CMMC Practice RM.5.155: Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Organizations should perform regular assessments of their cybersecurity capability, including the effectiveness of the security controls in light of current threat intelligence. These assessments go beyond identifying misconfigurations and vulnerabilities: they assess the intended capability against newly acquired threat intelligence to determine whether the expected effectiveness against the threat is still being achieved. Such an assessment could identify shortcomings in the intended cybersecurity capability that an adversary could take advantage of, resulting in risks to the organization. These assessments of the security solutions will help identify necessary changes in the design, architecture, and configuration of the solutions. These changes should be rolled into standard operating procedure timeframes, prioritized according to the criticality of the findings.