
Include security information sharing procedures in the internal control framework.


CONTROL ID
06489
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

This Control has the following implementation support Control(s):
  • Share security information with interested personnel and affected parties., CC ID: 11732
  • Evaluate information sharing partners, as necessary., CC ID: 12749


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • To maintain good cyber situational awareness, the FI should establish a process to collect, process and analyse cyber-related information for its relevance and potential impact to the FI's business and IT environment. Cyber-related information would include cyber events, cyber threat intelligence an… (§ 12.1.1, Technology Risk Management Guidelines, January 2021)
  • Security personnel should familiarize themselves with the Information Security services and roles furnished by governmental agencies and bodies. (Control: 0879, Australian Government Information Security Manual: Controls)
  • the identification of measures relating to preparedness, response and recovery, including cooperation between the public and private sectors; (Art. 7.1(c), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under this Directive, as well as coordinati… (Article 7 1(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • including relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law; (Article 7 2(h), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • aims to prevent, detect, respond to or recover from incidents or to mitigate their impact; (Article 29 1(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall ensure that essential and important entities notify the competent authorities of their participation in the cybersecurity information-sharing arrangements referred to in paragraph 2, upon entering into such arrangements, or, as applicable, of their withdrawal from such arrangemen… (Article 29 4., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyber threats, limiting or impeding the cyber threats' ability to spread, supporting defence capabilities, threat detection techniques, mitigation strategies or response a… (Art. 45.1.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Information security is a complex issue, so the persons responsible for it must familiarise themselves with it very carefully. There are many sources of information available that can be used in this regard. These include, among other things, existing standards, Internet publications, and other publ… (§ 4.2 Bullet 6 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Select and adapt safeguards by documenting the module to target object assignments ("IT-Grundschutz model") and the corresponding contact people. (4.4 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Are vulnerability testing results and penetration testing results shared with all appropriate security and Network Administrators? (Table Row X.9, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Critical business applications and underlying technical infrastructure should be protected against targeted attacks that may disrupt business processes by reviewing intelligence information (e.g., to help understand key threats and related motivations, types, and methods). (CF.20.03.10a, The Standard of Good Practice for Information Security)
  • The information security function should maintain contact with counterparts in the commercial world. (CF.01.02.08b-1, The Standard of Good Practice for Information Security, 2013)
  • The information security function should maintain contact with security experts in computer / software companies and service providers. (CF.01.02.08b-3, The Standard of Good Practice for Information Security, 2013)
  • The organization should establish and maintain contact with relevant authorities. (§ 5.5 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Cyber threat intelligence is received from information sharing forums and sources. (ID.RA-2, CRI Profile, v1.2)
  • The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: (RS.AN-5.1, CRI Profile, v1.2)
  • Public sources (e.g., security researchers); (RS.AN-5.1(1), CRI Profile, v1.2)
  • Vulnerability sharing forums (e.g., FS-ISAC); and (RS.AN-5.1(2), CRI Profile, v1.2)
  • Third-parties (e.g., cloud vendors); (RS.AN-5.1(3), CRI Profile, v1.2)
  • Internal sources (e.g., development teams). (RS.AN-5.1(4), CRI Profile, v1.2)
  • The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from: (RS.AN-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Public sources (e.g., security researchers); (RS.AN-5.1(1), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Vulnerability sharing forums (e.g., FS-ISAC); and (RS.AN-5.1(2), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Third-parties (e.g., cloud vendors); (RS.AN-5.1(3), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Internal sources (e.g., development teams). (RS.AN-5.1(4), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Does the information security function contain contacts with Information Security Special Interest Groups? (§ C.1.8, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Interface with US-CERT to obtain relevant CSP information; ensure cross-sharing of information across all organizations performing BCD/MCD Actions. (Section 6.3 ¶ 1 Bullet 1, sub-bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The Federal Bureau of Investigation Criminal Justice Information Services Division Information Security Officer shall maintain a security policy resource center on the FBI.gov website and keep the Information Security Officers updated with any pertinent information. (§ 3.2.10(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (Domain 1: Assessment Factor: Governance, STRATEGY/POLICIES Baseline 2 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Using a threat intelligence and collaboration process to identify and respond to information on threats and vulnerabilities. (App A Objective 12:8 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., FedRAMP Security Controls High Baseline, Version 5)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., FedRAMP Security Controls Low Baseline, Version 5)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Are industry advisories and vendor advisories monitored on a regular basis, and are appropriate actions taken to protect the Credit Union's information assets and member data? (IT - Security Program Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Organizational practices are in place to enable AI testing, identification of incidents, and information sharing. (GOVERN 4.3, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Actively seek to enrich indicators by providing additional context, corrections, or suggested improvements (3.2. ¶ 4 Bullet 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Use a formalized information-sharing function to engage with ISACs, the FASC, and other government agencies to enhance the enterprise's supply chain cybersecurity threat and risk insights and help ensure a coordinated and holistic approach to addressing cybersecurity risks throughout the supply chai… (3.4.2. ¶ 1 Bullet 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Establish information-sharing goals and objectives that support business processes and security policies (3.2. ¶ 4 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • To maintain currency with recommended security and privacy practices, techniques, and technologies; and (PM-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. (PM-16 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • To maintain currency with recommended security and privacy practices, techniques, and technologies; and (PM-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. (PM-16 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Cyber threat intelligence is received from information sharing forums and sources (ID.RA-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Cyber threat intelligence is received from information sharing forums and sources (ID.RA-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • To maintain currency with recommended security practices, techniques, and technologies; and (PM-15b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization implements a threat awareness program that includes a cross-organization information-sharing capability. (PM-16 Control:, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Lead efforts to promote the organization's use of knowledge management and information sharing. (T0339, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop processes with the external audit group on how to share information regarding the continuous monitoring program and its impact on security control assessment. (T0990, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with other customer, Intelligence and targeting organizations involved in related cyber areas. (T0599, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish liaison with scoring and metrics working group to support continuous monitoring. (T0998, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with external affairs to develop relationships with consumer organizations and other NGOs with an interest in privacy and data security issues—and to manage company participation in public events related to privacy and data security (T0883, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must establish and maintain contact with security groups and associations. (SG.AT-5 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Establish liaison with scoring and metrics working group to support continuous monitoring. (T0998, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop processes with the external audit group on how to share information regarding the continuous monitoring program and its impact on security control assessment. (T0990, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with external affairs to develop relationships with consumer organizations and other NGOs with an interest in privacy and data security issues—and to manage company participation in public events related to privacy and data security (T0883, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with other customer, Intelligence and targeting organizations involved in related cyber areas. (T0599, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization plans and coordinates security-related activities affecting the information system with {organizationally documented individuals or groups} before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented personnel} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented roles} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization plans and coordinates security-related activities affecting the information system with {organizationally documented individuals or groups} before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented personnel} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented roles} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented roles} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4, Deprecated)
  • The organization plans and coordinates security-related activities affecting the information system with {organizationally documented individuals or groups} before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented personnel} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Deprecated)
  • The organization shares information obtained from the vulnerability scanning process and security control assessments with {organizationally documented roles} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Deprecated)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • To maintain currency with recommended security practices, techniques, and technologies; and (PM-15b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization implements a threat awareness program that includes a cross-organization information-sharing capability. (PM-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • To maintain currency with recommended security and privacy practices, techniques, and technologies; and (PM-15b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. (PM-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and (RA-5e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • To maintain currency with recommended security and privacy practices, techniques, and technologies; and (PM-15b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. (PM-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization implements a threat awareness program that includes a cross-organization information-sharing capability. (PM-16 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., TX-RAMP Security Controls Baseline Level 1)
  • Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). (RA-5e., TX-RAMP Security Controls Baseline Level 2)