Sources report that Katie Arrington’s departure from the DOD and CMMC Program Management Office was due to “clearance issues,” based on a claim by a DOD representative who suggested she may return once those issues are cleared.

Arrington was the Chief Information Security Officer for the Office of the Undersecretary of Defense for Acquisitions & Sustainment, and the head of the DOD’s CMMC efforts. Previously, she made nearly weekly media appearances and was active on LinkedIn, posting official updates. Oxebridge reported in May that Arrington had been removed from her position and ousted from DOD, based on reports from a half-dozen sources, but the exact reason for her departure was still not clear.

Arrington faces multiple ethics and other investigations for her role as CMMC head, including a probe by the DOD’s Defense Criminal Investigative Services (DCIS). On multiple occasions, Arrington falsely claimed on LinkedIn that parties may only work in the CMMC field if approved by her office or the CMMC Accreditation Body, going so far as to claim this applied even to individuals commenting on CMMC. Arrington then limited her LinkedIn posts for a short period, as did others in the CMMC PMO. She then resumed making the comments, resulting in Oxebridge filing a complaint with the DOD Inspector General alleging “misuse of office and misuse of position.”

Arrington’s comments were viewed by many as an attempt to financially prop up the nascent CMMC-AB through dubious claims couched as official policy statements. The CMMC-AB’s original Board Chair, Ty Schieber, was Arrington’s former superior at her prior employer, Dispersive, raising questions about cronyism.

Arrington ignored reports alleging the CMMC-AB may have obtained its DOD contract through fraudulent filings with the Defense Logistics Agency. In early 2020, Schieber filed official representations and certifications documents with DLA, claiming the CMMC-AB was “tax-exempt.” Schieber’s filings then allowed the CMMC-AB to gain a CAGE code and thus obtain its DOD exclusive contract from Arrington. In fact, the CMMC-AB has never been granted “tax-exempt” status, raising questions as to the legality of the no-bid contract, and whether Schieber committed fraud. Because CAGE code falsification is a felony, it is problematic that Arrington’s office refused to either report this or investigate her former boss in the matter.

Schieber’s filings with DLA, falsely claiming tax-exempt status for CMMC-AB.

Arrington likewise refused to investigate a revelation that the CMMC-AB’s training courses fail to comply with the US Americans with Disabilities Act. The CMMC-AB then ignored an official complaint on the matter, and their official assessor courses — a mandatory requirement for CMMC assessors — still do not comply with ADA. Arrington’s office has declared that only assessors with the CMMC-AB training may work as assessors, effectively denying employment for those with disabilities, including service-disabled veterans. The matter is now with the Dept. of Justice, which oversees ADA compliance.

Arrington also pushed through the DOD contract which requires the CMMC-AB to pursue ISO 17011 accreditation by the organizations IAAC and IAF. The IAAC is located in Mexico and led by an Uruguayan national, and the IAF’s President is a Chinese Communist Party member and national executive in Beijing. The DOD contract would thus grant Mexico and China final oversight authority over the entire CMMC scheme, and allow either country to scuttle the entire CMMC program by de-accrediting CMMC-AB at any time.

Multiple CMMC-AB Board members resigned at that time, and the remaining Board members, led by Karlton Johnson, signed it.

The DOD PMO has refused to enforce rules against conflicts of interest, allowing CMMC-AB Board members to operate companies selling products and services related to CMMC certification compliance. In April, CMMC-AB Board Members claimed they would mandate 100% home inspections of cybersecurity controls in the private residences of work-from-home employers, pitting the CMMC program against the US Constitution’s Fourth Amendment. The CMMC PMO promised a clarification on this policy, but never produced it.

Karlton Johnson recently took a position with Microchip Technologies, which was later found to be pursuing CMMC certification. This raises the appearance that Microchip is using Johnson as a means of ensuring their CMMC certification, and all but guarantees a protest should Microchip obtain CMMC and later win a Federal contract requiring that certification.

New CMMC-AB CEO Matt Travis has denied that there are conflicts of interest, instead claiming that the public does not understand the body’s conflict of interest policy. Without any DOD oversight, the CMMC-AB is likely to continue to engage in these practices.

Despite the claims that Arrington may return once the clearance issues are corrected, this is not ensured. It is common for clearance rights to be revoked when a government employee is under investigation. As a Senior Executive Service employee, however, Arrington holds special protections against being fired outright, and is likely only to be re-assigned.

Jesse Salazar, the Deputy Assistant Secretary of Defense for Industrial Policy, has already taken over for Arrington, and admitted this in his recent testimony before the Senate Armed Services Committee.
