Cybersecurity in an Era of National Adversaries
KITECAST - KATIE ARRINGTON
Katie Arrington, former Chief Information Security Officer (CISO) for the U.S. Department of Defense and member of the U.S. House of Representatives, discusses her experience as CISO, noting that the position was newly created in 2019 to address urgent cybersecurity threats. In the role, she aimed to establish consistent standards for cybersecurity across the Department of Defense, including weapons systems, critical infrastructure, and the defense industrial base (DIB). A key challenge was overcoming the different cybersecurity approaches between military branches and establishing a unified culture.
Regarding the Cybersecurity Maturity Model Certification (CMMC), Arrington explains it was initially conceived as a unified standard for defense contractors to demonstrate implementation of NIST 800-171 security controls. Hundreds of industry representatives helped develop CMMC 1.0. Arrington expresses that she regrets not fully eliminating the use of controlled unclassified information (CUI) as an indicator of whether contractors needed certification, believing all defense contractors should adhere to CMMC standards given growing threats.
Arrington highlights the massive cyber threats posed by nation-states like China, Russia, Iran, and North Korea, which she says are targeting U.S. defense contractors to steal key technologies and intellectual property. She points out that China has a dedicated cyber army aimed at making China the world’s economic superpower. Russia has already demonstrated its cyber capabilities by interfering in elections. These adversaries are relentless in exploiting vulnerabilities across the entire supply chain.
For defense contractors bidding on DoD projects, Arrington authored a white paper that estimates per-employee costs for cybersecurity based on company size. She believes contractors should build these costs into project bidding. Arrington argues CMMC is now just about verifying NIST 800-171 compliance, not evaluating maturity, so she anticipates the name changing in the future. In preparation for CMMC 2.0 Level 2 compliance audits, she recommends that contractors proactively get audits now rather than waiting until CMMC becomes a DIB mandate to address urgent threats.
Regarding supply chain risks, Arrington indicates primes cannot fully see risks beyond tier-one suppliers. She urges primes to contractually require CMMC certification from all subcontractors to improve security against threats that can enter anywhere in the supply chain.
In closing, Arrington stresses that cyberattacks are constant and rapidly evolving. No organization can be 100% secure. However, by implementing standards like NIST 800-171, organizations can mitigate these risks. Adherence to cybersecurity frameworks is therefore critical today and an important focus for national security as cyber threats continue to escalate.
LinkedIn Profile: https://www.linkedin.com/in/katie-arrington-a6949425/
Transcript
Patrick Spencer:
Hey, welcome everyone. We’re excited to present, let’s start that again. Welcome everyone. We’re glad to bring another KiteCast show to you. We have a great guest today. You’re gonna be thrilled to listen to some of our insights when it comes to national security as well as cybersecurity. Tim, my cohost joins me. Tim, how are you doing today?
Tim Freestone:
Fantastic. Just before 40 weekend. I’m excited.
Patrick Spencer:
Yeah, that’s right.
Tim Freestone:
Yeah.
Patrick Spencer:
Now happy fourth. So Katie Arrington is with us today, Tim. She is the former CISO for the U.S. Department of Defense, a role, uh, which she served for in, oh, she re I can’t speak today. She Katie Arrington is with us today. She is the former CISO for the U.S. Department of Defense, where she served over three years in that position. She is a former member of the U.S. House of Representatives where she represented the state of South Carolina. Her business background covers substantial time in both the public and private sectors. She is the chair of fundraising for the Palmetto Chapter of Women in Defense and speaks regularly on topics related to national defense and cybersecurity. Katie, thanks for joining us today. We’re really excited to dive into some of the topics that we’ve outlined today.
Katie Arrington:
Well, thank you so much. I’m excited to be here. And even though it is, you guys will be seeing this after, but it is the weekend of the 4th of July and couldn’t be more excited to celebrate the best country the world has ever known.
Tim Freestone:
There you go.
Patrick Spencer:
Yep,
Tim Freestone:
Patriotism, love it.
Patrick Spencer:
exactly. We’re,
Katie Arrington:
I am ext-
Patrick Spencer:
there’s a lot to celebrate, certainly. But at the same time, as we’re about to discuss, there’s a lot of things to be concerned about from a digital standpoint. Um, you served over three years, uh, in the CISO role for the US Department of Defense, uh, talk a bit about that role for those in our audience who may not be aware of what you did and, and at the same time outline what You saw from a cyber threat landscape, there was an evolution that took place during your timeframe there and then since obviously.
Katie Arrington:
Absolutely. So I was blessed and honored to ask to be, I went into the Pentagon January 6th of 2019 of all the days, right? And they brought me in as a highly qualified expert on cyber to kind of figure out what was the break between what happened in the Obama administration with the DFAR rule 7012, where it was said that anybody handling CUI needed to be doing the NIST 171. The problem was we knew that wasn’t happening. And there had been a lot of things up until that point that were pointing at that. We had the Navy report that same year in 2018, the fall of 2018 that said, things are bad, we need to do something. We had the report from MITRE, Deliver Uncompromised. There was a GAO report. I mean, we had enough evidence and provenance of the data to say, yes, we have a major problem with the defense industrial base. So I went into the Pentagon and… They said take six weeks to figure out what the biggest problems were. Now remember, not remember, so my job was over weapons systems, critical infrastructure, and the defense industrial base. Acquisition and sustainment, that’s where I was the CISO. So over all of the spend, I was the person put in charge of cyber. We had been pushing for a while to have a CISO stood up, because there needs to be a common thread of cybersecurity as everything has cyber in it one way or another. So they actually went and created this position. I applied, I ran competitively and got the job. So immediately started with, how are we gonna get people compliant? How are we gonna make people understand how critical this is? And how much is it going to cost? And how do we offset that? Because when the original rule went into play in 2015, OI resists a department with OMB, and they did a study about the cost of implementation of the 171. But they didn’t follow through with it. Industry should have immediately raised their rates if they were complying with the NIST 171.
