Top Pentagon cyber official investigated over disclosure concerns
The Pentagon official who has been overseeing its new cybersecurity initiative for defense contractors has been placed on leave in connection with a suspected unauthorized disclosure of classified information from a military intelligence agency, according to an official document.
Katie Arrington, chief information security officer for the Pentagon’s acquisition and sustainment office, was informed May 11 that “her security clearance for access to classified information is being suspended” as “a result of a reported Unauthorized Disclosure of Classified Information and subsequent removal of access by the National Security Agency,” according to a memo made available to Bloomberg News.
The National Security Agency, which is part of the Defense Department, gathers some of the nation’s most sensitive signals and eavesdropping intelligence from foreign adversaries, mostly via satellite.
“If this preliminary decision becomes final, you will not be eligible for access to classified information” or “assignments to duties that have been designated national security sensitive,” the memo from the Office of the Under Secretary of Defense for Acquisition and Sustainment said.
The memo to Arrington provided no details about the possible disclosure of information. Pentagon acquisition spokesperson Jessica Maxwell said the department can’t comment on any questions about Arrington’s status.
“Absolutely no decisions have been reached regarding any aspect,” Arrington’s attorney, Mark Zaid, said in an email. He confirmed the content of the memo, saying that “when faced with such programmatic allegations DoD would routinely open an investigation as a matter of course. This is how the system works. Accepting an investigation, however, doesn’t prejudge the merits.”
Arrington is on administrative leave during the “preliminary investigation,” the “specific details of which have not been made known to us,” Zaid said.
“She has neither been fired nor had her security clearance revoked,” he said. “We look forward to an opportunity to completely clear her name and her return to work.”
Arrington is a former two-term Republican state representative from South Carolina who ran an unsuccessful campaign for Congress in 2018 that emphasized her private-sector cyber experience. She was brought into the Pentagon in 2019 under the category of “Highly Qualified Expert” and later competed for and attained the nonpartisan Senior Executive Service status, Zaid said.
Her official Pentagon biography says she has more than 15 years of cyber experience “through positions at Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. These positions have given her a unique experience of supporting and work with the government at large, small, and non-traditional contracting firms.”
A U.S. official familiar with the case said Arrington’s politics -- as a Republican under a Democratic president -- aren’t a factor in the investigation, and it’s not an attempt to force her from the Pentagon. The official, who discussed the case on condition of anonymity because of its sensitivity, also said the disclosure investigation isn’t connected to Arrington’s management of the Pentagon’s ambitious Cybersecurity Maturity Model Certification system, or CMMC, which is being slowly implemented as Deputy Defense Secretary Kathleen Hicks reviews the program inherited from the Trump administration.
In 2019, Arrington took over implementing the program and attempting to build industry support for its complex certification process. She quickly emerged as a skillful ambassador, speaking at dozens of events to sell the program to the defense industry, according to Bloomberg Government analyst Chris Cornillie, who has studied the program.
Under the certification program, every company in the defense supply chain — as many as 300,000 American companies producing everything from F-35 fighter jets to computer microprocessors to office supplies and plumbing equipment — must undergo a cybersecurity audit performed by a third party about every three years overseen by an “accreditation board,” Cornillie said. It’s “proceeding at a halting pace.”
The proposed program “sets the standard for our defense industrial base” and “must be the first step in establishing a framework of safeguards” for industry, Sen. Joe Manchin said in an email. The West Virginia Democrat, who’s chairman of the Senate Armed Services Committee’s cyber panel, said during a May 19 hearing that Hicks “will be making significant modifications” to the certification process.