Katie Arrington, who spearheaded the Defense Department’s (DoD) initial efforts to create its Cybersecurity Maturity Model Certification (CMMC) program for defense contractors beginning in 2019, is returning to the Pentagon as the agency’s chief information security officer (CISO).

She announced her appointment as DoD CISO in a LinkedIn post.

Arrington was DoD’s CISO for acquisition and sustainment from 2020 to early 2022, and from 2019 to 2020 was special assistant to the assistant secretary of defense for acquisition with a focus on cybersecurity issues across DoD’s acquisition and sustainment organizations.

Most recently, Arrington held senior management government affairs and external affairs positions at Exiger, a provider of supply chain risk management technologies.

The Pentagon’s acquisition and sustainment organization oversaw the initial CMMC program development, and then DoD’s Office of the CIO assumed oversight of the program in early 2022.

After years of work, the Pentagon’s CMMC rule in December 2024 cleared its 60-day Congressional Review period without any changes, signaling that the rulemaking process was officially complete.

The final rule for CMMC requires Defense Industrial Base (DIB) contractors and subcontractors to implement necessary security measures for Federal Contract Information and introduces new security requirements for Controlled Unclassified Information related to specific priority programs.

While the CMMC rule and program are in effect, full implementation continues to wait on revision of the Defense Federal Acquisition Regulation Supplement (DFARS) clause and the final publication of the rule in the Federal Register. DoD officials said they expect to publish the DFARS follow-on rule to contractually implement the CMMC Program in early to mid-2025.