So immediately… As a small business owner, I’ve worked in large businesses, small service disabled veteran owned, you name it. I’ve been a legislator, I’ve written law, I’ve now worked in the Pentagon. So I’ve seen all the way around. And I can understand where industry was struggling, right? It was self-attestation. And if you’re not going to double check me, then I’m going to attest, right? And at that point in
Tim Freestone:
Yeah.
Katie Arrington:
time, 2019, you had company A, who is attesting that they were NIST 171 compliant, but they may have had 60 open POA&Ms. It didn’t matter. You were checking the box. And then you had somebody who may be doing 90 of the controls at that point, and they were checking the box, but they were both technically acceptable. And we know that was the problem. So I came into the Pentagon and started down the path of trying to find ways to help with compliance, trust but verify, on everything from
Tim Freestone:
Hmm.
Katie Arrington:
the defense industrial base, through our weapons systems and critical infrastructure. It was a crazy journey, amazing journey.
Tim Freestone:
What I think is interesting, you mentioned there had to be a push for this position in the department, a push for the CISO.
Patrick Spencer:
This is a new position it sounds like.
Tim Freestone:
That’s and that’s in 2019. That’s that boggles my mind. Just
Katie Arrington:
And
Tim Freestone:
they what?
Katie Arrington:
they dissolved the position in January of 20, well, year 2023.
Tim Freestone:
So you must
Patrick Spencer:
Oh wow.
Tim Freestone:
have encountered a series of frustrations from
Katie Arrington:
Say…least.
Tim Freestone:
the start. Yeah. What was the biggest one? Or if you could capture a couple of them in some sort of narrative. I’m interested in, because it’s a constant struggle for pretty much all CISOs and all companies to make the case for, which still boggles my mind, for budget, for personnel, for… you know, execution in, and I can’t imagine in the government, it’s probably even worse or harder. You know, what, what kind of frustration did you have that, or what were the top ones you can talk about and maybe even how you overcame them.
Katie Arrington:
So the number one challenge for everyone, I think, in every company is the culture. We grew up with, I am 52 years old, I am part of Gen X, I grew up with having to turn TV room. Actually, I was the remote controller.
Tim Freestone:
You wear the remote,
Katie Arrington:
Remember that? Stan,
Tim Freestone:
yeah.
Patrick Spencer:
13 panels.
Katie Arrington:
call waiting had just come on board like when I was in high school. So I was constantly like, oh, there’s another call coming in. Culture was and is the biggest, I would say, barrier for the CISO in any role, but cyber as in every company has to have a cyber culture. And even in the Department of Defense, that was a challenge. And everybody thinks that they do it the best. And that’s the challenge point that industry, because I was unique, I was, I call myself a unicorn. There aren’t too many people who can look back at their career and say, I literally have come from every aspect. I’ve owned my own business. I’ve worked as I mentioned, I’ve done it. I’ve written law. It was the biggest was culture because each of the services felt that they needed to have a different way to do it. And I from industry, I’m like, no guys, understand you are driving industry insane. I wouldn’t want to work with you guys because at that point in time, Hondo Geurts, and I have the utmost respect for Secretary Geurts. He is truly one of the American heroes. He wrote a memo in the fall of 2018 that said, I want the highest and best security for all Navy programs. Well, what does that mean? Right? If we’re not even implementing the NIST appropriately, what else do you want? So
Tim Freestone:
Mm-hmm.
Katie Arrington:
culture is the biggest barrier for everyone because you can’t see cyber, you can’t taste cyber, but cyber is all around you. And for a CISO, if you’re doing your job well… Well, they wouldn’t ever know it, right? That’s where everybody’s challenged. What return on investment do I get with the CISO that I don’t have? Well, until you actually understand ransomware, breaches, and the amount of data that you’ve lost and what that costs, it’s a hard thing to explain. But in the department, I had great leadership who supported everything I was doing between Honorable Kevin Fahey and the under, Miss Lord, who said they were over acquisition and sustainment for the entirety. And even the sustainment side, which was Bob McMahon at the time, said, get it done.
Tim Freestone:
Mm-hmm.
Katie Arrington:
And I went to Dana Deasy, who was the CIO, and Essye Miller, who was the deputy CIO, and Jack Wilmer, who was my counterpart in the CIO office, and said, we need to have a matrix created for compliance, trust but verify. CISA had been saying, you know, the ICT, you know, you’ve got to trust but verify. So creating a model, right, that we could go out and audit a company’s cyber posture. Because I believe, honestly, their cyber posture is more important than their safety posture right now. Because you
Tim Freestone:
What do
Katie Arrington:
can
Tim Freestone:
you
Katie Arrington:
have…
Tim Freestone:
mean by that, the safety part?
Katie Arrington:
So you can be ISO 9000, right? And you can have, and I’ll use this, a sprinkler system in a warehouse. Well, that sprinkler system is run on an industrial control system that is cyber, that generally has an outbound or an inbound. And so you put safety, right? But if you don’t have a cyber side of the safety locked up, it isn’t gonna matter.
