Katie Arrington Archives | DefenseScoop
https://defensescoop.com/tag/katie-arrington/

Hegseth calls on DOD CIO to protect tech supply chain from influence of China
https://defensescoop.com/2025/07/23/hegseth-dod-cio-cloud-tech-supply-chain-order-microsoft-china/
Wed, 23 Jul 2025 16:19:29 +0000

The order comes after an eye-opening investigation revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Secretary of Defense Pete Hegseth issued a directive late last week ordering the Pentagon’s chief information officer to take additional measures to ensure the department’s technology is protected from the influence of top adversaries.

The secretary’s order, signed Friday but first made public Tuesday, came after an eye-opening investigation by ProPublica revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Short on specific details, Hegseth’s order enlists the CIO — with the support of the department’s heads of acquisition and sustainment, intelligence and security, and research and engineering — to “take immediate actions to ensure to the maximum extent possible that all information technology capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”

Hegseth first referenced his order in a video posted to X on Friday, in which he said, “some tech companies have been using cheap Chinese labor to assist with DoD cloud services,” calling for a “two-week review” to make sure that isn’t happening anywhere else in the department’s tech supply chains.

The secretary, in both his video and the new memo, stopped short of calling out Microsoft specifically. However, a spokesperson for the company has since stated publicly that it has made changes to “assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.”

“This is obviously unacceptable, especially in today’s digital threat environment,” Hegseth said in the Friday video, claiming that the system at the center of the incident is “a legacy system created over a decade ago during the Obama administration.”

He added: “We have to ensure the digital systems that we use here at the Defense Department are ironclad and impenetrable, and that’s why today I’m announcing that China will no longer have any involvement whatsoever in our cloud services.”

The memo itself calls on the department to “fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks.” Specifically, it cites the Cybersecurity Maturity Model Certification (CMMC) — the final rule for which, as of Wednesday, is undergoing regulatory review with the Office of Management and Budget — acting CIO Katie Arrington’s new Software Fast Track program, and the FedRAMP process as existing efforts the Pentagon CIO should rely on to ensure the department’s tech is secure.

Within 15 days of the order’s signing, DOD’s Office of the CIO must issue additional implementing guidance on the matter, led by department CISO Dave McKeown.

On top of that, it taps the undersecretary of defense for intelligence and security to “review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”

Deputy CIO Leslie Beavers leaving DOD
https://defensescoop.com/2025/07/22/leslie-beavers-dod-deputy-cio-leaving/
Tue, 22 Jul 2025 13:26:08 +0000

Beavers will step down from her deputy CIO role at the end of September.

The Department of Defense’s No. 2 IT official for the past two years is leaving the role, the department announced Monday.

Leslie Beavers, who also served as acting DOD CIO for a period at the end of the Biden administration and during the early days of the second Trump administration, will step down as DOD principal deputy CIO at the end of September.

“The Office of the CIO would like to congratulate Principal Deputy DoD CIO Leslie Beavers who announced today that she will be stepping down from her position at the end of September after more than 30 years of uniformed and civilian service,” reads a LinkedIn post from the DOD CIO’s office. “From projects such as Mission Partner Environment and the standup of the Cyber Academic Engagement Office to work to accelerate Identity, Credential, and Access Management enterprise solutions, Ms. Beavers’ unique blend of uniformed, civilian, and private industry experience drove success and innovation.”

Beavers also played a key role in the Office of the CIO’s delivery of its Fulcrum IT strategy in 2024 with then-CIO John Sherman.

In an exclusive interview with DefenseScoop, Beavers detailed the genesis of Fulcrum, which has become the guiding strategic framework for the Pentagon’s IT modernization.

“It was really important to crystallize the department’s vision into what success looks like, which is what we are attempting to do here in Fulcrum because I am trying to get program managers across the department — not just within the CIO organizations, but in all the different weapon systems program offices — to make decisions a little differently, to make them with the user experience in mind, to make them with interoperability as a priority first and really defining what success looks like, and giving them that vision,” she said.

