The federal government will move to settle its case with Katie Arrington, a Department of Defense procurement and cybersecurity official who was accused of leaking classified information.
In a joint status update filed Jan. 29, the two sides asked a D.C. District Court judge to dismiss a lawsuit that was filed against the Department of Defense and National Security Agency "with prejudice pursuant to the parties' settlement agreement executed in connection with this matter."
The settlement was telegraphed for weeks in previous court documents, and one of Arrington’s lawyers, Mark Zaid, told SC Media earlier this month that the settlement would resolve the litigation but not the underlying dispute and that they are “continuing through the administrative process to challenge the proposed revocation.”
On Monday, Zaid told SC Media that the settlement will give them access to information around an incident that led the NSA to suspend Arrington's security clearance and place her on administrative leave last year.
"As a result of the litigation, Arrington was able to obtain additional crucial information that was necessary in order to respond to the Defense Department's initiation to revoke her security clearance," he said in an email to SC Media. "We are currently continuing with her appeal and believe the evidence clearly demonstrates that no security violation ever occurred. We hope that this matter will be completely favorably resolved within a few months."
As the chief information security officer for acquisition and sustainment at DoD, Arrington managed the Cybersecurity Maturity Model Certification (CMMC) program, an initiative stood up during the Trump administration to better measure the cybersecurity compliance of defense contractors. She was abruptly placed on administrative leave in May 2021 and told in a letter by the NSA that her security clearance was being pulled “as a result of a reported Unauthorized Disclosure of Classified Information and subsequent removal of access.”
Arrington’s lawyers said they brought the lawsuit after the government repeatedly refused to share basic information about the circumstances that led to Arrington’s punishment. The lawsuit pressed for details regarding the nature of the incident that led to the revocation, what information she is alleged to have passed on, to whom and when.
Zaid, a veteran lawyer who has worked on government and federal cases for decades, repeatedly told DoD and NSA in emails submitted to the court that without this information, it was effectively impossible for Arrington to mount a substantive defense or clear her name. In those emails he also claimed that refusing to offer such information violated DoD’s own policies and procedures and that he holds an active top-secret clearance that would allow him access to such information about his client. Arrington's job requires a security clearance, and her lawyers have argued that revoking her clearance would be tantamount to firing her.
In communications with Arrington, DoD officials said the incident had been referred for criminal investigation, but documents submitted in court show that the Air Force Office of Special Investigations reviewed the incident at the center of the dispute and concluded that it “could not identify any nefarious intent which would warrant a criminal or counterintelligence investigation at this time.” Her lawyers have also claimed that the decision was politically motivated and “designed to interfere with the cybersecurity activities that [Arrington] was running through DOD, which NSA did not support.”
In 2018, Arrington ran for Congress as a Republican candidate in South Carolina, losing a close race to Democrat Joe Cunningham in South Carolina's 1st Congressional District. She was hired to her post at DoD during the Trump administration and was initially the face of CMMC, as the Department of Defense sought to better ensure contractors were following cybersecurity standards designed to protect sensitive, but unclassified, information about their technologies and military programs.
Such standards have always been spelled out in law and federal contracts, but for years companies have been allowed to self-certify that they were being implemented. Compliance experts have told SC Media that it is an “open secret...that nobody’s implementing these controls” and the U.S. defense industrial base has hemorrhaged data around military weapons and systems as it has come under relentless assault from cyberespionage groups tied to the Chinese and Russian governments.
Under Arrington, the DoD initially envisioned a new system that would go active in 2021 and compel all companies seeking to do business with the military to be assessed by independent third-party auditors to ensure their systems and data were being protected in line with federal requirements. After she was placed on leave, management of CMMC fell to Jesse Salazar, deputy assistant secretary of defense for industrial policy, and contractors expressed widespread confusion and frustration as DoD went quiet for months.
Last November, the Pentagon announced a new framework that would only require third-party cybersecurity audits for companies that handle controlled unclassified information and other sensitive data, while allowing everyone else to continue self-certification.