Patrick Spencer:
and
Katie Arrington:
And… That was the challenge with the report on Deliver Uncompromised. It said that there were four pillars to acquisition: cost, schedule, performance and security. And Bob Metzger is all over, you know, he, he’s, you know, on all over LinkedIn as one of the lawyers to talk. Then he was one of the coauthors of it. And the first thing I said when I read that report was you’re, you’re wrong. Security is the foundation of acquisition. Then you build cost, schedule and performance on top of that. And when I was able to explain that, I changed a lot of minds culturally. I believe, and I’m a devout believer there isn’t a thing of coincidence. I had a plan, a purpose and a mission to be in the department when I was. And it was on the cusp of what we right now we can look at and say was a cultural shift, right? Cyber became the talking point in 2019, 2020, because of so many factors between COVID and all these people going and working from home,
Tim Freestone:
Mm-hmm.
Katie Arrington:
having our computers educate our children. It was just the perfect time. And I was able to travel the country the year before the pandemic and really get people excited about, A, this is an allowable cost. Why aren’t you charging the government for doing it? If you’re not, why? And I can look through all of the time that I was there, and I’ll tell you the one regret, number one, two things. The number one positive thing that came out of the entire CMMC movement was that, and I will take credit for very few things in my life, but I broke the mold when I said, if we develop a standard or an auditing capability, and we don’t have industry in the room while we’re creating it, we’re going to miss it. And nobody
Tim Freestone:
Mm-hmm.
Katie Arrington:
really had done that before. You know, they create NIST and then they open it up for public comment. But
Tim Freestone:
Right.
Katie Arrington:
Ed, with the CMMC, we opened the doors and said, everybody come together and help us. And hundreds of people worked on developing the CMMC model 1.0 that were mainly from industry. And what I find really funny is at the time when we had the administration change, a lot of things went down in the building. I was of the wrong political affiliation. And they didn’t want,
Tim Freestone:
You’re saying when Biden came in, is that
Katie Arrington:
yeah,
Tim Freestone:
the… Yeah, okay.
Katie Arrington:
they thought I was a political. The
Tim Freestone:
Mm.
Katie Arrington:
transition team thought I was a political appointee and I wasn’t ever a political appointee. So they didn’t understand why I was still in the building. I’m like, well, kind of my job to be.
Patrick Spencer:
Cybersecurity matters.
Katie Arrington:
And it’s… they thought, all right, we need to pause and reset on the CMMC model because there were these 20 additional controls that industry was having a hard time with and so were the people doing the rule change. And I argued, and why they’ve had to redo the rule change, I argued that part of the process in a rule change is that you give the public an opportunity to comment. I said, we did four times. We opened it up every quarter through that year. Every once a quarter, we did a release after all the working groups and comment. We opened it up from public comment. We adjudicated, we came back four times. So I argued with OMB, we’ve already done the public comment period. And
Tim Freestone:
Mm-hmm.
Katie Arrington:
industry was the one who wanted to add the extra controls into at that time was level three in CMMC, the 20 extra controls. were what industry felt would be the most impactful for cybersecurity.
Tim Freestone:
Mm-hmm.
Katie Arrington:
Now fast forward several years later and NIST released the 171 Rev3.
Tim Freestone:
Mm-hmm.
Katie Arrington:
And what’s in the Rev3? Well, those stinking 20 controls are what they… The government can’t get out of its own way, right?
Tim Freestone:
Oh
Katie Arrington:
And
Tim Freestone:
yeah, yeah.
Katie Arrington:
so my regret was, you know, I… I applaud the team, the PMO shop that doesn’t exist anymore, the CISO PMO shop, and the CMMC team, because if it wasn’t for the likes of Stacy Bostjanick and Buddy Dees and John Choi and Don Greenway from, I can’t remember if she was John, she was Johns Hopkins or Mike because of administration change, you know, the one thing that shouldn’t ever interfere in the Department of Defense is politics. Should never enter it. And it did, and it costs the nation. We are struggling as a nation and our adversaries, when I spoke around the country, I said, you know, the rules of Fight Club, you know, what is the first rule of Fight Club? Talk about Fight Club. And what are we doing? We are telling the adversaries in public comment, how complicated it is to be compliant to the NIST 171. These controls don’t make sense. Well, what do you think the adversary is doing? They’re sitting in the background going, thanks, that made my life a lot easier.
Tim Freestone:
Sure.
Katie Arrington:
And even now what we’re going through, will OMB make this a proposed rule? Probably not, because when we did it initially in 2020, they put it as an interim rule. If everybody remembers that was a lot of negotiating. It’s not coming out as an interim rule. It’s going through the whole process. So we’re, you know, delayed for the CMMC another year, but there’s nothing to prevent a company today from getting NIST 171 Rev 2 verified from a C3PAO. And they should be because folks, if you’re doing self attestation and you think it’s all good, you never are going to be as critical on yourself, right? Especially if you’re the CISO, right? Imagine if your job is to self attest and you don’t come up with 110 and say, we’re doing great. You’re concerned your job is on the line, right?
Patrick Spencer:
You make yourself
Tim Freestone:
Right.
Patrick Spencer:
look bad, right?
Tim Freestone:
Yeah.
Katie Arrington:
Right? And this.
Patrick Spencer:
You saw the CyberSheath report, Katie, where, but 20, 71% said that they are fine when it comes to a 171, but then the DOD looked at them and said 29% actually comply. So to your point, there’s a big discrepancy there.
Katie Arrington:
It’s actually less than that. And I’ll tell you the first DIBCAC audits that we went on and General Murphy was over the, I call it the PCTTF, but the Protect Critical Technology Task Force. And Murph and I worked together. The first SPRS score that was entered in and we went to validate, the company had given themselves, I think like an 80, and we walked out with a negative 72. And people don’t realize like, oh, I don’t have MFA. I’m not implementing MFA, multi-factor authentication. That is a massive point like goes down big time, right? If you’re not
Tim Freestone:
Yeah.