When Sherman stepped down from the CIO role at the end of June 2024, Beavers filled it temporarily until Katie Arrington was appointed to perform the duties of CIO in March. Since then, Beavers retained her deputy role, supporting new efforts under Arrington’s leadership like the Software Fast Track initiative and “blowing up” the Risk Management Framework.

It’s unclear what Beavers’ next role will be after her departure or who will take her place when she officially leaves. DefenseScoop reached out to the Pentagon for comment.

Prior to serving as principal deputy CIO, Beavers was director of intelligence surveillance and reconnaissance enterprise capabilities in the Office of the Under Secretary of Defense for Intelligence & Security and an intelligence officer in the Air Force at the rank of brigadier general. She also held roles in the private sector with GE and NBC Universal.

DOD CIO solicits industry to inform revamp of ‘cumbersome’ cybersecurity risk framework
https://defensescoop.com/2025/06/25/dod-cio-risk-management-framework-rmf-revamp-rfi/
Wed, 25 Jun 2025 20:14:32 +0000

The Pentagon CIO is seeking industry feedback on a new construct that will modernize the notoriously burdensome Risk Management Framework.

The Defense Department’s Office of the Chief Information Officer has officially kicked off its effort to improve how the Pentagon manages cybersecurity risks with advanced automation and continuous monitoring capabilities.

The DOD CIO published a request for information Wednesday on Sam.gov calling for industry’s input on emerging technologies, solutions and business practices that can support the department’s attempt to revamp the Risk Management Framework (RMF). The initiative largely seeks to replace the legacy framework with a multi-phased construct that will be demanding for cyber and acquisition professionals. Officials are hoping to speed up capability delivery to warfighters.

“Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” the RFI stated. “To meet the urgent demands of modern cyber threats and accelerate innovation, the DoD is working to streamline the RMF process — aiming for greater efficiency without compromising on security.”

While the framework has guided the Defense Department’s acquisition process for its military networks, weapon systems and other critical IT infrastructure for decades, the RMF has come under scrutiny in recent months by senior leadership. Since returning to the department in March to perform the duties of Pentagon CIO, Katie Arrington has repeatedly stated in public forums that she is “blowing up the RMF” and other bureaucratic processes known to stifle innovation.

“The RMF is archaic, it’s a bunch of paperwork,” Arrington said in April at the UiPath on Tour Public Sector event. Along with the RMF Revamp, she recently initiated a related effort called the Software Fast Track (SWFT) program that aims to streamline acquisition of on-premises software capabilities.

The RMF was designed to let the department integrate controls throughout a system’s lifecycle, including cybersecurity, operational resilience and supply chain risk management. Ensuring a system is RMF compliant is a seven-step process that results in receiving an authorization to operate (ATO) on Pentagon networks.

However, the entire framework can take weeks to over a year to complete. Even then, a military system with an ATO is required to have it renewed every three years.

According to the request for information, the CIO is considering a new “Risk Management Construct” that outlines specific actions to take across five phases of a system’s development cycle — design; build, or initial operational capability; test, or full operational capability; onboarding; and operations. The first four phases also include recommendations on where to use automation, such as by integrating a continuous-integration/continuous-delivery pipeline in the build phase or automatic vulnerability remediation during onboarding.

The document also asks industry to answer a series of questions regarding technologies and best practices the Pentagon could employ to enhance the RMF process, limit redundant compliance efforts and improve reciprocity across the department.

“Key areas of interest include [artificial intelligence-driven] cybersecurity tools, security control inheritance, artifact reuse, continuous monitoring solutions, proactive cyber defense mechanisms, security testing frameworks, and risk assessment models that support rapid integration of automation, monitoring, and active threat mitigation within cybersecurity programs,” the RFI stated.

Responses — due by July 24 — will inform the CIO’s strategy moving forward.

EXCLUSIVE: Pentagon CIO reviewing Microsoft 365 licenses as part of DOGE-related cuts
https://defensescoop.com/2025/06/17/doge-dod-cio-reviewing-cuts-microsoft-licenses/
Tue, 17 Jun 2025 21:26:24 +0000

“Our Microsoft 365 contract [is a] very big contract here in the Department of Defense. Does every individual in the Department of Defense need an [E5] license? Absolutely not,” Katie Arrington told DefenseScoop.

