RA.L3-3.11.4e  

Reference: CMMC v2.13

Family: RA

Level Introduced: 3

Title: Security Solution Rationale

Practice:
Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

Further Discussion:
The System Security Plan (SSP) is a fundamental component of an organization’s security posture. When solutions for implementing a requirement have differing levels of capabilities associated with their implementation, it is essential that the plan specifically document the rationale for the selected solution and what was acquired for the implementation. This information allows the organization to monitor the environment for threat changes and identify which solutions may no longer be applicable. While not required, it may also be useful to document alternative solutions reviewed and differing levels of risk associated with each alternative, as that information may facilitate future analyses when the threat changes. In addition to the implementations required for Level 2 certification, which may not be risk based, at Level 3, the SSP must carefully document the link between the assessed threat and the risk-based selection of a security solution for the enhanced security requirements (i.e., all CMMC L3 requirements derived from NIST SP 800-172).

Example
You are responsible for information security in your organization. Following CMMC requirement RA.L3-3.11.1e – Threat Informed Risk Assessment, your team uses threat intelligence to complete a risk assessment and make a risk determination for all elements of your enterprise. Based on that view of risk, your team decides that requirement RA.L3-3.11.2e – Threat Hunting is a requirement that is very important in protecting your organization’s use of CUI, and you have determined the solution selected could potentially add risk. You want to detect an adversary as soon as possible when they breach the network before any CUI can be exfiltrated. However, there are multiple threat hunting solutions, and each solution has a different set of features that will provide different success rates in identifying IOCs.

As a result, some solutions increase the risk to the organization by being less capable in detecting and tracking an adversary in your networks. To reduce risk, you evaluate five threat hunting solutions and in each case determine the number of IOCs for which there is a monitoring mechanism. You pick the solution that is cost effective, easy to operate, and optimizes IOC detection for your enterprise; purchase, install, and train SOC personnel on its use; and document the risk-based analysis of alternatives in the SSP. In creating that documentation in the SSP, you follow the guidance found in NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems [a,b,c].

Potential Assessment Considerations
• Has the organization completed a risk assessment and made a risk determinations for enterprise components that need to be protected [c]?
• Can the organization identify what is being protected and explain why specific protection solutions were selected [a,b]?
• Have all the decisions been documented in the SSP [a,b,c]?

Source: CMMC v2.13