A
All right, folks, it is May of 2025. We are fresh off of CS2 Reston, and conspicuously missing from CS2 Reston was Katie Arrington, currently performing the duties of the DOD CIO because she was up the road at Tech Net Baltimore. And if you missed it, if you've been living under a rock, if you haven't read the articles about it, boy, oh, boy, do we have some clips from her keynote address. For the people out there who think that CMMC isn't happening, that's what we're going to talk about today.
B
Let's just face it, Jacob. Whenever Katie takes the stage, there is the opportunity for you to have an "oh" moment, right? Like the "oh, I can't believe that that just was said," right? I can't believe she put it that way. Finally, it's clear. It's as present in point of day. And I think that from the feedback from TechNet Cyber, some of the things in which she said is going to leave you thinking like, oh, finally somebody said it right.
A
Back in the day, circa 2019, 2020, when Katie Arrington spoke, people listened. It was headline news. We didn't have a podcast. Things have changed over the years and now we have a podcast. And for some reason, that still is puzzling to me. People aren't listening when Katie is talking. So we're going to go ahead and just use this opportunity to provide to the people the things that Katie's saying, because it isn't just an "oh" moment. This is an "oh, shiitake mushrooms" type of moment. But we'll just let Katie speak for herself here. Oh, no, this is the start of her keynote.
C
So what big things is a CIO up to? Anybody hear about that thing called the CMMC? Yeah, it's happening, so knock it off. All right?
A
Look at.
C
The industry doesn't understand it's happening. I don't know what more of a statement the president could have made than putting me in the position he put me into. That was not by mistake. CMMC started in Trump 1. It will finish and start and be implemented in Trump 2, the end. Story's over. Let's move on.
A
Well, so, I mean, listen, these are exact. No hate at all. This is exactly what we've been telling people for years, right? This is exactly what we've been telling people. You have to know the bigger picture of how CMMC started, what happened with rulemaking, how CMMC is going, and when you zoom out far enough, it is inevitable that the program will execute. If you stay zoomed in on little tiny wrinkles and hot takes on social media and this and that, your confirmation bias can lead you to believe that it's not happening and that you have more time. This is the lady in the office of the DoD CIO who is in charge of CMMC, who was the lady who was charged with creating the program in the first place just a couple years ago. Don't take it from us. That's how she opened her keynote at the major AFCEA TechNet Cyber Baltimore event with all the DoD people, all the primes, everybody from the government inside the beltway. That's her message.
B
Okay, so first, when she came off stage, you knew it was going to get serious. But the face in which she was making when she hit the "knock it off," right, had me, like, with PTSD flashbacks of my mom yelling at me and my brother because we were doing something out in public we probably shouldn't have been doing. Just hitting us with the quick "knock it off" in the face. And we knew it was time to straighten up. Yeah, I mean, dude, command coming off the stage, foot hitting the ground. That CMMC thing, it's happening, case point, instant. It's right. Like within the first minute.
A
Yeah, I mean, that's that as she's walking down the stairs to do her walk-and-talk thing, which Katie is famous for. Yeah, that's how she talked about it. It was just Mother's Day. Everybody loves their mom. Moms are great. Katie even talked about her mom later on during the presentation. Let's hear what Grandma had to say.
C
Fine. Right? My mom lived by three principles. They were real simple. Right. You only put down your fear if you're putting it down. Ask yourself, why. If you're putting down the CMMC, why are you putting it down? It's only an audit measure for you to do what you were contractually required by law to do since 2014, which is implement the NIST 171.
A
Mom's always right. Mom's always right. We love our moms around here. We're big mama's boys. And Katie's mom knocked it out of the park. What have we always been telling people? CMMC is not the set of requirements. CMMC is not a new set of requirements. CMMC is not constantly subject to change, and it's always adjusting and this and that, and we can't predict what's going on every time. Over the years, people have said, oh, it's new, or, oh, it keeps changing, when under the surface DFARS 7012 and NIST SP 800-171 have been unchanged for almost a decade, if not longer, depending on when you start counting. Then you are inadvertently exposing yourself as not knowing what's going on, at best, if you're saying that it's constantly changing. So, as Katie said in a different version of what we always say, CMMC is not the thing that's making you do the requirements. It's making sure you did the requirements. It is a verification program for existing cybersecurity requirements that you were subject to via other contract clauses. We just are in the middle of a series on the DFARS cyber series of contract clauses. We're about halfway through. Check out the links below if you need a refresher on what DFARS 7012 is. But you know, just like Katie's mom said, if you're putting it down, it's because you got to ask yourself why. So everybody that's like, oh, CMMC this, CMMC that. Why? What's the problem? It's just proving you're doing the thing you said you were doing.
