Security Experts:

Connect with us

Hi, what are you looking for?


Threat Intelligence

Mapping Threat Intelligence to the NIST Compliance Framework

Enhancing cybersecurity and compliance programs with actionable intelligence that adds insight can easily justify the investment and growth of threat intelligence programs.

Mapping Threat Intelligence to the NIST Compliance Framework

Threat intelligence is critical for compliance personnel to justify budgets for governance, risk and compliance (GRC) 

It is estimated that compliance drives 50% of the spend in the cybersecurity industry. Recently, some of our customer, defender-side colleagues indicated that threat intelligence was not typically  considered within compliance frameworks. The main reason for this was noisy data feeds, a lack of identifiable metrics, and the lack of actionable intelligence related to the customer’s pain points.

Using the NIST Framework, organizations assess their current security posture, agree to organizational goals, understand their gaps and develop plans to optimize their security posture. We used this framework to show how threat intelligence is critical for compliance personnel to justify budgets for governance, risk and compliance (GRC) and how it is also important for CISOs and security practitioners responsible for incident response, security operations, and third-party risk. This column is the first in a two part series and will focus on the NIST frameworks for “identify”.


Asset Management

1) ID.AM-4: External information systems are cataloged. Service providers continuously monitor external digital footprints, identifying new assets and new services. Open RDP ports, shadow IT devices operating outside of firewall policy and unauthorized file shares communicating with your environment are three of the most common use cases for monitoring the perimeter, or external attack surface management.

Risk Assessment

2) ID.RA-1: Asset vulnerabilities are identified and documented. While this sub-category is generally intended for internal assets being monitored for misconfiguration, external assets also need to be continuously monitored and assessed to identify vulnerabilities and determine the probability of an actor exploiting those vulnerabilities.

3) ID.RA-2: Cyber threat intelligence is received from information-sharing forums and sources. Threat intelligence and managed service providers can use access to the dark web and open-source forums, including social media, to collect information about potential threats. This is typically done by crawling the web to identify stolen credentials on the darkweb, find social media impersonations, assess physical threats to personnel or facilities, identify negative brand and reputation sentiment and, if necessary, engage directly with threat actors.

4) ID.RA-3: Threats, both internal and external, are identified and documented. External threats could range from ransomware groups targeting an organization to cyber criminals selling access to an organization’s data. Intelligence providers can assist with potential insider threats by monitoring externally for malicious activity (e.g. employees selling access or data on criminal forums) and unauthorized file sharing.

5) ID.RA-4: Potential business impacts and likelihoods are identified. Intelligence can identify the likelihood of external threat activity and provide context. For example, context can be provided around specific ransomware families and determine if detection tools can identify their payloads short of encrypting files. This context can be considered in the overall business impact analysis.

6) ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Threats, vulnerabilities, and likelihood of threats can be included in threat landscape assessments to help determine the overall risk to businesses. For example, a threat landscape should cover global geopolitical activity focused on an enterprise’s business locations. Of particular interest is activity involving cyber, physical, insider, crypto/digital and supply chain threats related to critical vendors. The intelligence goal is to identify current and escalating threats so leaders can adapt as threats change.

Supply Chain Management

7) ID.SC-2: Suppliers and third-party partners are identified, prioritized, and assessed using a cyber supply chain risk assessment process. Threat intelligence providers monitor the internet using attack surface and reputation monitoring tools for critical suppliers. After ranking suppliers high, medium and low, an enterprise should conduct threat intelligence monitoring and RFI responses for critical suppliers where data and services reside outside of an enterprise’s perimeter (ex. MSPs) and could present a higher probability of compromise.

8) ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations. Ideally, threat intelligence providers and managed service providers would continuously monitor the internet to ensure that audits, test results and questionnaires are valid. Vendor questionnaires should be considered a starting point in third party risk assessment for legal and compliance purposes. However, these questionnaires should be validated and contextualized with threat intelligence, particularly for high risk vendors.

As discussed, enhancing cybersecurity and compliance programs with actionable intelligence that complements and adds insight can easily justify the investment and growth of threat intelligence programs. It is a valuable approach that should be employed by more enterprise organizations.

The next article in this series will focus on how to mold threat intelligence to conform with the NIST cybersecurity framework sub-categories “Protect”, “Detect”, and “Respond”.

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Expert Insights

Related Content


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Threat Intelligence

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Management & Strategy

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released...

Data Protection

Artificial intelligence is more artificial than intelligent.


Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon


We’ve all marveled at the latest innovations from Tesla, the skill of Google’s self-driving cars, or, at the very least, enjoyed playing a podcast...

Management & Strategy

With financial pressure falling on business leaders, cutting costs can be necessary for survival. Being understaffed and ignoring critical business operations is not an...