Risk Assessment (RA)
RA.L3-3.11.1E – THREAT-INFORMED RISK ASSESSMENT
Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
[ODP1] Sources of threat intelligence are defined;
[a] A risk assessment methodology is identified;
[b] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures;
[c] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform the selection of security solutions;
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
[SELECT FROM: Personnel security policy; system and services acquisition policy; procedures addressing personnel screening; records of screened personnel; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; security plan; list of individuals who have been identified as posing an increased level of risk; list of appropriate access authorizations required for system personnel; personnel screening criteria and associated documentation; other relevant documents or records].
Interview
[SELECT FROM: Organizational personnel responsible for personnel security; organizational personnel responsible for information security; organizational personnel responsible for system and services acquisition; organizational personnel responsible for personnel screening].
Test
[SELECT FROM: Organizational processes for personnel screening; mechanisms supporting personnel screening].
DISCUSSION [NIST SP 800-172]
If adverse information develops or is obtained about an individual with access to CUI which calls into question whether the individual should have continued access to systems containing CUI, actions are taken (e.g., preclude or limit further access by the individual, audit actions taken by the individual) to protect the CUI while the adverse information is resolved.
FURTHER DISCUSSION
According to the Defense Counterintelligence and Security Agency (DCSA) (Industrial Security Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information that negatively reflects on the integrity or character of an individual. This pertains to an individual’s ability to safeguard sensitive information, such as CUI. Adverse information may be as simple as a report showing that someone has sent sensitive information outside the organization or used unapproved software, against company policy. An organization may receive adverse information about an individual through police reports, reported violations of company policies (including social media posts that directly violate company policies), and revocation or suspension of a DoD clearance.
When adverse information is identified about a given individual, the organization should take action to validate that information resources accessible by the individual have been identified and appropriate protection mechanisms are in place to safeguard information and system configurations. Based on organizational policy, an individual’s access to resources may be more closely monitored or restricted until further review. Logs should be examined to identify any attempt to perform unauthorized actions.
Example
You learn that one of your employees has been convicted on shoplifting charges. Based on organizational policy, you report this information to human resources (HR), which verifies the information with a criminal background check [a,b,c]. Per policy, you increase the monitoring of the employee’s access to ensure that the employee does not exhibit patterns of behavior consistent with an insider threat [d]. You maintain contact with HR as they investigate the adverse information so that you can take stronger actions if required, such as removing access to organizational systems.
Potential Assessment Considerations
Does the organization define the protection mechanisms for organizational systems if adverse information develops or is obtained about an individual with access to CUI [d]?
KEY REFERENCES
NIST SP 800-172 3.9.2e