have guests and I usually ask the question: how do we fix this problem? And the problem is really the cyber problem. Intellectual property theft, malware, you name it. And we never really get what I'll call a satisfactory answer. I can tell you that I truly believe CMMC is going to be the biggest driving force in the US economy, if not the global economy.

Eric: It will help us secure our infrastructure, secure our businesses. When I look at it, it's the most practical, most capable, strategic level effort. It actually helps us stop losing to all of these adversaries who just want to take information or put us out of business, whatever it may be. To me, this has the most promise.

The Tracks That Make Cybersecurity Tank Work

Katie:​ Well, thank you. I appreciate that. I look at it like when we originally started driving cars. There weren't any rules or standards and people were all over the place and banging into each other. Once we all agreed that, okay, these are the standards. This is the test that you've got to take to make sure that you can drive. Everybody did it and traffic deaths, granted, it'll never be perfect, but that's how we function on freeways. We all understand the risk.

Katie: We're certified to be there. And we're audited by insurance to ensure that we're doing the right things every day. It's that practical, that easy. I thank you for your kind words, but know that this is just one little piece of a bigger puzzle. I look at the CMMC. Looking back after World War II, or World War I, how we got different is because warfare changed. Our adversary started digging trenches. To combat that, our ingenuity came up with a tank, a tank moved the war fighter to the trench.

Katie: I look at cyber war as a trench and I think that a part of that tank is the CMMC. I think that there are things that will be coming along down the pipeline that'll help businesses even more. But I do see it as an essential part. I would say that the wheels or the tracks to make the cybersecurity tank work.

Eric:​ Well, I certainly don't see it as a product, which is what everybody, the customers, the industry see. They seem to think like this wiz-bang product is going to change the world.

Understanding What Small Businesses Need

Eric: I can't think of a single product out there that even has a shot. I love the approach. I don't know what you think Arika.

Arika:​ I think the work that you are doing is incredibly impressive. Obviously we need it and I think we're going to be better as a government with it, so goodluck.

Katie:​ To the listeners of your podcast, one of the things I would say is that we are, one of the areas to really help us help ourselves is that we understand that most small businesses, they need to be CMMC three, which is basically the instantiation of the NIST 171.

Eric:​ That's the level three, Katie?

Katie:​ Yes. They will need cyber security as it service products. If there's a product company out there, look at the most recent CMMC model. Tell us, shoot it. There's a website on the portal, an email address on the portal. You can submit. Tell us what areas your products solves. We need to hear what your industry is doing so we can help marry that up to the right people. If your company works on endpoint software or you have a product company that may solve this problem, let us know.

Katie:​ That's why we've tried to do our best at getting information out there, but I can't ingest enough technology and this whole idea of as the threat changes and we are able to share security information with each other.

CMMC as a Communication Tool

Katie: As new products come online, as the threat evolves, CMMC becomes the way that small businesses can communicate with each other and say, "Hey, I've had this problem. This is the product that I purchased. The software license or this capability" because that's where we're going to get the innovation to solve these big problems. So know that this is not just getting certified one day and then you're done. Understand that this has got to become your daily practice for survival.

Eric:​ It's part of what we do.

Katie:​ It's hygiene. You brush your teeth, you take a shower, you wash your hair. Hygiene. Everyday you have to be diligent about this.

Arika:​ Well, thank you Katie. I know you're very busy, so I want to be respectful of how generous you've been with your time today. Thank you so much for being on the podcast.

Arika:​ What do you do when you are leading such a huge endeavor? How do you use your downtime and do you even have any downtime?

Katie:​ I live in Charleston, South Carolina. I work in Washington DC. So when I'm down, I'm generally on a plane heading home. And when I get home, I have four grandchildren under three.

Family Time

Katie:​ I don't get a whole lot of downtime. It's those little people and it's remembering that, and I don't want to come across as cheesy and hokey, but I really am. When I look at those four little faces, I want them to have the same opportunity I did. That's all I ask, the opportunity to succeed. But I just have to have the capability to do that. My downtime is spending it trying to teach four people how, through their parents, to be good souls, but to ensure that they've got a tomorrow to go to. That's it, man.

Eric:​ We'll call it family time.

Katie:​ All right, well thank you guys so much for inviting me.

Arika:​ Thanks so much and happy work anniversary.

Arika:​ Wow, that was a great conversation. I hope you all enjoyed it. Please continue to tune in every week to To The Point Cybersecurity. We will continue to have great guests such as our guest today. Katie Arrington. Again, thank you always for listening and until next week, this is To The Point Cybersecurity.

About Our Guest

Katherine “Katie” Arrington is currently the Chief Information Security Officer for Acquisition. In this position, she serves as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment, OUSD(A&S), to align acquisition cyber strategy.

As the cyber lead and programmatic analytic advisor for strategic cyber programs, Ms. Arrington is responsible for conducting analysis within the major defense acquisition program portfolio and across the Department of Defense. This cross functional analysis will ensure transparency within the acquisition strategy, interoperability between enterprise networks, and compliance strategies for cyber initiatives.

She also meets with key Cyber personnel (across both DoD and Federal Agencies) as well as legislators to ensure that changes made in the National Defense Authorization Act (NDAA) are supportive in reaching the goals of decreased spending and increased compliance with current and future standards.

The final focal point will be on protecting the Department’s intellectual property/data and securing our weapon systems and critical infrastructure. Before assuming her position in OUSD(A&S), Ms. Arrington had an extensive career as a legislator and senior cyber executive. Ms. Arrington was a candidate for South Carolina US House of Representative 2018 and a South Carolina State Representative for two terms. She has substantial experience and capabilities in cyber strategy, policy, enablement and implementation across a wide range of domains, including DoD, Federal, Healthcare and State.

She acquired her experience in cyber over the past 15 years with Booz Allen Hamilton, Centuria Corporation and Dispersive Networks. This has given her the unique experience of working at a large business, small business and non-traditional contractor for the government. She attended Canisius College in Buffalo, NY.