CMMC v2.11 Practices

RA.L3-3.11.1e  

Reference: CMMC v2.11

Family: RA

Level Introduced: 3

Title: Threat-Informed Risk Assessment

Practice:
Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

Further Discussion:
An organization consumes threat intelligence and improves its security posture based on the intelligence relevant to that organization and/or its system(s). The organization can obtain threat intelligence from open or commercial sources but must also use any DoD-provided sources. Threat information can arrive in high volumes from various providers and must be processed and analyzed by the organization. It is the responsibility of the organization to process the threat information in a manner that is useful and actionable for its needs. Processing, analyzing, and extracting the intelligence from the threat feeds and applying it to all organizational security engineering needs is the primary benefit of this requirement. Note that more than one source is required to meet the assessment objectives.

Example
Your organization receives a commercial threat intelligence feed from FIRST and government threat intelligence feeds from both USCERT and DoD/DC3 to help learn about recent threats and any additional information the threat feeds provide [b,c,d,e,f]. Your organization uses the threat intelligence for multiple purposes:
• To perform up-to-date risk assessments for the organization [a];
• To add rules to the automated system put in place to identify threats (indicators of compromise, or IOCs) on the organization’s network [e];
• To guide the organization in making informed selections of security solutions [c];
• To shape the way the organization performs system monitoring activities [d];
• To manage the escalation process for identified incidents, handling specific events, and performing recovery actions [f];
• To provide additional information to the hunt team to identify threat activities [e];
• To inform the development and design decisions for organizational systems and the overall security architecture, as well as the network architecture [b,c];
• To assist in decision-making regarding systems that are part of the primary network and systems that are placed in special enclaves for additional protections [b]; and
• To determine additional security measures based on current threat activities taking place in similar industry networks [c,d,e,f].

Potential Assessment Considerations
• Does the organization detail how threat feed information is to be ingested, analyzed, and used [a]?
• Can the organization’s SOC or hunt teams discuss how they use the threat feed information after it is processed [e,f]?


Source: CMMC v2.11