SA.4.173

Control Acronym

SA

Family

Situational Awareness

CMMC Level

4

800-171 Control #

N/A

CMMC Description

Design network and system security capabilities to leverage, integrate, and share indicators of compromise.

CMMC Clarification

Most cyber-defense solutions provide an API (Application Programming Interface) that allows an organization to automate updates to those solutions for IoC blocking, hunting, or other mitigation. Automating the process removes the risk of a human mistyping an entry and greatly reduces the time needed to insert an indicator into the security solution compared to manual entry.

Example 1

Your organization uses a cyber intelligence service. As information comes in, it identifies bad domains that the organization would not want its assets visiting. Once received, the information is pushed to the corporate firewall, proxy server, and DNS services for blocking, reducing the gap between receiving the information and blocking access to the bad domains. This stops users from accessing potentially malicious files hosted on those domains.

Example 2

The organization receives information that a specific attack probe is being launched from a foreign system. The threat report identifies the country codes and IP structure of the attack machines. Your intelligence processing solution collects this information and adds the IP addresses to the block list of your corporate firewall. Within ten minutes of the automated process updating the firewall, you receive logs of attempts against the corporate website. The logs show the attempts, and the details show they were blocked. All of this took place without human intervention and prevented the attack from succeeding.

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

CMMC: Sharing IoCs (Indicators of Compromise) with systems across an enterprise strengthens an organization's ability to thwart adversaries. Designing an organization's security architecture to integrate and share IoCs rapidly increases the likelihood of stopping an attack that is happening at machine speed. Machine-speed attacks happen in real time and use automation to increase the speed at which the attack spreads and performs actions. Effective sharing requires that intelligence services as well as internal resources process IoC information and provide it to the necessary systems so they can act on the information quickly.
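The clarification and the discussion above describe the same pipeline: an intelligence feed arrives, the indicators are processed without a human retyping them, and the result is pushed to enforcement points such as DNS and the firewall. The following added example (not part of this control page or of any vendor's product) shows the processing stage in Python. The JSON-lines feed format, the hostnames, the allowlist suffix and the RPZ zone name are constructed for the example; the feed deliberately contains a mistyped domain, a duplicate in different case, a low-confidence entry and one of the organization's own names, so the guards a practitioner needs before auto-pushing a block (syntax validation, confidence threshold, deduplication, and an allowlist so a bad feed cannot take down internal services) are all exercised.

```python
"""Added example: turn a threat-intel feed into blocklist artifacts for DNS (RPZ)
and firewall enforcement, with validation, an allowlist guard and an audit record.
Feed format, names, zone and allowlist below are constructed for this example."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample feed: one JSON object per line, as an intel service might deliver.
SAMPLE_FEED = """\
{"type": "domain", "value": "malicious-update.example", "confidence": 90}
{"type": "domain", "value": "MALICIOUS-UPDATE.EXAMPLE", "confidence": 90}
{"type": "domain", "value": "bad domain.example", "confidence": 80}
{"type": "domain", "value": "intranet.corp.example", "confidence": 70}
{"type": "ipv4", "value": "203.0.113.0/24", "confidence": 85}
{"type": "ipv4", "value": "198.51.100.7", "confidence": 60}
{"type": "ipv4", "value": "999.1.1.1", "confidence": 95}
"""

# Constructed allowlist: the organization's own names must never reach a block list.
ALLOWLIST_SUFFIXES = (".corp.example",)
MIN_CONFIDENCE = 70

# Hostname label check: letters, digits, hyphens; no spaces, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """Return True only for a syntactically valid, fully qualified hostname."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_feed(text: str):
    """Parse feed lines; return (accepted, rejected). Each rejection keeps its reason for audit."""
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, line, "not JSON"))
            continue
        kind = rec.get("type")
        value = str(rec.get("value", "")).strip().lower()
        conf = rec.get("confidence", 0)
        if not isinstance(conf, (int, float)) or conf < MIN_CONFIDENCE:
            rejected.append((lineno, value, f"confidence {conf} below {MIN_CONFIDENCE}"))
            continue
        if kind == "domain":
            if not valid_domain(value):
                rejected.append((lineno, value, "malformed domain"))
                continue
            if value.endswith(ALLOWLIST_SUFFIXES):
                rejected.append((lineno, value, "allowlisted"))
                continue
            key = ("domain", value.rstrip("."))
        elif kind == "ipv4":
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                rejected.append((lineno, value, "malformed address"))
                continue
            if net.version != 4 or net.is_loopback or net.is_multicast or net.is_unspecified:
                rejected.append((lineno, value, "not a routable IPv4 address"))
                continue
            key = ("ipv4", str(net))
        else:
            rejected.append((lineno, value, f"unknown type {kind!r}"))
            continue
        if key not in seen:  # case-folded duplicates are dropped, not pushed twice
            seen.add(key)
            accepted.append(key)
    return accepted, rejected


def render_rpz(domains, zone="rpz.blocklist.example"):
    """DNS RPZ records: each bad domain and its subdomains resolve to NXDOMAIN (CNAME .)."""
    lines = []
    for d in domains:
        lines.append(f"{d}.{zone}. CNAME .")
        lines.append(f"*.{d}.{zone}. CNAME .")
    return "\n".join(lines)


def render_firewall_list(networks):
    """One CIDR per line, the shape most firewall external-dynamic-list features consume."""
    return "\n".join(networks)


def build_blocklists(feed_text: str):
    """Run the full pipeline and return the artifacts plus an audit record of what was rejected."""
    accepted, rejected = parse_feed(feed_text)
    domains = [v for k, v in accepted if k == "domain"]
    nets = [v for k, v in accepted if k == "ipv4"]
    audit = {"generated_at": datetime.now(timezone.utc).isoformat(),
             "accepted": len(accepted), "rejected": rejected}
    return {"rpz": render_rpz(domains), "firewall": render_firewall_list(nets), "audit": audit}


if __name__ == "__main__":
    out = build_blocklists(SAMPLE_FEED)
    print(out["rpz"])
    print(out["firewall"])
    print(json.dumps(out["audit"], indent=2))
```

The audit record is the part most often skipped in a quick automation: when a block is pushed with no human in the loop, the rejected entries and their reasons are what lets an analyst later explain why a given indicator was, or was not, enforced. Pushing the rendered RPZ zone and CIDR list to the actual DNS server or firewall API is deliberately left out, since that call is product-specific.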

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SI-4(24)

CMMC Derived

CMMC

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15