The Department of Defense’s Office of the Chief Information Officer is considering reducing the number of Pentagon employees who have Microsoft 365 E5 licenses, as it works with the Trump administration to rein in federal spending.

The DOD currently maintains more than 2 million Microsoft 365 E5 licenses across two separate programs — the Defense Enterprise Office Solution (DEOS) and the Enterprise Software Initiative (DOD ESI). Through the established contracts, Pentagon components can purchase software licenses for commercial Microsoft products, including Office 365 applications and other collaboration tools.

But ongoing efforts spearheaded by the Department of Government Efficiency (DOGE) have prompted the Defense Department to review how many of those licenses it actually needs, Katie Arrington, who is performing the duties of Pentagon CIO, told DefenseScoop.

“Our Microsoft 365 contract [is a] very big contract here in the Department of Defense. Does every individual in the Department of Defense need an [E5] license? Absolutely not,” Arrington said June 6 in an exclusive interview.

With the department’s Deputy CIO for the Information Enterprise Bill Dunlap, Arrington has been working alongside her DOGE representative to review individual position descriptions and multi-level securities to determine what level of Microsoft 365 E5 license that person needs, she said. Other criteria being considered include user and mission requirements for office productivity software, as well as collaboration capabilities, a DOD CIO spokesperson told DefenseScoop.

CSRA, which is owned by General Dynamics IT, has served as the lead integrator for the DEOS contract since 2020, when the company received a 10-year blanket purchase agreement from the General Services Administration and Defense Department. The program allows Pentagon components to purchase individual licenses for cloud-based Microsoft 365 email and collaboration tools on a monthly basis.

Although the GDIT-led team, which also includes Dell Marketing and Minburn Technology Group, initially received the award in 2019, the department was forced to re-compete the contract following two bid protests by competitor Perspecta. The procurement battle resulted in the GSA and Pentagon giving the contract to GDIT at an estimated value of $4.4 billion — much lower than its originally projected $7.6 billion value.

The department can also purchase licenses for software products — including from Microsoft and other vendors, such as Oracle — using an Enterprise Software Agreement (ESA) contract vehicle, which is managed by the DOD ESI. Instead of buying individual licenses through DEOS, an ESA is used to purchase software via resellers in bulk and on an annual basis.

Arrington did not say how many Microsoft licenses are on the chopping block, but emphasized that the effort is geared toward “optimizing the licenses that we have.”

A reduction in E5 licenses would be yet another cut to the Pentagon’s IT enterprise prompted by the department’s work with DOGE. Along with reductions to its civilian workforce, the Defense Department has ordered several of its IT consulting contracts be cancelled and replaced by internally sourced services — an action also being taken by some of the military departments, as well as the DOD CIO.

“On an average day we would probably put out a contract for consulting on how to optimize or automate the RMF. We didn’t do that. We went internally. We did it ourselves, and we’re going to use our partners in the industry to help, because they would be the beneficiaries,” Arrington said, referring to her ongoing push to overhaul the Pentagon’s Risk Management Framework (RMF).

The office is also reviewing its contracts with systems integrators to ensure there are no duplicative efforts underway, as well as pushing for more use of commercial-off-the-shelf capabilities, she added.

Despite challenges that may come from DOGE-inspired cuts, Arrington said that she believes the work will help the Pentagon be on a “level playing field” moving forward.

“[The Defense Department] is as energized as I’ve ever seen it. But that doesn’t mean there’s no concern,” she said. “Change is hard, but it’s definitely needed.”

Inside the Pentagon CIO’s push to overhaul antiquated software acquisition practices
https://defensescoop.com/2025/06/09/katie-arrington-swft-software-fast-track/
Mon, 09 Jun 2025 21:53:39 +0000

In an exclusive interview with DefenseScoop, acting Pentagon CIO Katie Arrington outlined how her Software Fast Track initiative will help the DOD streamline acquisition of modern capabilities.

