This Spring, the National Institute of Standards and Technology (NIST) is set to release the first major update to its Framework for Improving Critical Infrastructure Cybersecurity. While the title suggests this framework is focused on critical infrastructure, the fact is organizations of all sizes and across all industries look to the NIST Framework to guide their cybersecurity efforts.

In this blog we will look at how threat intelligence is becoming a more critical component of the Framework. In a follow up blog, we will look at how the use of a Threat Intelligence Gateway (TIG) can help organizations of all sizes better align to the NIST Cybersecurity Framework.

Use of Threat Intelligence Becoming More Critical Throughout the Framework

As we look at the proposed updates and the future roadmap for the NIST Cybersecurity Framework, it’s clear that the use of threat intelligence is becoming a more critical component throughout the Framework - including Core, Implementation Tiers, and the Roadmap.

Let’s look at each of these components.

Cyber Intelligence Now Used in Risk Assessment Category of Framework Core

In the Identify function of the Framework Core, cyber threat intelligence is now specifically identified under the Risk Assessment category. NIST defines the Risk Assessment category as an “organization understanding the cybersecurity risk to its operations, assets, and individuals.”

The Risk Assessment subcategory states that “cyber threat intelligence is received from information sharing forums and sources.” The term cyber threat intelligence replaced the previous use of threat and vulnerability information. While a subtle change, we think it’s important because it emphasizes the need for not just information but intelligent information. Information that is relevant and actionable for the organization that is consuming it.

Progressive Use of and Sharing of Threat Intelligence Key to Progressing through Framework Implementation Tiers

Threat intelligence and information sharing is also becoming a more important element of the NIST Framework Implementation Tiers. In short, there are four tiers that describe to what degree an organization’s cyber security efforts exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4).

External Participation is one of the three key practice components of the tiers. At Tier 1, its indicated that the “organization does not collaborate or receive information including threat intelligence from other entities such as Information Sharing & Analysis Organizations (ISAOs), governments, etc.” To achieve Tier 4, an organization must “receive, generate, and review prioritized information that informs continuous analysis of its risks as the threat and technology landscape evolves.”

Risk Management Process is another key practice component and it’s seems implied that increasing use of threat intelligence is necessary to progress through the tiers. For example, at Tier 4, as an element of the Risk Management Process it indicates “Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices the organization actively adapts to a changing threat and technology landscapes and responds in a timely and effective manner to evolving sophisticated threats.” Clearly, this would be challenging to attain without the use of threat intelligence.

Cyber-Attack Lifecycle Roadmap Includes Heavy Dose of Threat Intelligence & Information Sharing

One of the key future roadmap items is Cyber-Attack Lifecycle. NIST indicates this new title reflects the “importance of a holistic, approach that maximizes the value of threat intelligence and discerns threat events from the large volumes of available data” among other things. It’s also indicated that to improve risk management capabilities, it is important that cyber threat information be readily available to support decision-making and that timely communication and actionable information are critical to counter threat and address vulnerability. NIST specifically points to this including “a near-real time exchange of automated threat and vulnerability indicators between organizations and information sharing communities such as Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), industry peers, and supply chain partners and exchanges with security service providers.”


The importance of threat intelligence continues to increase and the increasing focus on this in the NIST Cybersecurity Framework is a validation of the importance of using threat intelligence to improve an organization’s cyber security and risk management posture.

Historically, the use of threat intelligence has been relegated to large, sophisticated enterprises that have had the resources to consume and use threat intelligence. However, we all know that cyber attackers do not discriminate based on company size meaning small and mid-sized companies face the same challenges as large enterprises.

The good news for small and mid-sized companies is that the emergence of Threat Intelligence Gateways (TIGs) is making it possible for companies of all sizes to leverage threat intelligence in their security efforts. In fact, TIGs are good news for companies of all sizes because large enterprises can leverage TIGs to operationalize their TI efforts.

TIGs are emerging as an important new category of security infrastructure as evidenced by leading market research firm Gartner recently defining this as a category in its report “Emerging Technology Analysis: Threat Intelligence Gateways.”