
Katie Arrington on When DIB Organizations Should Get CMMC Certified: "A year ago”
Anna Fitzgerald
Senior Content Marketing Manager
Asked when organizations should think about getting CMMC compliant, Katie Arrington’s reply at the Secureframe National Cybersecurity Summit was: "About a year ago or, I don’t know, 2017 when it was required by law."
Previously Performing the Duties of the Department of Defense Chief Information Officer (PTDO CIO) and, before that, Assistant Secretary of Defense for Acquisition, and now CIO at a DIB vendor, Katie Arrington helped develop CMMC in the public sector and is implementing it in the private sector. Equal parts policy architect and industry operator, she remains an impatient advocate for organizations still sitting on the sidelines.
“Why wouldn't you do these things? Tell me. In this age, when you have models out there that can go through and find vulnerabilities in your system in a millisecond, why wouldn't you be doing your utmost best?…Why aren't you following the guidelines the government has set?”
The major message of her keynote: CMMC is here and actively being enforced, but still fundamentally misunderstood by the organizations treating it as a compliance checkbox.
“We have to realize this is not a compliance issue. This is about business survivability and national security. This is about supporting the warfighter.”
When should you have gotten compliant? Years ago.
When asked about the enforcement timeline, Arrington didn’t point to Phase 2 of the DoD rollout. She said organizations should have been compliant years ago.
The underlying security requirements of CMMC aren’t new. NIST SP 800-171 Rev 2, the standard CMMC Level 2 is assessed against, has been a legal requirement under DFARS 252.204-7012 since 2017. What CMMC added was accountability: it makes those cybersecurity requirements a contractual condition rather than something too many organizations had been “[putting] on POA&Ms and not taking seriously," she said.
This is what people still misunderstand about CMMC, Arrington explained. "If you were paying attention, it really was never a DoD CIO program. It was an acquisition program."
It's now showing up in contracts and other transaction agreements (OTAs) for the Army, Navy, and Space Development Agency (SDA), and is being actively flowed down by major prime contractors, including L3Harris, Lockheed Martin, and General Dynamics.
“You can't keep doing business the old way in the Department anymore. They want it competitive, they want many options. If you're not secure and ready to do the work, they're going to move to the next player.”
CMMC is even extending beyond the DoD. NASA and other civilian agencies are already including CMMC requirements in contracts, she said, and it is spreading into the private sector as well. In her current role as CIO at IonQ, a DIB vendor, Arrington stressed that she's now subject to the same requirements she helped build, with no grace period. But she’s also using those requirements as a benchmark to assess her own suppliers, even the ones that aren’t doing federal work.
“As a CIO at a publicly-traded company, that's what I'm doing to ensure security and compliance. And I'm not the only one doing that,” she said.
"If you're not doing [CMMC], then you don't plan on being in business with the government for long or in business, period, in my opinion."
CMMC isn’t a checklist, and "it won't happen to me" isn't a strategy
The thread running through Arrington's entire session was a frustration with how CMMC gets framed: as a bureaucratic hurdle rather than a reflection of actual security posture, and as someone else's problem rather than an existential business risk.
“What the government is using it for is an insurance policy that you have the right cybersecurity culture and posture,” she said. “It's not a checklist. It never was a checklist.”
To understand the true importance of CMMC, just look at how much ransomware was paid out in the past year, she said. According to Chainalysis, ransomware actors received at least $820 million in payments in 2025, with the United States as the most targeted nation globally.
Her advice for security practitioners who feel like they're pushing uphill internally is to use this as a jumping-off point with leadership. Start the conversation with your CEO and CFO by asking what they'd do in the event of a ransomware attack, she said. Do they back up data? What's the policy? What's the most critical data they need to protect?
“These are things that CMMC makes you start to think about as a cyber culture. It's not a checklist,” Arrington repeated. “It's to create a mindset around what you need to do to protect your environment.”
For organizations still unconvinced of the stakes, she returned to an example she's used before: the F-35. The aircraft was a classified program unknown to the public for years. Within six months of its public reveal, China launched a plane with a strikingly similar design.
“Do you think the prime leaked that information, or do you think a sub that didn't have proper markings on the data got infiltrated and they picked it from there?”
Adversaries are actively targeting smaller subcontractors and infiltrating their non-classified systems precisely because those systems are less protected. "They're there. They may not have made themselves aware to you, but they're there and waiting for an opportune moment."
"We're almost like ostriches burying our heads in the sand going, 'Oh, it won't happen to me.' It absolutely is going to happen to you. It’s just a matter of time.”
She pushed back against the idea that smaller organizations aren't “important” enough targets, emphasizing that protecting sensitive defense information is a collective responsibility.
"We are all one team, one fight. We are all here to support the warfighter," she said.
“So why aren't you, as a company, taking this seriously, going and getting an audit, finding out where your gaps are, and filling them for business resiliency?”
You’re responsible for getting secure, but you’re not alone
Arrington closed with a reframe that cut against the most common complaint about the program: that it's too expensive and burdensome for smaller organizations.
“CMMC is a business enabler, not a business hindrance,” she stressed. “Why wouldn't you want to say, I'm CMMC Level 2 certified?”
Primes are actively seeking out compliant subcontractors and want their subs to succeed because the supply chain depends on it.
For subcontractors, even achieving Level 1 and then being transparent with primes about gaps and having a clear POA&M and remediation timeline is a stronger position than having no cybersecurity posture at all, she argued.
"Be honest about it because they're going to find out,” she said. But they will also likely want to help you get compliant, especially if you’re a niche small business.
“Primes need smalls, and they also want to nurture those businesses to get to ‘good,’” she explained.
Those that are struggling to level up their cybersecurity have resources and an entire community they can leverage.
The Navy's N-CODE program helps micro-businesses navigate certification. The Army, DoD's Project Spectrum, and the Small Business Administration all have support programs. There's even a reimbursement program: organizations that earn CMMC certification may be eligible to recoup costs through a government apprenticeship program.
"The government wants you to do this," she said. "You're not alone."
Her closing message was simple: stop waiting and stop treating this as someone else's problem.
"This isn't going away, so why are you putting off the inevitable?”
Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.