Katie Arrington:
using MFA and it’s things like that, people weren’t paying attention. And I still argue to this day, and I’m trying to get this workshop put up right now is how to build, I don’t think anybody understands how to build the rate, right? Build your rates, including the NIST 171 and compliance to it, along with supply chain risk management. So I’m working on getting that together because that’s a big thing. You should be charging for what they’re telling you have to be compliant to. And the
Tim Freestone:
essentially baking in the costs of all of this into the bids to the government.
Patrick Spencer:
Are most not charging for it, Katie, to your point?
Katie Arrington:
Oh,
Patrick Spencer:
Or?
Katie Arrington:
so originally when we started this, I reached out to the associations, NDIA, AIA, PSC. AIA had been leading the charge with their cyber maturity model. We had Exostar at that time was doing a security, you filled it out. So I asked, tell me what companies are building into the rate for 171. And nobody had an answer. And that was the ding moment. Like I can tell you in my rates how much I’m paying for my insurance, how much I pay for Microsoft Office for all my, I can tell you off the top of my head, but no one could tell how much they were allocating for compliance to the NIST. So we knew there was a problem there. The
Tim Freestone:
Mm-hmm.
Katie Arrington:
second thing I regret is not killing CUI. I think, and I’ve talked about this, the challenge is when we did the original CMMC program, the whole idea was to lessen the burden on industry, right? To go in and to evaluate their cyber posture once every three years. If they needed to be continuously monitored, et cetera, if that was something the government wanted, that would be another thing. But it was good for all programs, right? And I argued and I still argue today that when you look at program by program and you say, oh, I’m not getting CUI on this one particular program, it’s the combination of all the work that you’re doing and your company that makes it CUI. And the government should really stop that discussion and everyone should have to adhere to the NIST 171. End of story.
Tim Freestone:
Mm.
Katie Arrington:
If you’re telling me as a company, I don’t have CUI, well, the seven programs you’re working on plus all of your employees information and data and your banking information, your intellectual property, everything you have running on your network, you should want to be certified 171, especially with insurance companies. So I wish we’d get rid of, that was my one, you know, One regret was not, you know, two, right? I didn’t, I really thought public comment period, we didn’t have a better than average job. We really spent a lot of time with the public, the industry to build the model. And I should have just said from the get-go, go back and change the 32 CFR.
Patrick Spencer:
Go, please go.
Katie Arrington:
Yeah, and that would have changed that regret on my behalf.
Patrick Spencer:
How many, by default, Katie, to your point, are able to get away with self-attestation and level one only and not go for level two? Is it a sizable percentage of the supply chain?
Katie Arrington:
So that’s, no one can really pinpoint that information. That’s simply because
Tim Freestone:
Mm.
Katie Arrington:
no one’s really marking data correctly, so nobody
Tim Freestone:
Right.
Katie Arrington:
knows.
Tim Freestone:
So I get your point, right? It’s sort of like, forget about identifying CUI. If you’re doing business with the government, you got to be NIST 800-171 and CMMC compliant.
Katie Arrington:
Because, and the adversary, how did China take off with the J-20 a mere six months after the F-35 took off with this law on the canopy?
Tim Freestone:
Mm-hmm.
Katie Arrington:
You know, it’s easy to see our adversaries have been, and it’s not just China, you know, Russia, Iran, now Afghanistan, Brazil, Venezuela, the world is coming at us and you as a small company, you know, you gotta remember. China has a million man cyber army who was 100% dedicated to taking control, being the economic superpower. You know, they have a hundred year plan. They ain’t deviating off of it. And we have, we have such a disparity in capability because think about this, in China, and we’ll use China as an example, and they’re no different than Russia, et cetera, they have state-owned enterprise. So if they’re going to build a carrier for their Navy, they pick one company and everybody follows suit. There’s no argument about pricing. There’s no arguments about regulations. They have no rules. And we’re trying to compete in this market, right? And when we put the rules on, the rails on, to keep companies safe and resilient, we push back. We say, oh, there’s
Tim Freestone:
Mm-hmm.
Katie Arrington:
not enough money to do that. Okay, well, the problem is, and I firmly believe this, if you are doing work with the government, know that there’s somebody out there who’s paying
Tim Freestone:
You’re a target.
Katie Arrington:
your target.
Tim Freestone:
Yeah.
Katie Arrington:
The example that I used about the guy, when I went out, gosh, that was right before the pandemic. I was called out to Iowa. to go and look at a welding facility, a service disabled veteran owned small business had called this congressman and said, you know, this CMMC thing, it’s gonna put me out of business. I don’t have the money. So I immediately, you know, I’m, I am, I hope and I pray that I’ve, I come across as I’m a problem solver. I’m not a problem creator, right?
Tim Freestone:
Mm-hmm.
Katie Arrington:
That is my whole life. I wanna solve problems. I went out there and as we started this whole conversation at the start about safety, I took it, you know, I had to wear closed toe shoes, which I love my Louboutins and my Jimmy shoes. So me not wearing high heels is a problem. I had to wear pants. I generally don’t wear pants. I like dresses and skirts because I’m very short and pants don’t look right on me. But so I wore my pants, my long sleeve shirt. I put the goggles on, I put the helmet on, I put the vest on, I stayed to the right of the red line on the production floor.
Tim Freestone:
Mm-hmm.
