NIST 800-53 REV 5 • RISK ASSESSMENT

RA-3(2) Use of All-source Intelligence

Use all-source intelligence to assist in the analysis of risk.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information, measurement and signature intelligence, human intelligence, signals intelligence, and imagery intelligence. All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and unintentional) from development, manufacturing, and delivery processes, people, and the environment. The risk analysis may be performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Organizations may develop agreements to share all-source intelligence information or resulting decisions with other organizations, as appropriate.

Practitioner Notes

This enhancement leverages all-source intelligence — open-source, commercial, and government intelligence feeds — to inform your risk assessments with real-world threat data rather than relying solely on theoretical risk scenarios.

Example 1: Subscribe to CISA advisories, sector-specific ISACs, and commercial threat intelligence feeds. Before conducting a risk assessment, review current threat reports relevant to your industry and technology stack to ensure your threat scenarios reflect actual adversary behavior.

Example 2: Integrate threat intelligence into your risk assessment methodology by mapping known threat actor TTPs (from MITRE ATT&CK) to your systems' vulnerabilities. This gives you a more realistic picture of which threats are most likely and helps prioritize your mitigations.
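One way to carry out the mapping in Example 2, shown as an added illustration rather than anything from NIST or this page's author: findings are weighted by how many independent source types report the ATT&CK techniques they enable. The report data, finding IDs, asset names, and the 0.5 weighting factor are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample reports: (source type, ATT&CK technique ID). Not real advisories.
INTEL_REPORTS = [
    ("cisa_advisory", "T1190"),    # Exploit Public-Facing Application
    ("sector_isac", "T1190"),
    ("commercial_feed", "T1190"),
    ("sector_isac", "T1566"),      # Phishing
    ("commercial_feed", "T1566"),
    ("commercial_feed", "T1078"),  # Valid Accounts
    ("sector_isac", "T1486"),      # Data Encrypted for Impact
]

# Constructed assessment findings; IDs and assets are placeholders.
# severity is a 0-10 base score; techniques are the TTPs each weakness enables.
FINDINGS = [
    {"id": "FINDING-A", "asset": "vpn-gateway", "severity": 7.0, "techniques": ["T1190"]},
    {"id": "FINDING-B", "asset": "hr-workstation", "severity": 8.5, "techniques": ["T1204"]},
    {"id": "FINDING-C", "asset": "mail-server", "severity": 6.0, "techniques": ["T1566", "T1078"]},
]

def technique_corroboration(reports):
    """Count distinct source types reporting each technique."""
    sources = defaultdict(set)
    for source, technique in reports:
        sources[technique].add(source)
    return {t: len(s) for t, s in sources.items()}

def prioritize(findings, reports, factor=0.5):
    """Rank findings by severity scaled by corroboration of their best-attested TTP."""
    weight = technique_corroboration(reports)
    ranked = []
    for f in findings:
        # A finding whose techniques appear in no report keeps its base severity.
        seen = max((weight.get(t, 0) for t in f["techniques"]), default=0)
        ranked.append((round(f["severity"] * (1 + factor * seen), 2), f["id"], f["asset"]))
    return sorted(ranked, reverse=True)

def unmodeled_techniques(findings, reports):
    """Techniques present in intelligence that no finding maps to (scenario gaps)."""
    modeled = {t for f in findings for t in f["techniques"]}
    return sorted(set(technique_corroboration(reports)) - modeled)

if __name__ == "__main__":
    for score, fid, asset in prioritize(FINDINGS, INTEL_REPORTS):
        print(f"{score:6.2f}  {fid}  {asset}")
    print("No scenario covers:", unmodeled_techniques(FINDINGS, INTEL_REPORTS))
```

With this sample data the highest raw severity (FINDING-B) ranks last because no source reports its technique, and T1486 surfaces as a technique the assessment has no scenario for.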