For years, leaders across the Defense Department — as well as members of Congress and industry — have criticized the Pentagon’s inability to rapidly procure and integrate new software capabilities. Now, a key DOD official is spearheading an effort to replace outdated acquisition processes with a faster, modernized approach that leans heavily on artificial intelligence.

“We’re using technology to help reduce the time, because that’s been the real problem with software,” Katie Arrington, the senior official performing the duties of Pentagon chief information officer, said Friday in an exclusive interview with DefenseScoop. “When we bring it into the building, we have to find a lab, we have to find a person, we have to get it resourced. And what we should be doing is accepting as much as possible and looking at it rapidly, because software is only as good as it is relevant.”

Since returning to the Pentagon in March to perform the duties of DOD CIO, Arrington has waged war on the legacy processes used by the department to buy software capabilities — namely the lengthy Risk Management Framework (RMF) and beleaguered authority to operate (ATO) approvals. 

“I’m blowing up the RMF. The RMF is archaic,” Arrington told a crowd of defense industry representatives at the UiPath on Tour Public Sector event in April. She later added that by next year, she hopes that ATOs are “something I never hear about again.”

Both the RMF and the ATO process have guided the Pentagon’s acquisition process for all of its systems for more than a decade. The RMF is a structured set of guidelines used to identify and manage cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Many of the military departments have done some disparate work to automate the RMF process and embrace continuous ATOs, which use automated monitoring and security controls to approve software without need for reauthorization. But recently, Arrington initiated a Pentagon-wide effort to overhaul the RMF.

She told DefenseScoop that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs.

“Why I say an old school ATO doesn’t really hold any validity anymore is because an ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said. “But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The RMF revamp will focus on how the process can be integrated with automation and continuous monitoring capabilities for an entire program’s lifecycle, a Pentagon spokesperson told DefenseScoop. They added that the framework will remain “a structured process which integrates security, resilience, zero-trust and related cybersecurity considerations to design, build and monitor DoD technology.”

To help the department move away from cumbersome checklist-based authorizations, Arrington also created the Software Fast Track (SWFT) program that she said is designed to allow the Pentagon to integrate software capabilities much faster than currently possible. SWFT is separate from the CIO’s effort to reform the RMF, but the program looks to optimize the RMF’s software assessment process and streamline capability delivery.

SWFT will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor to see if there are any differences in the evaluations, Arrington explained. 

“When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” she said. “If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”

And while replacing institutional processes like the RMF and ATO is an arduous task, the Office of the DOD CIO is moving as quickly as it can. After Arrington announced SWFT in an April memo, the program officially began on June 1. Concurrently, the office is conducting a 90-day sprint to develop a framework and implementation plan that defines specific requirements, security verification processes, information-sharing mechanisms and risk determinations “to expedite the cybersecurity authorizations for secure, rapid software adoption,” according to the Pentagon.

Meanwhile, the office is reviewing responses it received for a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities, respectively. The CIO received over 500 responses across all three RFIs, demonstrating that industry is onboard with SWFT and eager to get the ball rolling, Arrington noted.

“I’ve committed to reading through all of them to really understand what [are] the best practices in industry,” she said. “What does real continuous monitoring look like? Do we need commercial red teams? What are risk factors if you’re doing continuous monitoring or you have a disruption in software? What are the proper and right risk mitigation processes? All of this is wrapped into acquisition, how we’re really approaching this modernization effort.”

Arrington noted that SWFT’s implementation is being done strategically and in partnership with other key stakeholders across the Defense Department, including the service CIOs, chief information security officers, the acquisition and sustainment directorate and Pentagon directorates that support command, control, communications, computers and cyber.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT, Arrington said. Some ideas her team is considering include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring.

“Industry’s part of this is going to be over the summer, and then hopefully I can get those responses [and] we can come together and start with a fundamental, new approach in early August or early fall,” she said.