Katie Arrington:
is so because it was so critical, right? They didn’t want anything to happen to me. And as I’m walking by and the gentleman, they couldn’t have been more gracious and warm. And, you know, they were so excited to have me there. And the congressman, we were walking through the facility and his Mac computer, which was in his welding booth, I saw an AutoCAD design on it. And I saw also Amazon had just delivered a package and his wife had texted him. But my husband’s a land surveyor, so I know AutoCAD. I spend a lot of time looking at AutoCAD.
Tim Freestone:
Mm-hmm.
Patrick Spencer:
Thank you.
Katie Arrington:
And I looked and I said, can you minimize so I can see what you’re doing? And what was on his Mac computer was not, it wasn’t correctly marked. He had sent it to his personal email so that he could have the plans on his Mac.
Tim Freestone:
Yeah, take it home.
Katie Arrington:
And I’m just like, well, it’s, you know, and what he was working on, I mean, I stopped immediately, called DCMA, called DC3, right? Did all the right things and that company, they did phenomenally well. I mean, they were, they, it’s because no one really explained the rules, right?
Tim Freestone:
Yeah.
Katie Arrington:
And the small and medium sized businesses are the ones the adversary really is going after. They’re targeting them because, A, they know that they don’t have the security because they hear it clearly. If you look at log on LinkedIn, and anytime I make a post, you know, I get everybody, oh, it costs too much or it’s too much. They know our conversations, folks. It’s not like we’re talking in a bubble. And they’re listening.
Tim Freestone:
Right.
Katie Arrington:
So
Patrick Spencer:
Hmm.
Katie Arrington:
if you know, and in the conversation of a company, well, it’s too expensive. Well, are you using cybersecurity as a service? Or are you trying when I was at the DoD and started this, I remember distinctly people saying, you know, there’s not the capability out there to do this. I’m like, oh, you guys are dead wrong. I said, you know, you go to HIPAA, you try and get in and work in Accenture or Epic into their health information exchange and not meet their cyber requirements. I dare you, because you’re then gonna have
Tim Freestone:
Mm-hmm.
Katie Arrington:
to.
Tim Freestone:
Right.
Katie Arrington:
There’s, and you know, your company as well, several others, right? You were right there, ready to go. Like these are the things, and I applaud, you know, what you guys have done. You mapped it out. This is the control within the NIST that our capability meets. This is the cost. Most companies don’t take the time to just map it out and say, okay, how much is this costing us pieces and parts? And does it make sense to create the capability organically? Or is it more… to go with cybersecurity as a service. And, you know, and I talked to industry and capability providers to ensure that you had small business rates and understand that
Tim Freestone:
Yeah.
Katie Arrington:
they couldn’t afford that million dollar subscription fee upfront. And to build your pricing models to correlate with the contracts that they’re working on. Right?
Tim Freestone:
Hmm.
Katie Arrington:
It’s because I had a different viewpoint, right? I looked at things as a business owner. and I understood contracting, right? So this contract will last this amount of time. I need this capability. And how does that overlap into others? I applaud industry. The capability providers have stood up, have created, right? Now the problem is I firmly believe the government is putting their head in the sand with the ostrich theory, right? That if I don’t pay attention to it, right? We have bigger things they’re working on. If you don’t get cyber right, nothing’s gonna work right.
Tim Freestone:
Yeah. You bring up cost, this narrative for the past, you know, five or 10 minutes, as the cost has come up a lot. Is there a, is there a general formula the wide swath of small to medium businesses could say like, well, if I have a million dollar contract with the government, with the Department of Defense, I should be spending X percent as well based on that to protect the CUI that’s exchanging?
Patrick Spencer:
and including that in my price.
Katie Arrington:
So
Tim Freestone:
Yeah.
Katie Arrington:
I actually wrote a white paper and published it, put it out there with the cost of how much it would be per seat, you know, a butt in a seat
Tim Freestone:
Uh.
Katie Arrington:
to, a button, a seat, how much it would cost based on the size of the company. Um, and I, I didn’t do it based on NAICS codes because they really have not given a NAICS code for medium sized businesses. And I say they’re, they’re. You shoot out if you’re using NAICS code 541330, you’re allowed a $38.5 million three year rolling average, but the rest of the NAICS codes are about 45 million year
Tim Freestone:
Mm-hmm.
Katie Arrington:
rolling average. Listen, it’s the valley of death for medium sized businesses. I mean, you wake up one morning and you’re a small, the next day you’re competing with a Lockheed Martin, right? And so I tried to build those rates consistent with what I saw, you know, micro companies, zero to 15, then, you know, 15 to 50, 50 to 150, you know, building it in that way. And I wrote that white paper, submitted it to Congress, testified about it. And it varies, but you can’t look and say at a million dollar contract, you know, it costs this much. It’s how many people do you actually have is more work.
Tim Freestone:
Thanks.
Katie Arrington:
A contract is where the rate is.
Tim Freestone:
Mm-hmm.
Katie Arrington:
And if you’re going to use a CSP, right? And
Tim Freestone:
Yeah.
Katie Arrington:
that and what level, right? What classification really makes a difference? So we have that and I’ll be more than happy to send you all the white paper, but I worked it with all of the big cloud providers and companies such as yourselves, like I reached out and said, what does the cost look like? And together.
Tim Freestone:
Mm-hmm.
Katie Arrington:
It’s out there. And I asked, gosh, and when I put the white paper out, I said, to get everybody level set, take 300,000 companies within the DIB. If the government was to put $10 billion a year into getting people compliant to the NIST 171 over the FYDP, the five years of the budget, right? It would be, it’s nothing. And you think about $10 billion a year, I sneeze $10 billion, sadly, in the, and I know this is a sore subject, but if we put what we spend in Ukraine in six months into the industrial base, we wouldn’t have a problem.
