RM.4.150 Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

CMMC Practice RM.4.150: Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Threat intelligence (see RM.4.149 and SA.3.169) provides an organization with a better understanding of adversaries and their TTPs. This understanding helps an organization plan, design, architect, and integrate solutions in a manner that will help thwart adversary activities. This understanding should be used to design the enterprise architecture as well as the endpoint monitoring capabilities and to plan threat hunting actions. Threat intelligence can be very valuable when an organization is building its defensive playbook. Having defensive response and recovery actions planned before an attack takes place is key to efficient and timely defensive cyber operations.

Practice IR.4.100 requires a similar use of adversary knowledge for incident response and execution.