Back to Control Explorer
RM.5.155
Content
Control Acronym
RM
Family
Risk Management
CMMC Level
5
800-171 Control #
N/A
CMMC Description
Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
CMMC Clarification
Organizations should perform regular assessments of their cybersecurity capability to include the effectiveness of the security controls in light of current threat intelligence. These assessments go beyond identifying misconfigurations and vulnerabilities to assessing the intended capability against newly acquired threat intelligence to determine if the expected effectiveness against the threat is still being achieved. Such an assessment could identify shortcomings in the intended cybersecurity capability that the adversary could take advantage of resulting in risks to the organization These assessments of the security solutions will help identify necessary changes in the design, architecture, and configuration of the solutions. These changes should be rolled into standard operating procedure timeframes and based on criticality of the findings. Example 1 Your organization built a new service this year that will prevent users from browsing the internet directly. The new solution allows users to have indirect internet and allows downloaded content after a scrubbing and analysis process. During an assessment it was identified that this solution is working properly, except that all PDF files can be downloaded without being scrubbed and sent directly to the users’ machines. This finding leads the team to look at the configuration of the solution and identify that a misconfiguration has been put in place. The team makes this finding a high priority and immediately put in a change request to the team that manages the solution. The assessment team works with the configuration team and verifies the change is put in place and PDFs are no longer downloaded without being analyzed. Example 2 Your organization has end point protection on each enterprise user system. This solution helps monitor for malicious commands being run on the solution. During an assessment it is found that if a user attempts to run a music application that is already whitelisted, the end point monitoring solution fails. This causes an endpoint to lack the extra protection and monitoring desired by the organization. Upon further analysis, it is identified the endpoints failing required a driver update to fix the problem. This problem was fixed and the endpoints no longer suffer from this issue.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
DRAFT NIST SP 800-171B Since sophisticated threats such as the APT are constantly changing, the threat awareness and risk assessment of the organization is dynamic, continuous and informs the actual system operations, the security requirements for the system, and the security solutions employed to meet those requirements. Threat intelligence (i.e., threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes) is infused into risk assessment processes and information security operations of the organization to identify any changes required to address the dynamic threat environment. NIST SP 800-30 provides guidance on risk assessments.
CIS Control References
NIST 800-53 Control Ref.
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
CERT RMM Reference
CERT RMM v1.2 RISK:SG6.SP1
Modification of NIST 800-171B Reference
CMMC modification of Draft NIST SP 800-171B 3.11.5e