Tim Freestone:
So it’s, and to compound that, the head in the sand part, you know, it seems like we, let me back up. Patrick and I have been in cybersecurity for quite a while. And so we’re constantly surrounded by, like we just assume everybody is knowledgeable on all of this stuff because we just see it all day long. And we’ve constantly put fear, uncertainty and doubt into the market as a driver for, you know, cybersecurity purchases. There seems to be so much of that now that none of it really lands with companies anymore. And so this is where regulations come in, but only regulations that have some sort of stick, you know, if you don’t comply, X, Y, and Z will happen to you. Um, and CMMC 2.0 seemed to be some driver of that, but it keeps getting pushed out. Um, and we all, we sit here and talk about the NIST 800-171 and CMMC 2.0 and how you should absolutely do it because of X, Y, and Z. But if there isn’t a stick that’s actually applied, it seems like it’ll just be a never-ending battle. Would you agree with that and
Katie Arrington:
Oh, 100%.
Patrick Spencer:
It’s getting punted down the field, right?
Katie Arrington:
So
Tim Freestone:
Yeah.
Katie Arrington:
you got to think, and you know, this is probably going to end up, just going to tell you now, it’s going to end up being two podcasts for sure.
Tim Freestone:
Yeah, yeah,
Patrick Spencer:
Hahaha.
Tim Freestone:
we yeah, that happens.
Patrick Spencer:
We’ll reconvene next
Katie Arrington:
Yeah,
Patrick Spencer:
week.
Katie Arrington:
so here’s the problem, right? The government says, yes, we need this. But then, so you have the HASC and the SASC, right? The House Armed Services Committee and the Senate Armed Services Committee. And they say, yes, this is needed. And they make recommendations to the DOD in the NDAA, the National Defense Authorization Act, every year. And, but what they don’t do is talk to the or the authorizers.
Tim Freestone:
Mm-hmm.
Katie Arrington:
So they make all these grandiose requirements, but the funding to support that isn’t there. So in the DOD, there are a lot of people that think, oh my gosh, they get so much money. You know, we’re over $800 billion. Well, folks, it’s a lot. By the way, I carry this around wherever I go, right? This thing called the US Constitution. And our founding fathers. Like the one thing we could agree upon was we needed to have a national, well that time was in 80, but we need to have defense, right? A national defense. It should be the biggest thing in our budget, right? It should be. It absolutely is. It’s the whole purpose, right? Defend our democracy. So when we think about the money, if your POM cycle is five years, you’re in a contract today. You’ve gotten, as an acquisition person inside the DOD, you’ve said, okay, this program is gonna cost this much money because I’ve done a market survey. Well, you’ve done a market survey on people that aren’t doing all the right things. So you’re saying it’s going to cost this because they’re not doing the right things when it’s really gonna cost this, right? That delta is the problem. Well, if you enforce it, they have to stop doing something to start to pay for something else. And that’s part of the narrative most people don’t understand, is that the DOD is in a contract, right? It’s like, do you remember in NDAA 889 when we all had to take Huawei and ZTE out of
Tim Freestone:
Yeah.
Patrick Spencer:
Yeah.
Tim Freestone:
Yep.
Katie Arrington:
I was the DOD representative on that. So I was the one that had to coordinate, approve for ODNI. If I approved it, it went over. Well,
Tim Freestone:
Mm-hmm.
Katie Arrington:
what I said was to the government, guys, even when the federal, which was a year before industry had to take it out, now mind you, there was a year gap. There was no money to rip and replace, right? So we had companies calling in saying, okay, well, we signed a contract with you, government. You knew we had Huawei in it, it was in our stack, and now you’re telling us that we have to take it out, but you’re not paying us to replace it? That is where we keep falling down. And until we have continuity of understanding cost to get what you are requiring, and legitimizing that cost and cost realism, right? It’s never gonna take effect and never gonna be there. And Dave Bassett, General Bassett. I adore that man. Admiral Lewis prior to him, both DCMA. John Ellis, who doesn’t get a lot of visibility, but my gosh, he is such a force of nature when it comes to this. I’ll tell you a story, true story. Admiral Lewis and John Ellis, I was probably in the building three weeks, asked for an office call. I was like, Admiral’s coming to see me? Oh, heck yeah, bring him in. And he sits down and John Ellis hands me a white paper. So in the DOD, when you don’t get something funded, you write white papers. And then basically, you infight to get the money from the services. You go and
Tim Freestone:
Mm-hmm.
Katie Arrington:
you… And they’re like, will you as the cyber person for acquisition and sustainment, will you write a white paper for us, for DCMA, the fourth estate? Now remember, the fourth estate is probably the most hated in all of the DOD, right? The services hate OSD. They hate OSD. They think we have Title 10, we don’t need you, we have our own money and our own authorities. And OSD is always like, well, we set the standards and the requirements, you execute to them. And they were all, you know, that’s when Mark Esper was the secretary. He would hold night court and you had to justify every employee you had. He was, he was a great secretary in that regard. Night court. We all hated night court, man. You just, and it was at night. You do it at night. It wasn’t called night court because it was a joke. It was at nighttime because you had to work all day long, then present your case
Patrick Spencer:
Prepare for it.
Katie Arrington:
off hours. But Dave, Admiral Lewis and John, they said, we need 900 people to go out and audit cyber. And I’m like, we’ll never get 900 FTE with the requirement you need to work in the Department of Defense. And you won’t have continuity in that money to do that because our budgets are, they fluctuate, right? And the fourth estate they go after. I said, that was one of the prefaces to starting the CMMC. I said it needs to be an outside of government, a third party audit, just like ISO, where the government’s willing to pay for ISO certification, but they can’t do it. And there were competing minds at the time in DoD, Liantha, I will never forget that. At that time, the DCMA side and the CIO had already started down the path of the, what is now the 7019, 7020 and 7021 clauses,
Tim Freestone:
Mm-hmm.
