Back to Control Explorer



Control Acronym



Incident Response

CMMC Level


800-171 Control #


CMMC Description

Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.

CMMC Clarification

When conducting cyberattacks the attackers (or actors) tend to operate using certain patterns of behavior or exploit capabilities. These patterns and capabilities are known as Tactics, Techniques, and Procedures (TTPs). Knowledge of adversarial TTPs permits an organization to develop the right protective measures and responses to address a potential attack. An organization can build their knowledge of attacker TTPs by participating in Information Sharing and Analysis Centers (ISAC) for their industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Based on the lines of business an organization may consider more than one ISAC. Example You are a manager. Your organization develops cutting edge technology for the aerospace and defense industry. Recent news indicates the industry is facing increased cyberattacks. Several peers share with you that they have experienced these attacks. To better understand the threats, you enroll the organization in the Aviation and National Defense ISACs. As part of the ISACs, you receive reports that help inform your organizational defenses. You attend ISAC meetings where peers share TTPs and best practices. Using what you learned, you conduct open source research on the Internet for additional information about attackers and how they conduct their operations. You use all of this information to improve incident response planning for the organization.

800-171 Description

800-171 Discussion


Other Source Discussion

This practice requires that an organization explicitly consider the attacker’s perspective in implementing the organization’s incident response capability. The information necessary to do so can be from public sources, from government, or from third-party threat intelligence organizations. Specially, it is not the intent of this practice to require an internal, organizational threat intelligence capability. See practice RM.4.149 for the creation of this information.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15