Back to Control Explorer
RM.4.150
Content
Control Acronym
RM
Family
Risk Management
CMMC Level
4
800-171 Control #
N/A
CMMC Description
Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
CMMC Clarification
Threat intelligence (See RM.4.149 and SA.3.169) provides for an organization with a better understanding of the adversaries and their TTPs. This understanding helps an organization plan, design, architect, and integrate solutions in a manner that will help thwart adversary activities. This understanding should be used to design the enterprise architecture as well as the endpoint monitoring capabilities and to plan threat hunting actions. Threat intelligence can be very valuable when an organization is building their defensive playbook. Having defensive response and recovery actions planned prior to an attack taking place is key to having efficient and timely defensive cyber operation actions. Practice IR.4.100 requires a similar use of adversary knowledge for incident response and execution. Example 1 Your organization recently started subscribing to a threat feed service to gain valuable intelligence on adversary actions and what is currently happening against other organizations. Based on information gained from this service, your DCO team utilizes the information to hunt for adversary TTPs received from the service every day. This information helps provide up-to-date TTPs, and it also provide the latest adversarial actions taking place across other organizations subscribing to the threat feed, as well. This information is invaluable in molding your architecture towards specific threats as the information is received. Example 2 Your new threat feed has recently sent out information that states a specific action against a specific vendor solution is underway at various organizations similar to your own. This information is passed to your DCO team for hunting operations, and the architecture team utilizes it to make small adjustments to the organizations enterprise architecture that prevents similar tactics from being successful in your environment.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
DRAFT NIST SP 800-171B The constantly changing and increased sophistication of adversaries, especially the advanced persistent threat (APT), makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into and inform each step of the risk management process throughout the system development life cycle. This includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting) and remediation efforts. Support References: • NIST SP 800-30 provides guidance on risk assessments. NIST SP 800-39 provides guidance on the risk management process. NIST SP 800-160-1 provides guidance on security architectures and systems security engineering. NIST SP 800-150 provides guidance on cyber threat information sharing.
CIS Control References
NIST 800-53 Control Ref.
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 ID.RA-2, ID.RA-3
CERT RMM Reference
Modification of NIST 800-171B Reference
NIST 800-171B Reference
Draft NIST SP 800-171B 3.11.1e