The Pentagon has released an official announcement eliminating the CISO position previously held by Katie Arrington, effectively assuring she will not return to her prior position. At the same time, the DoD announced that the oversight of the CMMC program will be transferred to the Office of the Chief Information Officer, and away from its prior management by the Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD A&S).

The full statement appears below:

The move comes only two days after Arrington’s lawsuit against the DoD was dismissed with prejudice, without Arrington having her security clearance reinstated. She still remains suspended from her DoD duties, and with the latest DoD announcement, can no longer return to her prior job.

Arrington was brought on to serve the government through the Senior Executive Service (SES), and such officials cannot be fired except under extraordinary circumstances. It is likely, therefore, that the DoD or other government agency will have to assign Arrington to some other position, one likely to be less glamorous than her prior role as head of CMMC.

The CMMC program underwent a massive overhaul and was re-released as “CMMC 2.0,” effectively scuttling Arrington’s work to date. Investigations continue to probe the conflicts of interest between Arrington and the CMMC Accreditation Body, which Arrington spent much of her time promoting. That body was previously led by Ty Schieber, Arrington’s former superior in the private sector, raising questions of cronyism.

As early as March of 2020, Arrington began making public appearances telling companies to pursue CMMC certification and buy products from the CMMC-AB, falsely claiming that certification would begin in September of that year. To date, the AB has not completed a single accreditation of any certification body, yet has sold thousands of personal credentials, worth millions of dollars, thanks to Arrington’s appearances. The credentials are now under scrutiny as being potentially worthless under CMMC 2.0, but the AB has not offered any refunds.

The role of the AB is now diminished dramatically under CMMC 2.0, and its Board members continue to flounder to find ways to generate new revenue.

The management of CMMC by the OUSD A&S office has proven controversial, with many defense companies and figures calling it a “pay to play” scam. It was long predicted that the OUSD A&S office would be stripped of CMMC control because of its tolerance of Arrington’s antics and how it provided “cover” for the AB’s conflicts of interest.

CMMC will now be administered by the DoD’s Office of the Chief Information Officer. That position is held by John Sherman, who took the role in December of 2021.

The OUSD A&S “CISO” role was largely thought to have been invented by DoD officials, including Ellen Lord and Kevin Fahey, to give Arrington a job as compensation for her support of former President Trump. Arrington has no college education, and the CISO job posting required no higher education, an unusual fact when compared to other CISO postings in the Federal government. Sources said the position was intentionally “dumbed down” to ensure Arrington was eligible, and competing applicants were ignored. Oxebridge has an open FOIA request to unmask her hiring process and gain access to the list of competing candidates, to identify if fraud occurred.

Arrington ran an unsuccessful campaign for Congress prior to her CMMC position. It is largely expected that she will return to politics, and soon announce another run for office.

