Top Pentagon cyber official probed over disclosure concerns

The National Security Agency gathers some of the nation's most sensitive signals and eavesdropping intelligence from foreign adversaries. PHOTO: REUTERS

WASHINGTON (BLOOMBERG) - The Pentagon official who has been overseeing its new cyber-security initiative for defence contractors has been placed on leave in connection with a suspected unauthorised disclosure of classified information from a military intelligence agency, according to an official document.

Ms Katie Arrington, chief information security officer for the Pentagon's acquisition and sustainment office, was informed May 11 that "her security clearance for access to classified information is being suspended" as "a result of a reported Unauthorised Disclosure of Classified Information and subsequent removal of access by the National Security Agency," according to a memo made available to Bloomberg News.

The National Security Agency, which is part of the Defence Department, gathers some of the nation's most sensitive signals and eavesdropping intelligence from foreign adversaries, mostly via satellite.

"If this preliminary decision becomes final, you will not be eligible for access to classified information" or "assignments to duties that have been designated national security sensitive," the memo from the Office of the Under Secretary of Defence for Acquisition and Sustainment said.

The memo to Ms Arrington provided no details about the possible disclosure of information. Pentagon acquisition spokesperson Jessica Maxwell said the department can't comment on any questions about Ms Arrington's status.

"Absolutely no decisions have been reached regarding any aspect," Ms Arrington's attorney Mark Zaid said in an email.

He confirmed the content of the memo, saying that "when faced with such programmatic allegations DoD would routinely open an investigation as a matter of course. This is how the system works. Accepting an investigation, however, doesn't prejudge the merits."

Ms Arrington is on administrative leave during the "preliminary investigation," the "specific details of which have not been made known to us," Mr Zaid said.

"She has neither been fired nor had her security clearance revoked," he said. "We look forward to an opportunity to completely clear her name and her return to work."

Ms Arrington is a former two-term Republican state representative from South Carolina who ran an unsuccessful campaign for Congress in 2018 that emphasised her private-sector cyber experience.

She was brought into the Pentagon in 2019 under the category of "Highly Qualified Expert" and later competed for and attained the nonpartisan Senior Executive Service status, Mr Zaid said.

Her official Pentagon biography says she has more than 15 years of cyber experience "through positions at Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. These positions have given her a unique experience of supporting and work with the government at large, small, and non-traditional contracting firms."

A US official familiar with the case said Ms Arrington's politics - as a Republican under a Democratic president - aren't a factor in the investigation, and it's not an attempt to force her from the Pentagon.

The official, who discussed the case on condition of anonymity because of its sensitivity, also said the disclosure investigation isn't connected to Ms Arrington's management of the Pentagon's ambitious Cybersecurity Maturity Model Certification system, or CMMC, which is being slowly implemented as Deputy Defence Secretary Kathleen Hicks reviews the programme inherited from the Trump administration.

In 2019, Ms Arrington took over implementing the programme and attempting to build industry support for its complex certification process. She quickly emerged as a skillful ambassador, speaking at dozens of events to sell the programme to the defence industry, according to Bloomberg Government analyst Chris Cornillie, who has studied the programme.

Under the certification programme, every company in the defence supply chain - as many as 300,000 American companies producing everything from F-35 fighter jets to computer microprocessors to office supplies and plumbing equipment - must undergo a cybersecurity audit performed by a third party about every three years, overseen by an "accreditation board," Mr Cornillie said.

It's "proceeding at a halting pace." The proposed programme "sets the standard for our defence industrial base" and "must be the first step in establishing a framework of safeguards" for industry, Senator Joe Manchin said in an email.

The West Virginia Democrat, who's chairman of the Senate Armed Services Committee's cyber panel, said during a May 19 hearing that Ms Hicks "will be making significant modifications" to the certification process.