Moving fast on SWFT will be integral for other reasons, as well. Arrington will exit her CIO role once President Donald Trump’s nominee for the position is approved by Congress. In May, the administration tapped Kirsten Davies — an IT and cybersecurity professional from the private sector — to serve as DOD CIO, but her confirmation hearing has not yet been scheduled.

And although the program’s attempt to reform the Pentagon’s software acquisition process has been met with positive reception — while also being in line with broader efforts by Secretary of Defense Pete Hegseth aimed at increasing use of innovative procurement authorities — Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk adverse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department, is culturally learning how to operate within that little bit of risk factor. I’ll take a 90 percent solution and work on remediating the 10 percent while we’re developing it,” she said.

Updated on June 12, 2025, at 4:15 PM: This story has been updated to add comment from a Pentagon spokesperson and to clarify that SWFT is separate from the CIO’s effort to reform the RMF.

Post-Signalgate, Pentagon CIO prioritizes secure platforms for sensitive instant messaging
https://defensescoop.com/2025/05/08/signalgate-dod-cio-prioritizes-secure-platforms-sensitive-instant-messaging/
Thu, 08 May 2025 21:24:26 +0000

DOD is moving to accelerate government and military leaders’ access to trustworthy options for communicating sensitive, real-time information, according to the official performing the duties of Pentagon CIO.

The full consequences of the Trump administration’s “Signalgate” affair remain unseen — but in response, personnel inside the Office of the Department of Defense Chief Information Officer are moving to accelerate government and military leaders’ access to trustworthy and protected options for transmitting instant communications about sensitive, real-time information.

“This is something that, when they say ‘incidents happen,’ it innovates us and urges us to make the requirement, and make the devices, and make the technology available. So, this is something that we are taking as a priority,” Katie Arrington, the senior official performing the duties of Pentagon CIO, told lawmakers Thursday.

She shed new light on those and other near-term plans during a House Armed Services subcommittee hearing about the DOD’s current IT and AI posture.

Reports first emerged in March that Defense Secretary Pete Hegseth shared high-stakes military operational plans in a group chat — via the encrypted but unclassified texting app Signal — with several of his counterparts in the Trump administration and an American journalist (who unveiled the ordeal after he was accidentally added to the group chat). Cybersecurity advocates, former military officials and members of Congress immediately raised concerns about the messages and warned that sharing classified or sensitive information on non-government platforms about planned military operations could put servicemembers’ lives at risk.

With support from President Donald Trump, Hegseth repeatedly pushed back on criticism about his Signal use — and news reports have since surfaced that the SecDef has texted in multiple other chats on the app, where Pentagon business was discussed. 

In April, the Pentagon inspector general opened an investigation into Hegseth’s participation in transferring details about impending military operations on unclassified networks. Officials involved are also reviewing whether DOD’s official policies and procedures were followed and if records retention requirements were met.

“The way we have traditionally communicated is going into a [Sensitive Compartmented Information Facility, or SCIF] and having a high-side communication, and that has been the way we have worked it for many, many, many, many years. And we’re evolving. The technology is evolving. And I will just say that it is [up to] my office, along with many others, to ensure that we come up with a real capability in real-time to allow that communication to go forward. It’s paramount,” Arrington said.

“And I’m not really fond of voice [communications]. I think that there’s enough microphones and people out there in the world that I really like the idea of text messaging and ensuring that our elite senior leaders can communicate effectively away from their offices, because the government doesn’t [just] function within the building, within the Pentagon, or within the White House, or within this building itself,” she added.

Earlier this week, Trump named Kirsten Davies to serve as the DOD’s next CIO in a permanent capacity. Until she takes the helm, Arrington is currently wearing dual hats as acting CIO and chief information security officer. During Trump’s first term, Arrington served as the department’s CISO for acquisition and sustainment. In 2021, under the Biden administration, it was disclosed that her clearance was suspended as “a result of a reported Unauthorized Disclosure of Classified Information and subsequent removal of access by the National Security Agency.” Public details are sparse, but a lawsuit associated with the scandal was settled between Arrington and the DOD in 2022.

