The US Dept. of Defense has responded to an official Freedom of Information Act (FOIA) request related to the hiring of Katie Arrington as Chief Information Security Officer (CISO) for the office responsible for the CMMC program. The request was submitted by Oxebridge in April of 2021. Arrington no longer holds the position, having resigned after her security clearances were suspended.

The response comes after Oxebridge warned the DoD that it would launch an official FOIA lawsuit if the request was not acted upon. The Oxebridge warning letter pointed out that according to official court filings submitted by Arrington in her two lawsuits against the Federal government, the DoD and other agencies responded to FOIAs submitted by Arrington within weeks, whereas the Oxebridge request had languished for over a year.

Arrington had been hired by the Office of the Undersecretary of Defense for Acquisition and Sustainment. It is widely thought her personal ties to Kevin Fahey, the former Assistant Secretary for Acquisition, won her the job. Fahey denied this to Oxebridge, instead saying that Arrington was hired by Ellen Lord, who was the Under Secretary of Defense for Acquisition and Sustainment at the time. Lord has not replied to requests for comment.

The final reply from DoD does not reveal any irregularities in Arrington’s hire, but does invoke “privacy” concerns to justify why the information was nearly entirely redacted.

Oxebridge demanded to see the “Decision Matrix” of candidates that applied for the position, to justify how Arrington — who had no higher education and little in the way of technical cybersecurity experience — had been hired.

In its response, the DoD wrote:

There were 42 applicants for the position. 15 applicants were not referred by the Senior Executive Management Office (SEMO) because they were determined to be unqualified or submitted incomplete applications. 27 applicants were referred by SEMO to the Executive Evaluation Panel for review. The panel determined that 4 of the 27 applicants should be interviewed by the Panel for managerial qualifications. Of those 4, 2 applicants were determined to be “best qualified” and referred to the selecting official. Ms. Arrington was ultimately selected.

When asked why the CISO position was stripped of higher education requirements, the DoD replied:

This position was classified in the 0301 series – Miscellaneous Administration and Program. There are no positive education requirements for this series.

Arrington only has a high school diploma, but was hired over at least two candidates known to Oxebridge who hold related university degrees. Arrington claimed to be going to “night school” for a degree during her employment as CISO, but there was never any evidence of her actually doing so, and the claim was later dropped.

Behind the scenes, two sources with knowledge of Arrington’s hiring insisted she was hand-picked due to her support of then-President Donald Trump. One source indicated that the interviews of alternative candidates were “a sham,” and that the other candidates had superior qualifications. The heavily redacted FOIA materials do not provide any means to verify this, however.


The redacted Decision Matrix, shown at right, reveals that the hiring decision was based on only three questions, despite the position being for a DoD CISO and Special Executive Services (SES) hire. The matrix shows entries for 27 candidates, with four of them highlighted in yellow, indicating high scores. Arrington is one of those four.

It is not clear how Arrington’s resume would have supported the high scores on the three questions. Arrington’s prior employment included stints in business development and sales at cybersecurity consulting firms, but she did not hold any technical or engineering roles. Nevertheless, she was given high marks for “ability to translate broad national security objectives /policies into specific programmatic guidance for cyber, supply chain and trusted capital portfolios” and “complex acquisition topics to include acquisition policy and the strategies for securing the defense industrial base.”

Each question was rated by three “raters,” and their results were averaged. On two of the questions, she received a perfect score of “5” from all three raters.

Arrington went on to mandate the creation of the CMMC Accreditation Body, which was immediately led by her former superior at Dispersive Technologies, Ty Schieber. The parties insisted that Schieber’s takeover of the AB, while Arrington led the DoD office that created it, was a “coincidence.”

The CMMC program faced multiple scandals, investigations, and a GAO audit under Arrington, who was eventually suspended from her position under allegations of having leaked classified information to a government contractor. That contractor reported the leak to the NSA, which suspended Arrington’s security clearances during its investigation.

Growing impatient, Arrington later resigned in time to run for US Congress as a pro-Trump Republican in South Carolina. She lost that election, and is now focusing on a podcast project. Fahey appeared on the show as Arrington’s “guest.”

Oxebridge has one additional FOIA still open, demanding the full contract between the DoD and CMMC Accreditation Body, including its signature page. The government has so far refused to release the contract to the public.