Katie Arrington:
they had already started down that pathway. And I’m like, guys, you’re going to confuse industry. Don’t do a SPRS score and then come up with the CMMC. Stop and wait for the CMMC. And, you know, and that was, you know, Admiral Lewis at DCMA trying to fix his problem. Um, if we could go back in time and undo that, that would be great. But that was, you know, we knew we needed to have something. We wanted to go. But what’s a CAR gonna do, right? DCMA comes in and they issue you a CAR and you have your corrective action report and you gotta get better. They come back in 30 days and have you done it? No, then they issue a second CAR. After the third time, they can penalize you 5%, right?
Tim Freestone:
5% of the contract value.
Katie Arrington:
It’s like a damp rag hit. That’s what, you know,
Tim Freestone:
Yeah.
Katie Arrington:
first
Patrick Spencer:
Yeah.
Katie Arrington:
a go/no-go on CMMC. You’re either, you know, when we give you this work, right, doing a corrective action report, if there’s been an exfil or you’re not doing something appropriate, the information’s already gone. The data’s already been taken. It’s like OBE. And I think Jen Easterly, people think that I’m highly critical of Jen. I think Jen Easterly has a massive job, just like Chris Krebs had a massive job, right, to put all this out there. But you can’t, no one will do anything, sadly, in corporate America for the right reasons. They are concerned about profit and loss. And unless you make it that they can’t get work, they’re never going to institute it completely.
Tim Freestone:
That’s the stick part that I was talking about. It’s like, nobody cares unless it costs. As soon as it costs, then they comply, right? As soon as there’s some stick big enough that outweighs the expense of the protection, then they start. But just because you should, because it’s good practice, because the bad guys are out there, it’s just, it’s too difficult to convince people that way. You know?
Katie Arrington:
Okay. So, I’m going to go ahead and start the video. So, I’m going to go ahead and
Patrick Spencer:
You know, P&L outweighs the cost or the time and resource expenditure. Katie, before we close out the podcast, as we were talking about CMMC, we got to talk about this. You presented at a couple of conferences recently where you spoke about CMMC and its viability for the long term. And you’ve recommended that we might need something else that’s probably going to eventually dissolve. Can you speak to… what your thoughts are on that subject because I suspect they’re a bit controversial.
Katie Arrington:
So the CMMC, even the name of it, a cybersecurity maturity model, it’s no longer a maturity model. Why are you calling it a maturity model? CMMC does, it’s not. It’s now just a compliance check to the NIST 171
Tim Freestone:
Mm-hmm.
Katie Arrington:
or the FAR, you know, the level one FAR. And it’s so far down the path right now. So in another year or so, let’s stop with CMMC, right? Because I don’t know if that name will remain with it, right? Think about that. It’s no longer a maturity model. And if, and I hate to say this, oh, but if I’m somebody’s lawyer, right, I’m going to say you’re going to make me adhere to a maturity model that’s not a maturity model. This doesn’t even, because we live in a litigious society, I know that’s coming. And when I spoke at the CMMC day, what I said is stop talking about CMMC. Let’s start talking about NIST 171 verification. Are you doing the right things? And you don’t need to wait for the government to say, okay, now this is the CMMC model. You can pick up the phone and as a prime, you should require it. If you have a contract with CUI, you should make sure every single sub has a NIST 171 Rev 2 verification from a C3PAO, because their risk is your risk. And the last thing I’ll leave on this podcast, saying to folks, when I talk to Senator Rounds, Senator Manchin, Senator Blumenthal, Senator Rick Scott, across bipartisan, right, across the aisle. This is the number one, they said, and I disagreed, and they’re like, it’s all the prime’s responsibility. I’m like, the prime doesn’t see, due to contract privity, the entirety of their supply chain. They only see their tier one suppliers. You cannot make them responsible. And they said, yeah, we have to, because that’s who’s getting the money, and it’s flowing down from them. So I have urged, I have begged, I will continue to plead for the primes to put it in their contracts with their subs, build it into the rates, and that will move mountains. You imagine if one of the top five primes came out and said, everybody who’s going to be on a contract with CUI with us has to have a NIST 171 Rev 2 verification. Man, wouldn’t that, people, and everybody’s like, oh, they’ll, they’ll stop. They won’t work with the government. Well folks, I don’t know if y’all are paying attention, but the government is a big mammoth. They’re not going to walk away, especially company. They’re not. It’s, it’s a false narrative. The things that keep companies from wanting to do business with the DOD is the fact that they A, don’t standardize requirements, which CMMC absolutely did, right?
Tim Freestone:
Thank you.
Tim Freestone:
Mm-hmm. Yeah.
Katie Arrington:
And they change the rules. They give exceptions. You cannot, right? The moment the exceptions have become the rule, not the other way around, the government needs to, you know, and why I, you know, Jen Easterly, I applaud DHS. They’re looking at, and DOE are all coming up and saying, yep, we need to have a NIST verification system. The National Cyber Solarium Report, which was written bipartisan by an independent and a Democrat, right? I miss, gosh, I miss Congressman Jim Langevin, like nothing ever. That man was brilliant. And Ingus Grant, I believe, was the other co-author of the Solarium Report that said, we need a national… a federal cyber security verification program. And they even cited in it, base it off of the DOD, CMMC. So I know I caused a lot of heartburn in that, but I know lawyers, right? And it’s no longer a maturity model. So they’ll probably change the name. Don’t get caught up in that. Be focused on what the CMMC really is. And what is it? It’s the trust but verify that you’re doing the NIST 171.