At the hearing on Thursday, she told lawmakers that — behind one other “classified endeavor” — finding a way for senior government leaders across agencies and the White House, as well as members of Congress, “to have true secure communications on a day-to-day basis” is considered the “number two priority” in her office.

“That’s what I’m doing right now, sir, because it is paramount for me,” Arrington reiterated.

She didn’t expand on what the unfolding efforts to accelerate secure texting options currently entail. In her written testimony, Arrington pointed to one key modernization initiative that will involve producing an enterprise-wide Mission Partner Environment to underpin secure information exchanges between U.S. officials and international allies at various classification levels.

“My office’s job is to make sure that we do better for both you, the secretary of defense, the deputy, the president — everyone across the board — it’s a forcing function. It is something that is a priority for our office to make sure that we have that in rapid time. I would be more than happy to give you a classified brief on all of the efforts that we’re doing to ensure security of communications,” Arrington told lawmakers at the hearing.

New Pentagon program to speed up software acquisition set to launch May 1
https://defensescoop.com/2025/04/29/dod-cio-katie-arrington-swift-software-acquisition-ato/
Tue, 29 Apr 2025 20:59:33 +0000

The new Software Fast Track (SWIFT) program will look to improve upon legacy processes the Pentagon uses when purchasing and approving new software.

The Defense Department’s chief information officer will kick off a new program this week that aims to overhaul cumbersome bureaucratic mechanisms and streamline its ability to rapidly approve new software capabilities for warfighters.

Under the Software Fast Track (SWIFT) program, the Pentagon will use artificial intelligence to replace legacy authority to operate (ATO) and Risk Management Framework (RMF) processes when buying new software. Acting DOD CIO Katie Arrington signed a memo authorizing the new effort, and it will officially launch May 1, she said.

“We need to change our thought process, because having software in an ATO that is a static environment doesn’t help the warfighter,” Arrington said Tuesday during a keynote at the UiPath on Tour Public Sector event, produced by FedScoop. “What changes every single day is the network, the software [and] the environment. Why are we so structured to stay in a static position when our adversaries are always dynamic?”

As the Pentagon becomes more dependent on software-based capabilities, leaders have looked to pivot away from traditional ATO frameworks encumbered by lengthy administrative processes and manual paperwork that can stifle modernization. Some organizations have begun exploring continuous authority to operate (cATO) methods, which use automated monitoring and security controls to approve software without need for reauthorization.

Instead, SWIFT will do a third-party assessment of companies’ cybersecurity postures based on 12 risk characteristics. Vendors will also be required to provide a software bill of materials (SBOM) “from production and sandbox” that is certified by a third party, Arrington said. 

“I have AI on the backside — large language modeling — that will determine if there are any anomalies, if there’s something in your source code that’s bad. If not, you get a provisional ATO,” she said.

Arrington added that SWIFT will allow the department to pivot away from the current RMF, a structured set of guidelines used to identify and manage potential cybersecurity risks on networks. For more than a decade, the framework has guided the Pentagon’s acquisition process for all of its systems — from development to sustainment.

“I’m blowing up the RMF. The RMF is archaic, it’s a bunch of paperwork,” Arrington said. She added that in the next year, she hopes that ATOs are “something I never hear about again.”

SWIFT comes as Secretary of Defense Pete Hegseth is pushing the entire department to speed up procurement and delivery of digital and software-based capabilities. In March, Hegseth issued a memo that calls on Pentagon leaders to use innovative acquisition authorities — from the Software Acquisition Policy to commercial solutions openings — to rapidly buy software.

“We need more innovation. The [secretary of defense] has told us, bring software, bring [commercial-off-the-shelf] into the building faster, at a more rapid rate,” Arrington said. “And our job is to ensure that we are doing the best to ensure that we have lethality, that we’re ready and that we’re efficient.”

When the program launches, Arrington said she plans to bring together all of the department’s CIOs, chief information security officers, the acquisition and sustainment directorate and other stakeholders at the Pentagon. In the near future, the department plans to release a request for information (RFI) to gather industry input.

