ID.RA-02 Threat Intelligence - NIST CSF 2.0 Checklist

ID.RA-02 requires organizations to cyber threat intelligence is received from information sharing forums and sources. This NIST CSF 2.0 control falls under the Identify (ID) function and the Risk Assessment category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: ID.RA-02
Title: Threat Intelligence
Function: Identify (ID)
Category: Risk Assessment
Framework: NIST CSF 2.0

Cyber threat intelligence is received from information sharing forums and sources.

Cyber threat intelligence is received from information sharing forums and sources. The organization uses threat intelligence to understand the tactics and techniques used by adversaries targeting its industry and technology stack.

Why This Matters

Reactive security that ignores threat intelligence leaves organizations surprised by attacks that were foreseeable. Threat intelligence enables proactive defense and informed risk prioritization.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of ID.RA-02.

Subscribe to industry-specific threat intelligence feeds
Participate in information sharing organizations such as ISACs
Integrate threat intelligence into vulnerability prioritization workflows
Brief leadership on emerging threats relevant to the organization quarterly
Correlate threat intelligence with internal telemetry and log data

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with ID.RA-02 during an audit.

Threat intelligence feed subscription documentation
ISAC membership records or participation logs
Threat briefing presentations and meeting minutes
Examples of threat intelligence integrated into detection rules or vulnerability priorities

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with ID.RA-02.

Threat intelligence is consumed but never operationalized into detection or prevention
No participation in industry information sharing groups
Threat briefings to leadership do not occur on a regular schedule

FAQ

What does ID.RA-02 require?

ID.RA-02 (Threat Intelligence) requires that cyber threat intelligence is received from information sharing forums and sources. The organization uses threat intelligence to understand the tactics and techniques used by adversaries targeting its industry and technology stack. This control is part of the NIST CSF 2.0 Identify function under the Risk Assessment category.

How do I prove compliance with ID.RA-02?

To demonstrate compliance with ID.RA-02, prepare the following evidence: Threat intelligence feed subscription documentation; ISAC membership records or participation logs; Threat briefing presentations and meeting minutes. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment