Katie Arrington, the one-time architect of the DoD’s “CMMC” program, has lost a primary election that would have allowed her to run for Congress, representing her state of South Carolina. The Associated Press has called the election for her opponent, Nancy Mace.

Arrington had the endorsement of Donald Trump, but this failed to bring her enough votes to beat Mace.

Arrington was hired under former Under Secretary of Defense for Acquisition and Sustainment (A&S) Ellen Lord, in what has since evolved into a minor scandal. Arrington has no higher education, and her role as A&S “Chief Information Security Officer” was granted after the official DoD job posting removed all requirements for a university degree, a qualification that would normally have been required for such a position. Arrington immediately set about creating the “CMMC Accreditation Body,” which was led by her former superior at Dispersive Technologies, Ty Schieber.

Arrington then actively worked to support Schieber, in what many argued was a conflict of interest and violation of her office. She refused to investigate when it was discovered that Schieber lied about the CMMC-AB’s tax status in order to win an exclusive DoD contract. Schieber was ousted from the CMMC-AB after soliciting $500,000-per-person “memberships,” resulting in accusations of pay-to-play. Arrington refused to investigate the AB after the “Diamond Member” scandal, and instead raged against Board members who pushed Schieber out. Arrington then went on to refuse to investigate a half-dozen formal complaints against the CMMC-AB, and instead took to LinkedIn to publicly attack whistleblowers and reporters. At least four FOIA requests have been filed to unmask her original hiring process, and multiple complaints alleging abuse of office were filed.

The CMMC-AB went on to accredit Cask Government Services, ignoring reporting that the company is under a Federal criminal probe for bribery of government officials. One Cask employee has already pleaded guilty and awaits sentencing, as Federal prosecutors pursue senior management in that company. Despite this, the CMMC-AB granted Cask official CMMC assessor status, claiming to have performed a “corporate background check” and ethics review. As an official assessment body, Cask would ironically hold power over whether defense industry companies gain access to Federal contracts, even as it is being probed for having illegally steered such contracts to itself. Again, Arrington refused to investigate.

Arrington repeatedly made false statements about CMMC, in an attempt to push people to buy credentials sold by Schieber and the AB. She falsely claimed that companies could start pursuing CMMC certifications as early as March 2020. In reality, no such certifications were available, and they are still unavailable as of June 2022. As late as November 2021, she was still found to be making the same claims on LinkedIn.

Arrington had her security clearance suspended for allegedly leaking classified information, although the details on this have never fully been revealed. Arrington later sued the government, but settled the case in exchange for having her attorney’s fees paid. She did not win the “name-clearing hearing” she demanded, nor did she win nearly any of her other demands. It is presumed that the investigation into her leaks continues, but the government has not provided any updates.

Immediately after settling, Arrington announced her run for Congress. She then filed a new FOIA lawsuit arguing many of the same points in her original suit. The government has denied the allegations made by Arrington, claiming in their filing that she voluntarily surrendered all rights to pursue them in her settlement agreement. That agreement has still not been made public.

Arrington enjoyed a cultlike position as the head of the CMMC program, as companies attempted to ingratiate themselves with her in exchange for favors. After her departure from DoD, Arrington loudly denounced the DoD through a series of controversial statements, causing some of those companies to distance themselves from her.

The CMMC program underwent a dramatic “2.0” overhaul after Arrington’s departure, nearly dismantling everything Arrington had put into the scheme. The role of the CMMC-AB has been dramatically stripped back, forcing the organization to rebrand as “The CyberAB” and attempt to market its services outside of the United States. That organization has yet to accredit a single CMMC certifying body, but has generated millions of dollars in revenue, selling CMMC 1.0 “credentials,” which may now be worthless.



Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.