CMMC Requirement RA.L3-3.11.1E – Threat-Informed Risk Assessment: Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Links to Publicly Available Resources – Coming Soon
This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization’s overall cybersecurity practices. This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system’s purpose, type, scope, size, complexity, or the stage of its system life cycle. This NIST Special Publication provides guidance for conducting risk assessments. The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
[NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides guidance on the risk management process. [NIST SP 800-160-1] provides guidance on security architectures and systems security engineering. [NIST SP 800-150] provides guidance on cyber threat information sharing.
Further Discussion
An organization consumes threat intelligence and improves their security posture based on the intelligence relevant to that organization and/or a system(s). The organization can obtain threat intelligence from open or commercial sources but must also use any DoD-provided sources. Threat information can be received in high volumes from various providers and must be processed and analyzed by the organization. It is the responsibility of the organization to process the threat information in a manner that is useful and actionable to their needs. Processing, analyzing, and extracting the intelligence from the threat feeds and applying it to all organizational security engineering needs is the primary benefit of this requirement. Note that more than one source is required to meet assessment objectives.