CMMC RM.5.155 - Analyze the Effectiveness of Security Solutions

Requirement text: RM.5.155: Analyze the effectiveness of security solutions at least annually to address
anticipated risk to the system and the organization based on current and accumulated threat intelligence.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
Since sophisticated threats such as the APT are constantly changing, the threat awareness
and risk assessment of the organization are dynamic and continuous, and they inform the actual
system operations, the security requirements for the system, and the security solutions
employed to meet those requirements. Threat intelligence (i.e., threat information that has
been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary
context for decision-making processes) is infused into the risk assessment processes and
information security operations of the organization to identify any changes required to
address the dynamic threat environment.

NIST SP 800-30 provides guidance on risk assessments.

CMMC CLARIFICATION
Organizations should perform regular assessments of their cybersecurity capability, including
the effectiveness of the security controls in light of current threat intelligence. These
assessments go beyond identifying misconfigurations and vulnerabilities: they assess the
intended capability against newly acquired threat intelligence to determine whether the expected
effectiveness against the threat is still being achieved. Such an assessment could identify
shortcomings in the intended cybersecurity capability that an adversary could take
advantage of, resulting in risks to the organization. These assessments of the security
solutions help identify necessary changes in the design, architecture, and configuration
of the solutions. These changes should be rolled into standard operating procedure
timeframes, prioritized according to the criticality of the findings.

Example 1
Your organization built a new service this year that prevents users from browsing the
internet directly. The new solution gives users indirect internet access and allows content to be
downloaded only after a scrubbing and analysis process. During an assessment it was
identified that this solution is working properly, except that all PDF files can be downloaded
without being scrubbed and are sent directly to the users' machines. This finding leads the team
to look at the configuration of the solution and identify that a misconfiguration has been put
in place. The team makes this finding a high priority and immediately puts in a change request
to the team that manages the solution. The assessment team works with the configuration
team and verifies that the change is put in place and that PDFs are no longer downloaded without
being analyzed.

Example 2
Your organization has endpoint protection on each enterprise user system. This solution
helps monitor for malicious commands being run on the endpoint. During an assessment it
is found that if a user attempts to run a music application that is already whitelisted, the
endpoint monitoring solution fails. This leaves the endpoint without the extra protection and
monitoring desired by the organization. Upon further analysis, it is identified that the failing
endpoints required a driver update to fix the problem. This problem was fixed and the endpoints
no longer suffer from this issue.

References
• CMMC modification of Draft NIST SP 800-171B 3.11.5e
• CERT RMM v1.2 RISK:SG6.SP1