THR-03: Threat Intelligence Feeds

THR 8 — High Identify

Mechanisms exist to maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.

Control Question: Does the organization maintain situational awareness of vulnerabilities and evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls?

General (49)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC3.2-POF6 CC3.2-POF7 CC9.2-POF13
CSA IoT SCF 2 MON-11
GovRAMP Low SI-05
GovRAMP Low+ SI-05
GovRAMP Moderate SI-05
GovRAMP High SI-05 SI-05(01)
IMO Maritime Cyber Risk Management 3.5.4.1
ISO/SAE 21434 2021 RQ-08-01 RQ-08-02
ISO 27001 2022 (source) 7.4 7.4(a) 7.4(b) 7.4(c) 7.4(d)
ISO 27002 2022 5.7
MITRE ATT&CK 10 T1068, T1210, T1211, T1212
MPA Content Security Program 5.1 TS-4.2
NIST 800-53 R4 SI-5 SI-5(1)
NIST 800-53 R4 (low) SI-5
NIST 800-53 R4 (moderate) SI-5
NIST 800-53 R4 (high) SI-5 SI-5(1)
NIST 800-53 R5 (source) PM-16(1) SI-5 SI-5(1)
NIST 800-53B R5 (low) (source) SI-5
NIST 800-53B R5 (moderate) (source) SI-5
NIST 800-53B R5 (high) (source) SI-5 SI-5(1)
NIST 800-53 R5 (NOC) (source) PM-16(1)
NIST 800-82 R3 LOW OT Overlay SI-5
NIST 800-82 R3 MODERATE OT Overlay SI-5
NIST 800-82 R3 HIGH OT Overlay SI-5 SI-5(1)
NIST 800-161 R1 AT-3(8) SI-5
NIST 800-161 R1 C-SCRM Baseline SI-5
NIST 800-161 R1 Flow Down SI-5
NIST 800-161 R1 Level 1 SI-5
NIST 800-161 R1 Level 2 SI-5
NIST 800-161 R1 Level 3 SI-5
NIST 800-171 R2 (source) 3.12.3 3.14.3
NIST 800-171 R3 (source) 03.02.01.a.02 03.02.01.a.03 03.02.01.b 03.02.02.b 03.11.02.a 03.14.03.a
NIST 800-171A R3 (source) A.03.14.03.a
NIST 800-172 3.11.1e 3.14.6e
NIST 800-207 NIST Tenet 7
NIST CSF 2.0 (source) DE DE.AE-07 ID.RA-02 ID.RA-03 ID.RA-08
PCI DSS 4.0.1 (source) 6.3.1
PCI DSS 4.0.1 SAQ A (source) 6.3.1
PCI DSS 4.0.1 SAQ A-EP (source) 6.3.1
PCI DSS 4.0.1 SAQ B-IP (source) 6.3.1
PCI DSS 4.0.1 SAQ C (source) 6.3.1
PCI DSS 4.0.1 SAQ C-VT (source) 6.3.1
PCI DSS 4.0.1 SAQ D Merchant (source) 6.3.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.3.1
TISAX ISA 6 5.2.5
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) THR-03
SCF CORE ESP Level 1 Foundational THR-03
SCF CORE ESP Level 2 Critical Infrastructure THR-03
SCF CORE ESP Level 3 Advanced Threats THR-03
US (31)
Framework Mapping Values
US C2M2 2.1 THREAT-1.A.MIL1 THREAT-1.L.MIL3 THREAT-1.M.MIL3 THREAT-2.K.MIL3 RISK-2.J.MIL3
US CERT RMM 1.2 COMM:SG2.SP1 COMM:SG2.SP2
US CISA CPG 2022 3.A
US CJIS Security Policy 5.9.3 (source) SI-5
US CMMC 2.0 Level 2 (source) CA.L2-3.12.3 SI.L2-3.14.3
US CMMC 2.0 Level 3 (source) RA.L3-3.11.1E SI.L2-3.14.3 SI.L3-3.14.6E
US CMS MARS-E 2.0 SI-5
US DoD Zero Trust Execution Roadmap 3.3.3 6.7.3
US DHS CISA TIC 3.0 3.UNI.VMANG 3.UNI.ETINT
US DHS ZTCF SEC-05 TRF-01
US FedRAMP R4 SI-5
US FedRAMP R4 (low) SI-5
US FedRAMP R4 (moderate) SI-5
US FedRAMP R4 (high) SI-5
US FedRAMP R4 (LI-SaaS) SI-5
US FedRAMP R5 (source) SI-5
US FedRAMP R5 (low) (source) SI-5
US FedRAMP R5 (moderate) (source) SI-5
US FedRAMP R5 (high) (source) SI-5
US FedRAMP R5 (LI-SaaS) (source) SI-5
US FFIEC D2.TI.Ti.B.1
US HIPAA HICP Small Practice 8.S.B 8.M.C
US HIPAA HICP Large Practice 7.L.A 8.L.B 9.L.D
US IRS 1075 SI-5
US NISPOM 2020 8-103
US NNPI (unclass) 17.3
US - NY DFS 23 NYCRR500 2023 Amd 2 500.9(b)(1)
US - OR 646A 622(2)(d)(B)(iii)
US - TX DIR Control Standards 2.0 SI-5
US - TX TX-RAMP Level 1 SI-5
US - TX TX-RAMP Level 2 SI-5
EMEA (9)
APAC (2)
Framework Mapping Values
APAC India SEBI CSCRF EV.ST.S1 EV.ST.S4 ID.RA.S3 RS.AN.S1
APAC Singapore MAS TRM 2021 12.1.1 12.1.2 12.1.3
Americas (3)
Framework Mapping Values
Americas Canada CSAG 3.7
Americas Canada OSFI B-13 3.0 3.1 3.1.1 3.1.5
Americas Canada ITSP-10-171 03.02.01.A.02 03.02.01.A.03 03.02.01.B 03.02.02.B 03.11.02.A 03.14.03.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.

