Katie Arrington: Change Is Good and Change Is Coming
From empowering the cyber workforce to ensuring the Department of Defense (DoD) meets its fiscal year 2027 zero-trust requirements, Katie Arrington expresses confidence about the future of the defense industry, as well as the nation as a whole. Performing the duties of chief information officer (PTDO CIO), Arrington shared her firm belief in the opportunities of change. And change is coming.
"The secretary [Pete Hegseth] has made it very clear—we are here for the warfighter, and our job is to give them the best options, the best technology, the best chance of survival, because our country is the beacon on the hill around the world," Arrington said. "Our republic, our democracy, is so critically important to the rest of the world that we need to do the very, very best."
Today, in her role as PTDO CIO, Arrington is building on the moment and pacing forward. Having been one of the trailblazers of the Cybersecurity Maturity Model Certification, commonly referred to as CMMC, Arrington discussed its progress and crucial role for national security. “She’s growing,” Arrington stated. “We’re waiting for the final stages, I believe, and I’m fairly certain Army’s going to be the first one out of the gate with CMMC requirements.”
Initiatives like the CMMC are vital, she said. “Nation-state attacks are something that we’re feeling every day, and we lose on average about $200-$250 million a day in the DIB, the defense industrial base, due to data loss, ransomware, IP [intellectual property] theft, etc.,” Arrington continued. The current administration is coming up with new ideas to shorten the timeframe of accomplishing critical objectives such as CMMC. And for skeptics and critics who state concerns over additional cost and expense, Arrington shared her thoughts.
“We need people to learn how to do this. We cannot give you free technology to get smart and good and brought up on cyber because our adversaries aren’t just looking at this particular program, they’re looking at the whole, so we need to elevate,” she said. “Rising tide makes all the boats go up.”
Arrington therefore noted several conversations taking place with the federal CIO about federalizing CMMC.
When it comes to zero trust, Arrington expressed confidence in the entire department meeting the end of fiscal year 2027 goal of full implementation. “Have you met me?” she asked in response to SIGNAL Media’s question on the topic. “I’m pretty intense. My nickname is LD, Little Dynamite. We’re going to get there by ’27,” she stated. “Lives depend on it, democracy depends on it and Congress has afforded us the resources,” she said, stating that this is a team effort from all CIOs. And while obstacles are unavoidable, Arrington says there is strength in failing early, failing often, learning and moving forward. “We must get there,” she emphasized.
With constant software changes, zero trust will continue to evolve, and policies will have to follow suit. “We need dynamic capability,” Arrington stated, noting the common static behavior of policies.
While Arrington’s years of service to her nation span over various industries, the beginning of her journey was much more personal.
“I was a military wife and I had this beautiful little boy, and we were sent from Fort Drum down to Walter Reed for about six months,” she stated during an exclusive interview with SIGNAL Media. “[My son] had massive surgery two times, 200 titanium plates in his head. And that is the basis of why I do what I do . . . I owe this country, I owe this nation, I owe the taxpayers; they saved my son’s life.”
She went on to create and help certify the first special needs, exceptional family member daycare as part of the U.S. Army Family and Morale Welfare and Recreation, also known as Army MWR. Arrington consequently became a GS employee for MWR and later helped write Army Regulation 608-10 on child development services.
Her introduction to the crucial importance of data, and therefore cybersecurity, stemmed from her former husband Doug’s time in Iraq, she said, not providing a last name. “May 24, 2007, he was there training the Iraqi police force, and on their off day, they were driving perimeter tours,” she said.
The vehicle was struck by an improvised explosive device, or an IED. The vehicle had been previously reconfigured, and the communications box was moved, which caused a disruption in Doug’s headset. “Doug saw the storm drain was not on right and yelled ‘halt’ and nobody heard him,” Arrington said. The IED was hidden in the drain, later detonating and killing everyone but Doug, who was ejected from the vehicle, and one other soldier.
“That was my calling, and that’s how I started this career,” Arrington said, referencing the start to her time in industry and becoming immersed in the world of cybersecurity. As a legislator, she was appointed to serve on South Carolina Cyber following the 2012 social security breach, which exposed 3.6 million numbers, according to reports. “We did not have a cyber emergency plan for the state, and understanding the challenges that were in that, it was because it was unencrypted that that breach occurred and just became incensed that this was my passion and calling,” she stated. Arrington then went on to start her own small business, later to become the first chief information security officer of acquisition and sustainment at the DoD.
This is a time of change, and change is good …
To meet the growing demands of a rapidly changing landscape, the cyber workforce must adjust and remain resilient. Arrington noted her team’s work on Cybercom 2.0, which redefines the cyber workforce. “There are things that need to be updated,” she said, citing that DoD 8140 did not include artificial intelligence when it was first written. The evolution of such policies will require industry and academia participation, she stated.
“Do we need programs in software development to help people program better? Do we need to change regulations on that? I don’t know,” Arrington stated. “This is the time of ‘let’s look and really think about it,’” she went on, further emphasizing the need for “coordination with industry, the actual operators, the people behind the terminal and the academics to make sure that they’re getting the right curriculum together to support what the operator is having a problem on and working through.”
The cyber workforce is Arrington’s first line of defense, and policy changes, along with updated training and new certifications, are coming. “And we should be excited about that,” she said.
Arrington also shared her passion for investing in younger generations. Kids in secondary and middle tier education—and even younger, she said—should be brought up with science, technology, engineering and mathematics (STEM). “If we don’t understand how technology works, you will always work for technology,” Arrington stated. “Anything that my office can do to support the training, the education, the advancement, 100% is a priority for us.”
The team is additionally working on products to help identify vulnerabilities in software to then remediate and centralize the information for the DoD to use in a holistic way.
“This is a time of change, and change is good . . .” Arrington repeatedly told SIGNAL Media. “We need to be doing things that are right for the warfighter at the time of relevancy.”
For more on the Defense Department's cyber efforts, be sure to read the May issue of SIGNAL Magazine and register for #TechNetCyber 2025, taking place May 6-8 in Baltimore.