Hegseth issues new directive to rein in Pentagon spending on IT services contracts
https://defensescoop.com/2025/04/11/hegseth-memo-dod-it-services-consulting-contracts-doge/
Fri, 11 Apr 2025 08:00:54 +0000
Secretary of Defense Pete Hegseth signed a memo Thursday to promote the “rationalization” of the Defense Department’s IT enterprise.

Secretary of Defense Pete Hegseth signed a memo Thursday ordering the termination of several IT services contracts and directing the Pentagon’s chief information officer to draw up plans for in-sourcing, among other measures.

The aim is to “cut wasteful spending” and “support the continued rationalization” of the Defense Department’s IT enterprise, Hegseth wrote.

The move comes amid a broader push by the Trump administration to implement Department of Government Efficiency (DOGE) initiatives across federal agencies.

Hegseth’s new memo to senior Pentagon leadership ordered the termination of contracts affecting a variety of DOD components, including a Defense Health Agency contract for consulting services; an Air Force contract to re-sell third party enterprise cloud IT services; a Navy contract for business process consulting services; and a Defense Advanced Research Projects Agency (DARPA) contract for IT helpdesk services.

In a video released on social media touting these DOGE-related efforts, Hegseth estimated that those contract terminations would save the Pentagon approximately $1.8 billion, $1.4 billion, $500 million and $500 million, respectively.

“These contracts represent non-essential spending on third party consultants to perform services more efficiently performed by the highly skilled members of our DoD workforce using existing resources,” he wrote in the memo.

Hegseth also tasked the Pentagon CIO to work with the DOGE team to produce a plan within 30 days for how DOD will in-source IT consulting and management services to the department’s civilian workforce.

The new call for in-sourcing comes as Pentagon leaders are advancing efforts to make major cuts to the civilian workforce. Hegseth has said he wants to reinvest savings from employee reductions into higher-priority warfighting capabilities.

The plan from the CIO that Hegseth ordered in Thursday’s memo must also address how the Defense Department will negotiate “most favorable rates on software and cloud services, so the DoD pays no more for IT services than any other enterprise in America,” the SecDef wrote.

The memo also tasks the chief information officer to complete an audit of Pentagon software licensing by April 18. The purpose of the audit is “to ensure we are only paying for the licenses we actually use, the features we actually need, at the most favorable rates,” according to Hegseth.

Katie Arrington is currently performing the duties of DOD CIO.

Earlier this week at the Sea-Air-Space conference, Navy Chief Information Officer Jane Rathbun said DOGE and the DOD CIO were reviewing the service’s software enterprise.

“It’s all about making the right investments in modernizing, but modernizing with an eye towards effectiveness and efficiency. We’ve got this new administration. We’ve got the DOGE in working with us, and they’re focused on effective consumption of commercial software. Are we doing the best job we can deliver in buying and utilizing the software that we have?” she said.

The Navy is a huge purchaser of software licenses, Rathbun noted.

“It’s a big number. And so are we buying effectively? Are we utilizing the things that we’re buying effectively? There’s always opportunity for improvement. And I would say that’s an area in my portfolio that I want to focus on but have not a lot of people to do that, which is something that has always bothered me and I want to be doing better at is really this optimization concept. I’ve got to continuously modernize but I have to do it in an optimal way,” she said.

Pentagon CIO calls for more offensive cyber capability
https://defensescoop.com/2025/03/20/katie-arrington-dod-cio-offensive-cyber-capability/
Thu, 20 Mar 2025 16:33:31 +0000
Katie Arrington said her role is to help alleviate policies that are hindering DOD personnel from countering adversaries.

The status quo will no longer be accepted as the Trump administration moves to combat adversaries in the digital world, the Defense Department’s acting chief information officer said Thursday.

“We are at war in a non-kinetic sense … You have a president, what the message has been very clearly is the way we’ve been doing things isn’t working. It’s broken. This is your time. Come out of your shells. The art of the possible is before you now,” Katie Arrington said at the DOD Cyber Workforce Summit. “You have time to say this regulation, this policy, has been handcuffing you from doing what is needed and necessary to protect the United States … Our adversaries are not waiting for us to pass a new policy.”