B
Yeah, exactly. So if mom's always right, Grandma is definitely 100% of the time always right. And if grandma's saying it, and I just want to touch back on that, you only put down what you fear. And we've noticed that people are putting it down because they're scared of it. Because normally in human nature, people are scared of things that they don't know about or they are unaware of. Right. Or that simply they just can't do. They're fearful of doing right. And one of the things that you said was that, you know, and we've said it all along, is that CMMC is not what's making you do the requirements. It's just making sure that you did the requirements right. Just, just in case. But in a lot of cases, what we're finding out is CMMC is letting people know they should have been doing the requirements and they haven't.
A
Well, funny that you say that. Funny that you say that. We've got great rapport on this show. It's funny that you say that Katie had something to say about CMMC being the thing that is causing people to realize that they have requirements to do. During the Q&A session at the end of her presentation, let's hear what Katie had to say.
C
Am I going to hire it out? But right now, if you want to be in the defense industrial base, a few things on the CMMC. Number one, if you didn't build it into your rate because you weren't doing it, shame on you. I can't tell you how to run your business, but shame on you. You missed out. Why do you think that there are so many False Claims Act cases happening right now? How many do we see? I know we just saw three in the past week, but when the government said to you to be compliant, you must do the NIST 171, and so many of you checked the box and then you wrote a POA&M and you said, I'd get to it. I can't tell you how to build your rates. You should have built your rates based on the requirements the government gave to you. And if you had a POA&M, you should have resourced in your rates how to get to that POA&M. So talking to me about how hard it is after the law went into effect in 2014, do you all realize that the NIST 171 was law since 2014 and we are still complaining it's too hard in 2025 while we were losing on average $250 million a day in the defense industrial base.
B
I'm not laughing, but it's like I'm taking in breaths of fresh air.
A
Jacob, people forgot. You forgot. Listen, I know it says Summit 7 on the polo. I know we sell things, but you could go find this information for yourself. We put the information out for free. We're not charging for this information. A lot of people forgot right when they announced CMMC 2.0 in November of 2021. From that time all the way up until July of 2023, you could not go anywhere without the DoD talking about CMMC, even after Katie left. So even if you didn't like Katie, disagreed with her, the politics, whatever, right? Other appointees inside the DoD from a different administration were still constantly talking about the critical importance of this program because the program was solving a problem that wasn't made up, right? Not only is it a statutory requirement, you still have a problem with the fact that the department has zero assurance over the protection of its data that it's paying people to implement and it knows that it's not being done. So then we go into this long period of like 14 and a half months after the 32 CFR CMMC rule was published, where the DoD is not allowed to comment on the program because they're in the middle of rulemaking. And everybody said, well, I haven't heard anything. These crazy guys on this podcast keep talking about it, but I haven't heard anything from anybody like Katie. So I guess it's not happening. Boom, the rule is done. It goes into effect. There's a hundred companies that have CMMC Level 2 certifications. Katie gets put back in charge of the program that she started, and this is what she has to say about it. So I'm not here to tell you that I told you so. What I'm here to tell you is that if you don't believe it when we say it, how about when the DoD CIO says it? How about that?
B
And then, so some people may comment on maybe the attitude. I don't want to say attitude, but basically the manner, or the way, that she delivered. Yeah. People absolutely hate.
A
People hate the tone.
B
Think about this. Think about. For 11 years, you've been telling people that you need to do this.
A
And.
B
And for 11 years, they're signing a paper saying, yeah, we're doing that. Give us more money. And then when it comes time for you to be like, okay, those things that you said you've been doing for 11 years, or.
A
Or the fact that the government knows that you're not implementing the requirements. The government knows that.
B
It's still giving these nice, like, friendly nudges.
A
Like, well, they know. They know that you haven't implemented the requirements. They know that they've experienced direct harms on capabilities inside the joint force across various weapon systems. Right. They know that people are continuing to shirk their responsibilities on contract. And then as soon as the government comes up with a program that says, we'd like you to prove that you're implementing these things, please, everybody goes, you're being ridiculous. You're the one that's being insane. You're the one that's crazy. And you're like, are you nuts? Like, it's amazing that they're as restrained as they are. I certainly would be. I couldn't do that job. I'd be on stage freaking out. So people, listen. It comes down to this. People don't like Katie's attitude. They don't like the way that she communicates. But the only time anybody pays attention to this stuff is when she gets in their faces.
B
Yeah. Nobody wants to pay the light bill for an entire decade, but everybody wants to turn on the power switch.
