RA.L3-3.11.1e

  • Requirement

    Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

  • Discussion

    The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.

    [NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides guidance on the risk management process. [NIST SP 800-160-1] provides guidance on security architectures and systems security engineering. [NIST SP 800-150] provides guidance on cyber threat information sharing.

More Info

  • Title

    Threat-Informed Risk Assessment

  • Domain

    Risk Assessment

  • CMMC Level

    3

  • Further Discussion

    An organization consumes threat intelligence and improves their security posture based on the intelligence relevant to that organization and/or a system(s). The organization can obtain threat intelligence from open or commercial sources but must also use any DoD provided sources. Threat information can be received in high volumes from various providers and must be processed and analyzed by the organization. It is the responsibility of the organization to process the threat information in a manner that is useful and actionable to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds and applying it to all organizational security engineering needs is the primary benefit of this requirement. Note that more than one source is required to meet assessment objectives.

    Example

    Your organization receives a commercial threat intelligence feed from FIRST and government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about recent threats and any additional information the threat feeds provide [b,c,d,e,f]. Your organization uses the threat intelligence for multiple purposes:

    • To perform up-to-date risk assessments for the organization [a];
    • To add rules to the automated system put in place to identify threats (indicators of compromise, or IOCs) on the organization’s network [e];
    • To guide the organization in making informed selections of security solutions [c];
    • To shape the way the organization performs system monitoring activities [d];
    • To manage the escalation process for identified incidents, handling specific events, and performing recovery actions [f];
    • To provide additional information to the hunt team to identify threat activities [e];
    • To inform the development and design decisions for organizational systems and the overall security architecture, as well as the network architecture [b,c];
    • To assist in decision-making regarding systems that are part of the primary network and systems that are placed in special enclaves for additional protections [b]; and
    • To determine additional security measures based on current threat activities taking place in similar industry networks [c,d,e,f].

    Potential Assessment Considerations

    • Does the organization detail how threat feed information is to be ingested, analyzed, and used [a]?
    • Can the organization’s SOC or hunt teams discuss how they use the threat feed information after it is processed [e,f]?

NIST 800-172A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!

Learn More