Arrington — who was selected as the Pentagon’s chief information security officer, reprising that role from the first Trump administration, and is now serving as the acting DOD CIO — warned that not only have many Americans become complacent about cybersecurity, but adversaries know U.S. networks and will exploit them.

“Is our adversary going to turn the power off before they launch a kinetic attack? Yes. Where have we seen this time and time again? When are we going to learn? This is the time, folks. This is your moment to lean in, to take risks,” she said. “We have to do better. We have to start thinking like they do … Our adversaries know our architecture. Our adversaries know how we do business. Why? Because we’re a fully transparent government.”

More offensive capabilities are needed to combat these threats, she said.

Several Trump administration officials have articulated the need for more offensive capability in cyberspace to hit back against adversaries and deter undesirable behavior, namely Chinese activity that has targeted critical infrastructure and telecommunications firms.

Arrington said her role is to help alleviate policies that are hindering DOD personnel from countering foes.

“We’re fighting a war right now one-handed. My job, and the role that I’m in is [to] give you both your hands, because you need them. Policies are in place, and yes, we need to modify some. We need more offensive capability,” she said. “If a regulation or a policy is impeding you doing your job, say something. This is an opportunity to change this … but you need to communicate upward what the challenges are, because otherwise the status quo will remain. That is something that, to me, is simple. We have these things all over airports, ‘see something, say something.’ If there’s a policy or requirement, something that’s impeding you, let’s figure out how to get it out of the way to help you do [your] job, which is to defend the greatest country this planet has ever known.”

Katie Arrington named acting Pentagon CIO
https://defensescoop.com/2025/03/03/katie-arrington-appointed-dod-cio-acting/
Mon, 03 Mar 2025 23:40:22 +0000
Katie Arrington was announced Monday as the Pentagon’s official “Performing the Duties of the Department of Defense Chief Information Officer.”

Mere weeks after being named the chief information security officer for the Defense Department, Katie Arrington was announced Monday as the Pentagon’s official “Performing the Duties of the Department of Defense Chief Information Officer.”

The DOD Office of the CIO announced the move by Secretary of Defense Pete Hegseth to place Arrington as the acting CIO in a post on LinkedIn. The post also confirmed that Leslie Beavers, who had been acting CIO since John Sherman left the role last June, will return to her primary role as principal deputy CIO.

“In this capacity, Ms. Arrington serves as the primary advisor to the Secretary of Defense for information management/Information Technology (IT); information assurance, as well as non-intelligence space systems; critical satellite communications, navigation, and timing programs; spectrum; and telecommunications,” per the LinkedIn post.

A defense official confirmed Arrington started in the role Monday.

The Pentagon CIO is a presidentially appointed role that requires Senate confirmation. It’s unclear if the Trump administration plans to nominate Arrington to the role, and the defense official did not comment when asked about the possibility.

Arrington returned to the Pentagon as CISO on Feb. 18. During the first Trump administration, she served as chief information security officer for the department’s acquisition and sustainment directorate and was regarded as a key architect of the department’s Cybersecurity Maturity Model Certification program, which aims to improve the cybersecurity posture of the defense industrial base and contractors by requiring minimum cyber standards to win contracts.

The final rule for the CMMC program went into effect last December.

Arrington is also known for her political career, running for Congress as a representative for South Carolina’s 1st District in 2018 as a Republican, during which she earned President Donald Trump’s endorsement. However, she lost that race to Democratic nominee Joe Cunningham.

Her tenure during the Trump administration was also marked with controversy. In 2021, Arrington was placed on leave in connection with an alleged unauthorized disclosure of classified information from a military intelligence agency and her security clearance was suspended. She eventually settled a lawsuit over the matter against the DOD in 2022 before announcing another bid for Congress that year.

The controversy surrounding her security clearance became a key discussion point in her run for the House, and she lost the Republican primary to Nancy Mace, who was ultimately elected into office.