A
There you go. So don't take it from us. Take it from Ms. Arrington herself. She's easy to get a hold of. She'll talk to you on LinkedIn. If you message her enough, she'll respond to posts. She's out here communicating, just like she was back in the day. We'll add a link to a bunch of her interviews and a bunch of statements that she made in various articles back in April. But it just isn't getting the traction that it got in 2019 and 2020. And I'm here to tell you, we're here to tell you you need to be paying attention to what's going on because if you told yourself you got a bunch of time or it's not happening, you were wrong. You were 100% wrong, and Katie will tell it right to your face.
B
So in that down period between Arrington Era One and Arrington Era Two, right, we'll name it that, see if it catches on. In that downtime, we would be lucky to maybe get, you know, a Stacy coming out or somebody else coming out and speaking about the program. Stacy was pretty blunt as well, but not as bluntly as this.
A
Right.
B
But you would usually get it on rare occasions, maybe once a quarter or something like that. I don't think this is Katie's only appearance. Right. Like this is not Katie's only time within the past two weeks talking about it.
A
Yeah, she got appointed. She got put into this position in March. She was given a bunch of statements in April, which we'll link below, gave this keynote just last week. So, you know, pick your flavor of how you'd like to get this information. But she's extremely consistent in what's going on and this isn't any different than what she said in 2019 and 2020. So, you know, we'll have an update episode coming up on when we think the rule and stuff is happening. But it's still very confident that that's happening sometime summer, fall of this year, if not faster. But this is why we said that it would go faster than average, because you got people like Katie back in the building running the system. So there you go. We'll put the links below. Don't shoot the messenger. You can ask the boss lady herself, and we'll see you next week.
Episode: DoD CIO: Stop complaining about CMMC
Date: May 15, 2025
Host: Summit 7
This episode centers on the recent no-nonsense keynote delivered by Katie Arrington, the Department of Defense's acting Chief Information Officer (DoD CIO), at Tech Net Baltimore. Arrington, known for her blunt communication style and as a driving force behind the Cybersecurity Maturity Model Certification (CMMC) program since its inception, addressed industry skepticism and complaints surrounding CMMC. The hosts dissect her statements, clarify misconceptions, and stress the urgency for defense contractors to comply with existing cybersecurity regulations.
“CMMC is happening, so knock it off” ([01:43])
"Anybody hear about that thing called the CMMC? ... it's happening, so knock it off. All right?"
— Katie Arrington ([01:43])
Presidential Endorsement and Bipartisan Longevity ([01:54])
"CMMC started in Trump 1. It will finish and start and be implemented in Trump 2, the end. Story's over. Let's move on."
— Katie Arrington ([01:54])
The hosts note that such bluntness is both refreshing and necessary, recalling how impactful Arrington’s statements were in the early days of CMMC discourse ([00:37-01:16]).
Not a New Set of Requirements ([04:23])
"It's only an audit measure for you to do what you were contractually required by law to do since 2014, which is implement the NIST 171."
— Katie Arrington (channeling her mom) ([04:23])
Arrington confronts contractors who failed to integrate compliance costs into their pricing:
"If you didn't build it into your rate because you weren't doing it, shame on you... you should have built your rates based on the requirements the government gave to you."
— Katie Arrington ([07:33])
She connects this shortcoming directly to the increase in False Claims Act investigations, emphasizing that compliance has been a legal requirement for over a decade.
Key statistic: The defense industrial base continues to lose an average of $250 million daily due to cyber shortfalls ([08:53]).
Frustration Over Unheeded Warnings ([09:00-12:25])
"For 11 years, you've been telling people that you need to do this. And for 11 years, they're signing a paper saying, yeah, we're doing that. Give us more money..."
— Host B ([11:09])
The “Knock It Off” Moment
"That CMMC thing, it's happening case point, instant. It's right. Like within the first minute."
— Host B ([03:26])
Mother’s Wisdom on Resistance
"You only put down your fear if you're putting it down. Ask yourself, why. If you're putting down the CMMC, why are you putting it down?"
— Katie Arrington (quoting her mom) ([04:23])
On False Claims and Accountability
"You wrote a POA&M and you said, I'd get to it. I can't tell you how to build your rates. ...the NIST 171 was law since 2014 and we are still complaining it's too hard in 2025..."
— Katie Arrington ([07:33])
On Industry Fatigue with the Message
"People don’t like Katie’s attitude. They don’t like the way that she communicates. But the only time anybody pays attention ... is when she gets in their faces."
— Host A ([12:25])
For those still skeptical or behind on compliance, Arrington’s message couldn’t be clearer: it’s time to stop complaining and start validating.
Links to referenced statements and interviews by Katie Arrington are available in the podcast episode notes.