NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-16(1) Automated Means for Sharing Threat Intelligence

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools.

Practitioner Notes

This enhancement requires using automated tools to share and consume threat intelligence rather than relying solely on manual processes like email alerts or PDF reports.

Example 1: Implement STIX/TAXII feeds in your SIEM so threat indicators (malicious IPs, domains, file hashes) are automatically ingested and correlated against your network traffic and endpoint telemetry without human intervention.

Example 2: In Microsoft Sentinel, go to Threat Intelligence → Data Connectors and enable the TAXII or Microsoft Defender Threat Intelligence connector. This automatically pulls in threat indicators and creates detection rules that fire when those indicators are seen in your environment.
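The automated ingestion and correlation described in Example 1, shown as an added Python example that is not part of the NIST text or any SIEM's own code: it loads a constructed STIX 2.1 bundle, discards revoked, not-yet-valid and expired indicators, and matches the rest against constructed telemetry. The log field names (`host`, `dst_ip`, `query`) and the restriction to single-equality patterns are assumptions made for this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle, trimmed to the fields used here (documentation IP, .example domains).
BUNDLE = json.loads("""{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000a", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2024-01-01T00:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000b", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'bad.example']", "valid_from": "2024-01-01T00:00:00Z",
   "valid_until": "2024-02-01T00:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000c", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'c2.example']", "valid_from": "2024-01-01T00:00:00Z", "revoked": true}]}""")

# Assumption: only single equality comparisons are handled; compound patterns are skipped.
SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_indicators(bundle, now):
    """Return {(object_type, value): indicator_id} for indicators usable at `now`."""
    active = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        until = obj.get("valid_until")
        if obj.get("revoked") or _ts(obj["valid_from"]) > now or (until and _ts(until) <= now):
            continue  # revoked, not yet valid, or expired: would only produce stale alerts
        m = SIMPLE.match(obj["pattern"].strip())
        if m:
            active[(m.group(1), m.group(2).lower())] = obj["id"]
    return active

def correlate(events, active):
    """Return (host, indicator_id) pairs for events that match an active indicator."""
    fields = {"dst_ip": "ipv4-addr", "query": "domain-name"}  # assumed log schema
    hits = []
    for ev in events:
        for field, otype in fields.items():
            key = (otype, str(ev.get(field, "")).lower())
            if key in active:
                hits.append((ev["host"], active[key]))
    return hits

# Constructed telemetry records.
EVENTS = [{"host": "ws-01", "dst_ip": "203.0.113.7"}, {"host": "ws-02", "query": "BAD.example"},
          {"host": "ws-03", "dst_ip": "198.51.100.9"}]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
HITS = correlate(EVENTS, load_indicators(BUNDLE, NOW))
```

In a deployment the bundle would come from polling a TAXII collection on a schedule instead of an inline string, with the active set rebuilt on each poll so that revocations and expiries take effect.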