Level 1 — Performed Informally

Threat Management (THR) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Threat management is decentralized.
  • IT personnel subscribe to threat feeds to maintain situational awareness of emerging threats.

Level 2 — Planned & Tracked

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
  • IT/cybersecurity personnel:
      o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management.
      o Subscribe to threat feeds to maintain situational awareness of emerging threats.

Level 3 — Well Defined

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • A Security Operations Center (SOC), or similar function:
      o Subscribes to threat feeds to maintain situational awareness of emerging threats.
      o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization.
      o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability.
      o Implements a “threat hunting” capability to actively identify internal threats.
  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
  • Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.

Level 4 — Quantitatively Controlled

Threat Management (THR) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.

Assessment Objectives

  1. THR-03_A01 external organizations from whom system security alerts, advisories and directives are to be received on an ongoing basis are defined.
  2. THR-03_A02 personnel or roles to whom security alerts, advisories and directives are to be disseminated is/are defined.
  3. THR-03_A03 elements within the organization to whom security alerts, advisories and directives are to be disseminated are defined.
  4. THR-03_A04 external organizations to whom security alerts, advisories and directives are to be disseminated are defined.
  5. THR-03_A05 system security alerts, advisories, and directives from external organizations are received on an ongoing basis.
  6. THR-03_A06 threat indicator information is identified.
  7. THR-03_A07 effective mitigations are identified.
  8. THR-03_A08 intrusion detection approaches are identified.
  9. THR-03_A09 threat hunting activities are identified.
  10. THR-03_A10 internal security alerts, advisories and directives are generated as deemed necessary.
  11. THR-03_A11 security alerts, advisories and directives are disseminated per organization-defined criteria.
  12. THR-03_A12 security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance.
  13. THR-03_A13 external organizations from which to obtain threat indicator information and effective mitigations are defined.
  14. THR-03.1_A03 automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined.
  15. THR-03.1_A04 automated mechanisms are used to broadcast security alerts and advisory information throughout the organization.
  16. THR-03.1_A05 automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.

Evidence Requirements

E-THR-03 Threat Intelligence Feeds (TIF)

Documented evidence of threat intelligence feeds.

Threat Management

Technology Recommendations

Micro/Small

  • US-CERT mailing lists & feeds
  • Internal newsletters

Small

  • US-CERT mailing lists & feeds
  • Internal newsletters

Medium

  • US-CERT mailing lists & feeds
  • Internal newsletters
  • InfraGard (https://infragard.org)

Large

  • US-CERT mailing lists & feeds
  • Internal newsletters
  • InfraGard (https://infragard.org)

Enterprise

  • US-CERT mailing lists & feeds
  • Internal newsletters
  • InfraGard (https://infragard.org)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.