In the Identify function of the Framework Core, cyber threat intelligence is now specifically identified under the Risk Assessment category. NIST defines the Risk Assessment category as an “organization understanding the cybersecurity risk to its operations, assets, and individuals.”

The Risk Assessment subcategory states that “cyber threat intelligence is received from information sharing forums and sources.” The term cyber threat intelligence replaced the previous use of threat and vulnerability information. While a subtle change, we think it’s important because it emphasizes the need for not just information but intelligent information. Information that is relevant and actionable for the organization that is consuming it.

Progressive Use of and Sharing of Threat Intelligence Key to Progressing through Framework Implementation Tiers

Threat intelligence and information sharing is also becoming a more important element of the NIST Framework Implementation Tiers. In short, there are four tiers that describe to what degree an organization’s cyber security efforts exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4).

External Participation is one of the three key practice components of the tiers. At Tier 1, its indicated that the “organization does not collaborate or receive information including threat intelligence from other entities such as Information Sharing & Analysis Organizations (ISAOs), governments, etc.” To achieve Tier 4, an organization must “receive, generate, and review prioritized information that informs continuous analysis of its risks as the threat and technology landscape evolves.”

Risk Management Process is another key practice component and it’s seems implied that increasing use of threat intelligence is necessary to progress through the tiers. For example, at Tier 4, as an element of the Risk Management Process it indicates “Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices the organization actively adapts to a changing threat and technology landscapes and responds in a timely and effective manner to evolving sophisticated threats.” Clearly, this would be challenging to attain without the use of threat intelligence.

Cyber-Attack Lifecycle Roadmap Includes Heavy Dose of Threat Intelligence & Information Sharing

One of the key future roadmap items is Cyber-Attack Lifecycle. NIST indicates this new title reflects the “importance of a holistic, approach that maximizes the value of threat intelligence and discerns threat events from the large volumes of available data” among other things. It’s also indicated that to improve risk management capabilities, it is important that cyber threat information be readily available to support decision-making and that timely communication and actionable information are critical to counter threat and address vulnerability. NIST specifically points to this including “a near-real time exchange of automated threat and vulnerability indicators between organizations and information sharing communities such as Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry peers, and supply chain partners and exchanges with security service providers.”


The importance of threat intelligence continues to increase and the increasing focus on this in the NIST Cybersecurity Framework is a validation of the importance of using threat intelligence to improve an organization’s cyber security and risk management posture.

Historically, the use of threat intelligence has been relegated to large, sophisticated enterprises that have had the resources to consume and use threat intelligence. However, we all know that cyber attackers do not discriminate based on company size meaning small and mid-sized companies face the same challenges as large enterprises.

The good news for small and mid-sized companies is that the emergence of Threat Intelligence Gateways (TIGs) is making it possible for companies of all sizes to leverage threat intelligence in their security efforts. In fact, TIGs are good news for companies of all sizes because large enterprises can leverage TIGs to operationalize their TI efforts.

TIGs are emerging as an important new category of security infrastructure as evidenced by leading market research firm Gartner recently defining this as a category in its report “Emerging Technology Analysis: Threat Intelligence Gateways.