… to push back CMMC.
Why am I so sure CMMC is going to happen?
Follow me on this…
(Updated CMMC Rollout Timeline at the end of this report.)
Back on November 21st, 2025, long before DOGE was put into effect, Katie Arrington spoke as an audience member at CEIC East during a session hosted by Mark Berman and Bob Metzger titled, The NOW and Future of CMMC. She said:
“And the last little thing that I’ll add is the DOGE, whether it really happens or doesn’t happen between Elon and Vivek. I know them both. I’ve talked to them about the CMMC. I said, “Is this is something you’d even consider taking out.” They said, “Hell no. This should be something every company in America needs to have.” So, look at it growing not shrinking.”
We all know who Elon and Vivek are…
So, who is Katie Arrington?
Well… she started CMMC.
Katie Arrington's journey with the Department of Defense (DoD) began in January 2019 when she was appointed as the first Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense (Acquisition and Sustainment). Shortly thereafter, she conceived of a "unified cybersecurity standard," and starting in March 2019, she, along with a small, dedicated team, began developing the Cybersecurity Maturity Model Certification (CMMC).
Remarkably, within just one year, their hard work paid off, and in January 2020, the CMMC 1.0 documentation was released, setting a new benchmark for defense contractor cybersecurity standards.
Put another way, CMMC is Katie Arrington’s project. She conceived it, and she drove it.
That is, until the political landscape changed. In May 2021, she was placed on administrative leave due to allegations of improperly disclosing top secret information. She resigned in protest in February 2022.

2025’s Changing Tide
Things are different now with the new administration.
Katie Arrington is back!
On March 3rd, 2025, Katie Arrington was appointed as the acting Chief Information Officer (CIO) for the DoD by the Secretary of Defense, Pete Hegseth. This came shortly after her earlier appointment as the CISO for the DoD on February 18th.
The founder of CMMC is now the DoD’s CIO.
A Powerful Statement
What else has Katie Arrington had to say?
In February, around the time of her appointment to CISO, Katie Arrington recorded a message on LinkedIn where she stated the following:
“Let’s talk about the President’s Executive Order and the hold on regulations. Folks, the CMMC, the 48 CFR, all that’s already gone through. It’s not about the CMMC. I just need you all to know, it is not pausing. Nor does the 32 CFR fall into this effect. So, all you people out there that are saying, “oh this is gonna affect the CMMC.” No no. This is much bigger than the CMMC.
“The CMMC is going to stay in place. There’s no question about that, folks. And for the DOGE, those people that think, “it’s gonna cost too much”—we lose every single day in the Department of Defense, in the industrial base, over $180 million a day. So, all of the naysayers just stop. You’ve had your 5 to 6 years of saying “nay.”
“This is going to happen. And I highly suggest you get off of the, “no they’re gonna undo this.””
Put succinctly, Katie Arrington is emphatic that CMMC is happening and is here to stay.
Frankly, it seems rather clear she’s been hired as the DoD’s CIO to make sure CMMC happens.
Looking back, it's no surprise that Donald Trump's Executive Order 13800 in May 2017, which required a cybersecurity report, spurred the development of CMMC.

What does DOGE have to say about CMMC?
Not much.
In fact, there is no publicly available document coming from DOGE I could find that specifically mentions CMMC.
However, Section IV of the DOGE Executive Order, Modernizing Federal Technology and Software to Maximize Efficiency and Productivity, is suggestive of overarching technological upgrading and expansion, not diminishment.
That said, to be fully transparent, a few cybersecurity and compliance subcontractor contracts have been axed in the last couple of months. The specific conditions behind these contract cancellations are unknown to me.
The Takeaway – CMMC is Charging Forward
The fact that CMMC went into effect under Title 32 in mid-December 2024, plus Katie Arrington’s appointment as DoD’s CISO, and then CIO less than a month later, is enough weight, in my opinion, to fully tip the CMMC scale.
Here is Title 32:
You can even check the DoD CIO’s website and see that “Level 2 Self-Assessments are Operational in SPRS effective 28 Feb 2025”
https://dodcio.defense.gov/cmmc/About/
The page also gives a rather thorough description of what the CMMC requirements are.
Katie Arrington is serious about CMMC!
But Wait! There’s more…
Title 48 Final Rule: Let’s not forget Title 48, which is on track for publication by June (some say sooner, perhaps as early as April) and which formalizes the DoD’s process for requiring CMMC in DoD contracts under DFARS.
Title 48 will be issued for an additional 60-day review and likely become effective no later than August 2025.
This means that on the effective date there will be a formalized process for the DoD to require CMMC in their contracts.
Here is the proposed Title 48 rule published in August 2024:
FAR CUI Proposed Rule: To add to this is the FAR CUI Proposed Rule released in mid-January 2025. This proposed rule brings in both the GSA and NASA to collaborate with the DoD in revising the existing FAR language that defines CUI, and to support a harmonization of CUI requirements on Federal contracts.
The expectation is that a standardized “CUI Form” will be established for all Federal Agencies.
Here is the current FAR CUI Proposed Rule published January 2025:
CMMC Timeline
To boil it down, CMMC will be rolled out and CUI will have much greater definition.
Hopefully, this will simplify the already challenging compliance process.
Yes, it’s happening. The train is coming.
The options are:
- Prepare and get on board.
- Choose not to ride, step aside, and let the train roll on by.
- Or get clipped or run over by not preparing in time.