Speaker News

Katie Arrington: DoD to Soon Announce ‘Pathfinder’ Contracts for CMMC

Katie Arrington



Katie Arrington: DoD to Soon Announce ‘Pathfinder’ Contracts for CMMC

Katie Arrington, the Department of Defense’s chief information security officer for acquisition and sustainment and a 2020 Wash100 winner, said the agency is set to name the first 15 contracts that will serve as “pathfinders” for its Cybersecurity Maturity Model Certification program. 

During AFCEA’s TechNet Cyber conference held on Dec. 1, she added that the Pentagon expects to announce the initial pathfinders soon as the defense industry awaits the number of vendors to be affected by the decision, the Federal News Network reported Thursday

The first set of procurements will constitute the initial real-world application of CMMC, the initiative the agency has been developing since 2019 to enhance its cybersecurity efforts. For the time being, procurement officials have only used the model to contracts in non-punitive tabletop exercises, and without disclosing the contracts involved.

Arrington said CMMC will be in full swing in October 2025, when the full framework will be used for all defense contracts. She added that every vendor earning a contract will need to secure a certification from a third-party evaluator, at whichever of the five CMMC levels contracting officials consider appropriate for the work involved.

“These three clauses are a big deal, and they’re changing the game,” she said. “No longer is the government doing just trust, we’re actually going to verify. And security is now an allowable cost.”

There will be plenty to learn from the initial pathfinder contracts, and DoD and its contractors will likely need every moment of the five years the department has built into the schedule before the full implementation of CMMC, according to Arrington. 

“The biggest change is when I write a contract, I’m going to be required to determine the CMMC levels of the tasks that are in that contract. And some of the discussion we’ve been having as a team internal to DISA, is whether there is a way to standardize how we assign CMMC levels to contracts,” she said.

Potomac Officers Club Logo
Sign up for Potomac Officers Club's daily briefing
Receive updates on events and relevant news

Category: Speaker News