Press Coverage
Chetrice Romero Featured in SecurityWeek: “Industry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday”
Ice Miller senior cybersecurity advisor Chetrice Romero was featured in the SecurityWeek article, “Industry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday.”
The article included:
“As the Department of War continues implementing the Cybersecurity Maturity Model Certification (CMMC), much of the conversation has centered on assessment requirements, technical controls, and certification timelines. Those are certainly important. But the organizations that will be most successful are the ones that recognize CMMC is not simply another compliance exercise. At its core, CMMC is about building organizational resilience. Many of the required practices, from incident response planning and testing to workforce training and recovery planning, are capabilities every organization should already be investing in regardless of regulation. As emerging technologies like artificial intelligence continue to accelerate both innovation and cyber threats, resilience has become a business imperative, not just a compliance requirement.
For organizations just beginning their CMMC journey, my advice is simple: don’t start with the controls. Start with your business. Understand where your Controlled Unclassified Information (CUI) resides, how your organization operates, what your greatest risks are, and where you stand today. From there, build a strategic roadmap that prioritizes the highest risks and aligns compliance efforts with business operations. Organizations that take the time to develop a thoughtful strategy almost always reach certification more efficiently, with less disruption, and with a stronger security posture than those rushing to implement disconnected requirements simply to “check the box.”
[While] many organizations understandably view CMMC as a technology initiative, I believe its long-term success depends far more on people than products. Policies only matter if they are understood and followed. Incident response plans only matter if they have been exercised. Security awareness training only matters if it changes behavior. Technology is an essential enabler, but resilience is built through leadership, culture, preparation, and practice. Organizations that embrace CMMC as an opportunity to strengthen those fundamentals will discover that compliance is simply the byproduct of becoming a more resilient organization, one that is better prepared for whatever challenge comes next.”
