Practice RA.L3-3.11.5e Details
Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).
RA.L3-3.11.5E – SECURITY SOLUTION EFFECTIVENESS
SECURITY REQUIREMENT
Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
- [a] Security solutions are identified;
- [b] Current and accumulated threat intelligence is identified;
- [c] Anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified; and
- [d] The effectiveness of security solutions is assessed at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
[SELECT FROM: Risk assessment policy; security planning policy and procedures; security assessment policy and procedures; security assessment plans; security assessment results; procedures addressing organizational assessments of risk; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; threat intelligence information; other relevant documents or records].
Interview
[SELECT FROM: Organizational personnel responsible for security assessments; organizational personnel responsible for risk assessments; organizational personnel responsible for threat analysis; organizational personnel responsible for information security].
Test
[SELECT FROM: Mechanisms supporting, conducting, documenting, reviewing, disseminating, and updating risk assessments; mechanisms supporting and/or implementing security assessments].
DISCUSSION [NIST SP 800-172]
Threat awareness and risk assessment of the organization are dynamic, continuous, and inform system operations, security requirements for the system, and the security solutions employed to meet those requirements. Threat intelligence (i.e., threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to help provide the necessary context for decision making) is infused into the risk assessment processes and information security operations of the organization to identify any changes required to address the dynamic threat environment.
[NIST SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses.
FURTHER DISCUSSION
This requirement calls for the organization to analyze threat intelligence and consider the effectiveness of currently deployed cybersecurity solutions against existing, new, and emerging threats. The goal is to understand the risk to the systems and the organization in light of that threat intelligence and to adjust security solutions so that the risk is reduced to an acceptable level. Analysis of solutions should cover the operational settings of the deployed systems as they actually run, not solely a conceptual analysis of what the solutions are capable of. This includes verifying that configuration settings match the values the organization intended and have not drifted over time.
Threat information can be thought of as raw data, and on its own it may be of limited use for evaluating the effectiveness of controls across the enterprise. For example, knowledge of a single threat that has not been correlated with other threats may lead to evaluating only an implementation that provides partial protection for one set of systems when, in fact, the emerging threat applies to the entire enterprise. Large organizations may also have the resources to aggregate, transform, analyze, correlate, interpret, and enrich threat information to support decision-making about the adequacy of existing security mechanisms and methods.
Example
You are responsible for information security in your organization, which holds and processes CUI. The organization subscribes to multiple threat intelligence sources [b]. In order to assess the effectiveness of current security solutions, the security team analyzes any new incidents reported in the threat feeds. They identify weaknesses that were leveraged by malicious actors and then look for similar weaknesses in their own security architecture [a,c]. This analysis is passed to the architecture team for engineering change recommendations, including system patching guidance, new sensors, and the associated alerts that should be generated, and to identify ways to mitigate, transfer, or accept the risk, as needed to respond to such events if they occur within the organization [d].
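The following is an added worked example, not part of the assessment guide or the wiki, showing one way to make the assessment in the Example and in the Further Discussion concrete in code: each deployed solution [a] is recorded with the adversary techniques it is meant to cover and with both its intended and its observed configuration; threat reports [b] are accumulated into the set of anticipated techniques [c]; and a solution only counts as effective against a technique [d] if its live configuration has not drifted from the baseline, which captures the guide's point that the analysis must be operational rather than purely conceptual. The technique identifiers are written in MITRE ATT&CK style but are used here only as labels, and all solutions, settings and feeds are constructed sample data, not taken from any real environment or intelligence source.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Solution:
    """A deployed security solution [a]: what it is meant to protect against,
    and the configuration it needs in order to actually do so."""
    name: str
    covers: frozenset[str]      # techniques it mitigates when configured as intended
    intended: dict[str, str]    # baseline the organization decided on
    observed: dict[str, str]    # settings read back from the live system (constructed here)

    def drift(self) -> dict[str, tuple[str | None, str | None]]:
        """Settings whose observed value differs from the baseline: {key: (intended, observed)}.
        A key missing on either side is reported as None so silent removals are caught too."""
        keys = set(self.intended) | set(self.observed)
        return {k: (self.intended.get(k), self.observed.get(k))
                for k in sorted(keys) if self.intended.get(k) != self.observed.get(k)}

    def is_effective(self) -> bool:
        """Operational effectiveness, not conceptual capability: no drift from baseline."""
        return not self.drift()


@dataclass
class ThreatReport:
    """One item of threat intelligence [b]: its source and the techniques it reports."""
    source: str
    techniques: frozenset[str]


def accumulate(reports: list[ThreatReport]) -> dict[str, set[str]]:
    """Accumulated threat intelligence [c]: technique -> the sources reporting it.
    Sources are kept rather than counted so corroboration across feeds is visible."""
    anticipated: dict[str, set[str]] = {}
    for report in reports:
        for technique in report.techniques:
            anticipated.setdefault(technique, set()).add(report.source)
    return anticipated


def assess(solutions: list[Solution], reports: list[ThreatReport]) -> dict[str, dict]:
    """Effectiveness assessment [d]: for every anticipated technique, which deployed
    solutions protect against it right now, and which only do so on paper."""
    findings: dict[str, dict] = {}
    for technique, sources in accumulate(reports).items():
        relevant = [s for s in solutions if technique in s.covers]
        effective = sorted(s.name for s in relevant if s.is_effective())
        drifted = {s.name: s.drift() for s in relevant if not s.is_effective()}
        if effective:
            status = "covered"
        elif drifted:
            status = "degraded"   # a solution exists but has drifted from its baseline
        else:
            status = "gap"        # nothing deployed addresses this technique
        findings[technique] = {"sources": sorted(sources), "effective": effective,
                               "drifted": drifted, "status": status}
    return findings


def triage(findings: dict[str, dict]) -> list[str]:
    """Techniques that need an engineering change recommendation, most-corroborated first."""
    open_items = [t for t, f in findings.items() if f["status"] != "covered"]
    return sorted(open_items, key=lambda t: (-len(findings[t]["sources"]), t))


# Constructed sample data: hypothetical solutions, settings and feeds for illustration only.
SOLUTIONS = [
    Solution("EDR", frozenset({"T1059.001", "T1055"}),
             intended={"script_block_logging": "on", "amsi": "on"},
             observed={"script_block_logging": "on", "amsi": "on"}),
    Solution("Email gateway", frozenset({"T1566.001"}),
             intended={"attachment_sandboxing": "on", "macro_block": "on"},
             observed={"attachment_sandboxing": "on", "macro_block": "off"}),  # drifted
    Solution("MFA", frozenset({"T1110"}),
             intended={"enforced_for": "all"},
             observed={"enforced_for": "all"}),
]
REPORTS = [
    ThreatReport("feed-A", frozenset({"T1566.001", "T1059.001", "T1078"})),
    ThreatReport("feed-B", frozenset({"T1566.001", "T1110"})),
]

if __name__ == "__main__":
    results = assess(SOLUTIONS, REPORTS)
    for technique in triage(results):
        f = results[technique]
        print(f"{technique}: {f['status']} (reported by {', '.join(f['sources'])}); drift: {f['drifted']}")
```

Run as-is, the output lists T1566.001 as degraded (the gateway's macro blocking was switched off after deployment, so the spearphishing protection exists only on paper) and T1078 as an outright gap, in that order because the first is reported by both feeds; the two covered techniques are not listed. The same shape works for real inputs if `observed` is populated from the live system's configuration export and `REPORTS` from the organization's actual feeds.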
Potential Assessment Considerations
- Does the organization make adjustments during an incident or operational improvements after an incident has occurred [d]?
- Has the organization implemented an analytical process to assess the effectiveness of security solutions against new or compiled threat intelligence [b,c,d]?
- Has the organization implemented a process to identify if an operational security solution fails to contribute to the protections needed against specific adversarial actions based on new threat intelligence [a,b,c,d]?
KEY REFERENCES
- NIST SP 800-172 3.11.5e