Tim Freestone:
Mm-hmm.
Patrick Spencer:
Do we need to worry about 172? Where does 172 come into play?
Katie Arrington:
So in the original model, levels four and five were 172, and 172 is really exquisite security, you know, 24-hour SOC capabilities, and something everybody’s going to have or need. They’ve, because the level three in the new CM, the CMMC 2.0, is the government will be auditing that. There will be the add in that. But even that, the discussion is the cost.
Tim Freestone:
Mm-hmm.
Katie Arrington:
making sure you’re doing the right thing and charging the government. If they’re requiring it, they need to pay for it. I always say whenever I do a webinar or a podcast, it’s always a circle. I always start at the same place that I end. And it’s culture. It’s 100% culture. And if you think a $20 million contract over the course of three years, and you are not investing in your company to be cyber compliant, the likelihood that your company is gonna make it through the next five years as we are, and people may disagree with me, they can. I say we are in an open cyber war with so many adversaries domestically and internationally that your company, I did a white paper a few weeks ago, in a company of 250 employees or more, if you have ransomware, on average it’s $5,400 per minute that you’re down, that you’re losing, money-wise, and to rebuild your network. So is it worth taking 10% of that $20 million contract and ensuring you’re secure? You betcha.
Patrick Spencer:
And that doesn’t include all the legal fees and the machinations around demonstrating compliance afterwards,
Katie Arrington:
I know
Patrick Spencer:
right?
Katie Arrington:
this is a long one, but I will never forget Christmas Eve in 2020, getting a call from Secretary Mnuchin at the time saying, you know, we have a small business, somehow or another they got my number. They’re in a critical program and they have ransomware. Who do we get them in contact with to help them pay that? I’m like, well, sir, we don’t pay terrorists. There’s nobody going to come to help you. So either you’re going to pay the ransomware or you’re going to rebuild your network. And the phishing schemes that are out there right now, I did a LinkedIn post a few weeks ago where if you’re not paying attention, it’s one letter in the, that you probably wouldn’t ever catch reading the email, it wouldn’t dawn on you. And there’s a thing on, a scam on the Instagram right now. Neiman Marcus going out of business, buy all Chanel bags for $252. Y’all realize that’s not real, right? It’s-
Patrick Spencer:
Hehehehehehe
Katie Arrington:
That’s the best phishing scheme I’ve seen in a minute. And our adversaries don’t, I mean, think about it. For the country that starts with an A, R and ends with an A that works so diligently for that whole fall of 2020 exploit, right? To insert malware into a software. Do you think they did it with just one? Or do you think they did it with a lot of them?
Tim Freestone:
Right.
Katie Arrington:
Electronic warfare, once you fill one hole, you find another and you will never be 100% cyber secure. Never. Because if you add a new capability, you have a bring your own device policy in your company and you have one employee let their kid play on the phone and do… It’s that much of a risk. Like one… employee can bring you down. Think about that.
Tim Freestone:
Yep.
Patrick Spencer:
Well, we’re going to have to schedule a follow-up podcast with you, Katie, to your point, because there’s a plethora of other topics that we would love to cover with you.
Katie Arrington:
Oh, and I, you know, absolutely, because the next thing, right, is the government, the DOD is coming up with supply chain risk management requirements, and cyber is one of them, and they know
Tim Freestone:
Mm-hmm.
Katie Arrington:
how you’re doing it. So bring me back anytime. I love to, you know, you guys are great. I love to talk to you. Thank you for allowing me to, you know, take your Friday afternoon and listen to me. But for anybody that’s listening, you know, procrastination in this is something you cannot afford to do. The adversary is openly targeting you. You may not think it today. You may think you’re inconsequential. I’ve said this a thousand times and I’ll say it a thousand more. One team, one fight. We are only as good as the weakest link in our supply chain. Think about that. And I hope that we can start sharing risk information freely because risk is a four-letter word that people say is bad, but I say risk is something, if you take it on the upside and you have risk mitigation, it’s a good thing to share risk.
Patrick Spencer:
Make it all better. Yeah.
Tim Freestone:
Sure. Great.
Patrick Spencer:
Well, Katie, thank you so much for your time today. This has been a very thought-provoking conversation and we’re going to take you up on our offer and have you back for a subsequent podcast show for certain.
Tim Freestone:
Yeah, next, please.
Katie Arrington:
Well, thank you for your time, your attention, your dedication to this nation for cyber security, the fact that you have been in it for so long. I’m glad that cyber warriors are allowed now to let their freak flag fly and fly high, don’t take it down. Don’t let them put it down. And for anybody on the podcast that’s listening and you are a CISO or you are in your company and you’re struggling with getting the C-suite, who really needs to have the culture. Please reach out to me on LinkedIn. And I have, I don’t, I say this to everybody, I don’t charge any money. If you want me to discuss with your corporate leadership why it’s important, bring me in, I’ll tell them. And you can take it from the horse’s mouth of somebody that was in the Pentagon and explain it to them Barney style.
Tim Freestone:
Hehehe
Patrick Spencer:
Hahaha!
Tim Freestone:
That’s a great, great way to end the podcast. Appreciate it, Kate.
Patrick Spencer:
They’re crazy not to take you up on that offer, Katie.
Katie Arrington:
Well, I, so I spend probably four hours a day doing it every day because I believe in this country and I believe in what we are, the beacon on the hill. And remember, we may not be a perfect country, but we are the best on this planet.