Your Risk Belongs to You. Own it.
This past Thursday, I attended the North Texas ISSA Lunch and Learn. The speakers— Curtis Simpson, Julio Casablanca M.Sc., CISSP, CCISO, and Miguel Clarke—delivered sharp insights on operationalizing security in the real world. Each of them brought a unique lens. But Julio Casablanca’s remarks about risk ownership really stuck with me, and I have been thinking about how they relate to the CMMC program.
Julio said that, while threat intelligence is beneficial, looking at threat intelligence without context renders it simply a “vulnerability” – not something that is actionable.
There’s so much to unpack in that single thought.
In the security world, we’re inundated with data: vulnerability reports, threat feeds, vendor alerts, industry advisories. But the real question is—what do we do with all of it? If we’re not operationalizing threat intelligence in a way that connects to our specific systems, our business operations, and our mission goals, we’re simply collecting vulnerabilities. And that alone isn’t enough.
Understanding context is crucial. A vulnerability may well be exploitable. But how much would its exploitation actually affect our organization, or our ability to safeguard sensitive information?
· What are the benefits if we address a vulnerability?
· What are the consequences if we don’t?
This is exactly the kind of thinking that’s missing in many organizations—especially when they treat vulnerability management and risk assessment as checkbox activities.
Julio’s core point was that context determines priority. You could have a critical CVSS 10 vulnerability, but if it doesn’t affect your systems, doesn’t touch your data, and doesn’t influence your mission, should it be your highest priority? Or should you be more concerned about a lower-rated vulnerability that directly threatens your operations?
That’s the real value of operationalized threat intelligence: understanding not just the existence of a vulnerability, but its relevance to your environment.
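To make the point concrete, here is a small context-aware prioritizer, added here as an illustration and not code from the post, the speakers, or any CMMC tool. It combines a finding’s CVSS score with what only the organization knows: whether the affected product is actually deployed, how mission-critical the asset is, whether it handles CUI, and whether it is internet-exposed. The asset inventory, the CVE identifiers (placeholders, not real advisories), and the weights are all constructed assumptions; the point is the shape of the reasoning, not the specific numbers.

```python
"""Context-aware vulnerability prioritization (added illustration).

Not the post author's or any vendor's code. Inventory, findings,
CVE ids and weights are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    software: set[str]      # installed product identifiers
    criticality: float      # 0.0-1.0, mission impact if lost (OSC judgment)
    handles_cui: bool       # stores, processes or transmits CUI
    internet_exposed: bool


@dataclass
class Finding:
    cve: str
    product: str            # product the advisory applies to
    cvss: float             # 0.0-10.0 base score from the feed


def contextual_score(finding: Finding, assets: list[Asset]) -> float:
    """Score a finding by its relevance to *this* environment.

    Returns 0.0 when no asset runs the affected product: the advisory is
    information, not a risk to us. Otherwise returns the highest per-asset
    score: CVSS scaled by the asset's mission criticality, with multipliers
    for CUI handling (x1.5) and internet exposure (x1.2). The multipliers
    are illustrative assumptions, not a standard.
    """
    best = 0.0
    for asset in assets:
        if finding.product not in asset.software:
            continue                      # advisory does not apply here
        score = finding.cvss * asset.criticality
        if asset.handles_cui:
            score *= 1.5
        if asset.internet_exposed:
            score *= 1.2
        best = max(best, score)
    return round(best, 2)


def prioritize(findings: list[Finding], assets: list[Asset]):
    """Return (finding, score) pairs, highest contextual score first,
    dropping findings that apply to nothing in the inventory."""
    scored = [(f, contextual_score(f, assets)) for f in findings]
    applicable = [(f, s) for f, s in scored if s > 0]
    return sorted(applicable, key=lambda fs: fs[1], reverse=True)


# Constructed inventory: what the OSC knows about its own environment.
ASSETS = [
    Asset("cui-file-server", {"example-nas-os"}, 0.8, True, False),
    Asset("public-web", {"example-webapp"}, 0.6, False, True),
    Asset("lab-printer", {"example-printer-fw"}, 0.1, False, False),
]

# Constructed feed: CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", "example-hypervisor", 10.0),  # not deployed here
    Finding("CVE-0000-0002", "example-nas-os", 6.5),       # on the CUI server
    Finding("CVE-0000-0003", "example-webapp", 7.5),       # internet-facing
    Finding("CVE-0000-0004", "example-printer-fw", 9.8),   # low-value asset
]

if __name__ == "__main__":
    for finding, score in prioritize(FINDINGS, ASSETS):
        print(f"{finding.cve}  cvss={finding.cvss:<4}  context={score}")
```

Run as-is, the CVSS 10 hypervisor finding disappears from the list because nothing in the inventory runs that product, the CVSS 9.8 printer finding lands at the bottom, and the CVSS 6.5 finding on the CUI file server comes out on top. None of those outcomes are visible in the feed alone; they come from the criticality and CUI flags that only the organization can set.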
This Ties Directly to CMMC Control RA.L2-3.11.1
This brings me to a control that I work with often, both in CMMC implementation engagements and in formal CMMC assessments (it is the CMMC practice identifier for NIST SP 800-171 requirement 3.11.1):
RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
This is not about compliance for compliance’s sake. And note that it goes far beyond running a “pen test.” It is about understanding your environment, the threats against it, and the real-world consequences of action or inaction.
And here’s the part that is crucial to understand:
You can’t outsource this.
We’ve entered a phase in CMMC where there is a strong temptation to outsource as much as possible. Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), third-party auditors, GRC tools like SMPL-C and FutureFeed… They all promise to take work off your plate.
But when it comes to risk assessment, only the Organization Seeking Certification (OSC) can make the critical judgment calls. Because only the OSC understands:
- What systems are truly critical to its mission
- What impact downtime would have
- How much data loss is tolerable
- What regulatory exposure its contracts create
- What its business priorities really are
A third party can run scans. They can point out vulnerabilities. They might even help patch them. But they cannot determine your risk tolerance. That’s on you.
Julio’s words hit this point exactly:
“It would be more beneficial for decision-makers if we present an assessment of the costs involved in taking action, as nothing in security comes without cost. By providing decision-makers with the cost implications of their choices, we empower them to make well-informed decisions based on the risks involved.”
This is the very heart of RA.L2-3.11.1. It’s not about identifying every threat—it’s about giving leaders a risk-informed basis to make decisions. And that means someone inside your organization has to own the process.
Final Thoughts
CMMC may feel like just another compliance hurdle. But controls like RA.L2-3.11.1 actually move the needle in meaningful ways.
They force organizations to move beyond tools and checklists—to ask the harder questions:
- What are we actually protecting?
- Who are we protecting it from?
- What would happen if we failed?
Julio Casablanca reminded us that security isn’t just about having the right data—it’s about using it in the right way, in the right context, to inform the right decisions. You can’t outsource that. And you shouldn’t try.
Because when you truly own your risk, you begin to own your resilience, too.
If you’re working toward CMMC Level 2, or just trying to mature your risk management program, this is the mindset shift that will make the difference.
Let’s stop collecting vulnerabilities and start building understanding.