NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-16 — Threat Awareness Program
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Supplemental Guidance
Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.
Practitioner Notes
A threat awareness program keeps your organization informed about current threats targeting your sector, your technology stack, or organizations like yours. This goes beyond generic awareness training — it is about operational threat intelligence.
Example 1: Subscribe to threat intelligence feeds like CISA's Automated Indicator Sharing (AIS), AlienVault OTX, or a commercial feed. Designate someone to review weekly threat briefings and distribute relevant alerts to system administrators and security staff.
Example 2: Configure Microsoft Sentinel to ingest threat intelligence indicators and automatically correlate them against your log data. When a known malicious IP or domain appears in your logs, Sentinel generates an alert. Brief leadership quarterly on the threat landscape and any incidents detected.