CMMC Requirement RA.L3-3.11.1E – Threat-Informed Risk Assessment: Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Links to Publicly Available Resources – Coming Soon
As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, CISA has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence, and incident response services.
This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization’s overall cybersecurity practices.
This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system’s purpose, type, scope, size, complexity, or the stage of its system life cycle.
This NIST Special Publication provides guidance for conducting risk assessments.
The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
The NSA Cybersecurity Collaboration Center (CCC) is how NSA scales intel-driven cybersecurity through open, collaborative partnerships. The CCC works with industry, interagency, and international partners to harden the U.S. Defense Industrial Base, operationalize NSA’s unique insights on nation-state cyber threats, jointly create mitigations guidance for emerging activity and chronic cybersecurity challenges, and secure emerging technologies.
ZeroFox is on a mission to create a safer digital world. Using diverse data sources and artificial intelligence-based analysis, the ZeroFox Platform identifies and remediates targeted phishing attacks, credential compromise, data exfiltration, brand hijacking, executive and location threats and more.
The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
[NIST SP 800-30] provides guidance on risk assessments. [NIST SP 800-39] provides guidance on the risk management process. [NIST SP 800-160-1] provides guidance on security architectures and systems security engineering. [NIST SP 800-150] provides guidance on cyber threat information sharing.
Further Discussion
An organization consumes threat intelligence and improves its security posture based on the intelligence relevant to that organization and/or its system(s). The organization can obtain threat intelligence from open or commercial sources but must also use any DoD-provided sources. Threat information can be received in high volumes from various providers and must be processed and analyzed by the organization. It is the organization's responsibility to process the threat information in a manner that is useful and actionable for its needs. Processing, analyzing, and extracting the intelligence from the threat feeds and applying it to all organizational security engineering needs is the primary benefit of this requirement. Note that more than one source is required to meet assessment objectives.
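The following is an added illustration, not part of the CMMC guidance or any vendor's tooling, of what "processing and analyzing" feeds from more than one source can look like in practice: indicators from an open, a commercial, and a DoD-provided feed are merged with source attribution, the requirement's source-coverage rule (more than one source, at least one open or commercial, and any DoD-provided source) is checked, and the merged set is applied to monitoring data to produce a corroboration-ranked list that can feed a risk assessment or threat hunt. All feed names, indicator values (documentation IP ranges and .test domains), confidence scores, and log lines are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Indicator:
    """One normalized indicator with every source that reported it."""
    ioc_type: str                 # "ipv4" or "domain"
    value: str                    # normalized (lower-cased) value
    confidence: int               # highest confidence any source assigned, 0-100
    sources: set = field(default_factory=set)

# Constructed sample feeds (hypothetical names; placeholder indicators).
# Each feed is (source name, source category, rows of (ioc_type, value, confidence)).
FEEDS = [
    ("open-feed-example", "open", [
        ("ipv4", "203.0.113.10", 60),
        ("domain", "malicious-example.test", 70),
    ]),
    ("commercial-feed-example", "commercial", [
        ("ipv4", "203.0.113.10", 85),
        ("ipv4", "198.51.100.7", 40),
    ]),
    ("dod-provided-example", "dod", [
        ("domain", "MALICIOUS-EXAMPLE.TEST", 90),   # mixed case: normalized on merge
        ("ipv4", "198.51.100.7", 75),
    ]),
]

# Constructed proxy log lines used as the monitoring data the intelligence is applied to.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.10 host=updates.example.test",
    "2024-05-01T10:00:02Z proxy src=10.0.0.6 dst=192.0.2.44 host=malicious-example.test",
    "2024-05-01T10:00:03Z proxy src=10.0.0.7 dst=192.0.2.45 host=intranet.example.test",
]

def merge_feeds(feeds):
    """Deduplicate indicators across feeds, keeping the max confidence and every reporting source."""
    merged = {}
    for name, _category, rows in feeds:
        for ioc_type, value, confidence in rows:
            key = (ioc_type, value.lower())
            ind = merged.get(key)
            if ind is None:
                ind = Indicator(ioc_type, value.lower(), confidence)
                merged[key] = ind
            ind.confidence = max(ind.confidence, confidence)
            ind.sources.add(name)
    return merged

def source_coverage_ok(feeds, dod_source_available=True):
    """Source-coverage check from the requirement text: more than one source,
    at least one open or commercial source, and the DoD-provided source when one exists."""
    categories = {category for _, category, _ in feeds}
    if len(feeds) < 2 or not (categories & {"open", "commercial"}):
        return False
    return (not dod_source_available) or ("dod" in categories)

IP_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
HOST_RE = re.compile(r"\bhost=(\S+)")

def match_logs(indicators, lines):
    """Apply merged indicators to log lines; returns (line, Indicator) pairs."""
    hits = []
    for line in lines:
        for regex, ioc_type in ((IP_RE, "ipv4"), (HOST_RE, "domain")):
            m = regex.search(line)
            if m:
                ind = indicators.get((ioc_type, m.group(1).lower()))
                if ind is not None:
                    hits.append((line, ind))
    return hits

def prioritize(hits):
    """Rank hits for the risk assessment: corroboration (source count) first, then confidence."""
    return sorted(hits, key=lambda h: (len(h[1].sources), h[1].confidence), reverse=True)

if __name__ == "__main__":
    merged = merge_feeds(FEEDS)
    print("source coverage ok:", source_coverage_ok(FEEDS))
    for line, ind in prioritize(match_logs(merged, LOG_LINES)):
        print(f"{ind.ioc_type}={ind.value} conf={ind.confidence} "
              f"sources={sorted(ind.sources)} :: {line}")
```

The ranking keeps a hit seen by two independent feeds above a single-feed hit of similar confidence, which is the practical payoff of the "more than one source" note: corroboration across sources is what turns raw feed volume into something an assessor or hunter can act on.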