GRCWatch
Sign inStart free trial

NIST Cybersecurity Framework ID.RA-2: Threat Intelligence Sharing

Threat intelligence sharing is a critical pillar of modern cybersecurity risk management. ID.RA-2 requires your organization to systematically receive and integrate cyber threat intelligence from trusted information sharing forums and external sources. This control ensures your risk identification stays current with real-world threat landscapes.

What this means

ID.RA-2 mandates that your organization establish mechanisms to receive cyber threat intelligence from external sources including information sharing forums, industry-specific threat feeds, government cybersecurity agencies, and trusted partners. This intelligence should inform your risk assessment processes, threat modeling, and security posture decisions. The control emphasizes the importance of staying informed about emerging threats that could impact your organization.

How to comply

  1. 1.Identify and subscribe to relevant threat intelligence sources appropriate for your industry (e.g., ISACs, government alerts, vendor feeds)
  2. 2.Establish formal processes for receiving, validating, and assessing incoming threat intelligence
  3. 3.Integrate threat intelligence findings into your risk assessment and identification workflows
  4. 4.Create a communication channel to disseminate relevant threat intelligence to appropriate teams
  5. 5.Document which sources you subscribe to and how frequently intelligence is reviewed
  6. 6.Maintain records of threat intelligence acted upon and decisions made as a result
  7. 7.Periodically review the relevance and effectiveness of your intelligence sources

Evidence auditors look for

  • Documented list of threat intelligence sources and subscriptions with justification
  • Formal procedure document for threat intelligence intake and evaluation
  • Records showing threat intelligence alerts received and corresponding risk assessments
  • Email distributions or security advisories issued based on threat intelligence
  • Meeting minutes from security team reviews of threat intelligence findings
  • Evidence of updates to threat models or risk registers based on new intelligence
  • Logs showing access to threat intelligence platforms and forums

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch centralizes threat intelligence intake and automatically maps findings to relevant controls, eliminating manual tracking and ensuring threat insights directly inform your risk assessments.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ID.RA-1 — Asset Inventory and ValuationID.RA-3 — Risk Assessment and AnalysisID.RA-4 — Risk PrioritizationID.AM-1 — Physical and Cyber Assets