Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: RM

Level Introduced: 5

Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.

CMMC Clarification:
Organizations should perform regular assessments of their cybersecurity capability to include the effectiveness of the security controls in light of current threat intelligence. These assessments go beyond identifying misconfigurations and vulnerabilities to assessing the intended capability against newly acquired threat intelligence to determine if the expected effectiveness against the threat is still being achieved. Such an assessment could identify shortcomings in the intended cybersecurity capability that the adversary could take advantage of resulting in risks to the organization These assessments of the security solutions will help identify necessary changes in the design, architecture, and configuration of the solutions. These changes should be rolled into standard operating procedure timeframes and based on criticality of the findings.

Example 1
Your organization built a new service this year that will prevent users from browsing the internet directly. The new solution allows users to have indirect internet and allows downloaded content after a scrubbing and analysis process. During an assessment it was identified that this solution is working properly, except that all PDF files can be downloaded without being scrubbed and sent directly to the users’ machines. This finding leads the team to look at the configuration of the solution and identify that a misconfiguration has been put in place. The team makes this finding a high priority and immediately put in a change request to the team that manages the solution. The assessment team works with the configuration team and verifies the change is put in place and PDFs are no longer downloaded without being analyzed.

Example 2
Your organization has end point protection on each enterprise user system. This solution helps monitor for malicious commands being run on the solution. During an assessment it is found that if a user attempts to run a music application that is already whitelisted, the end point monitoring solution fails. This causes an endpoint to lack the extra protection and monitoring desired by the organization. Upon further analysis, it is identified the endpoints failing required a driver update to fix the problem. This problem was fixed and the endpoints no longer suffer from this issue.


Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

Threat awareness and risk assessment of the organization is dynamic, continuous, and informs the system operations, the security requirements for the system, and the security solutions employed to meet those requirements. Threat intelligence (i.e., threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to help provide the necessary context for decision909 making) is infused into the risk assessment processes and information security operations of the organization to identify any changes required to address the dynamic threat environment.

[SP 800-30] provides guidance on risk assessments, threat assessments, and risk analyses.

Source: NIST Special Publication 800-172 (Draft)

Source: CMMC v1.02