CMMC Practice RM.5.155
Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
Bold Coast Security Guidance
For Level 5 compliance, an organization's risk management program must be well integrated into the business strategy, and its components must work together to inform a comprehensive understanding of risk from both strategic and tactical perspectives.
DRAFT NIST SP 800-171B
Since sophisticated threats such as the APT are constantly changing, the threat awareness and risk assessment of the organization is dynamic, continuous and informs the actual system operations, the security requirements for the system, and the security solutions employed to meet those requirements. Threat intelligence (i.e., threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes) is infused into risk assessment processes and information security operations of the organization to identify any changes required to address the dynamic threat environment.
NIST SP 800-30 provides guidance on risk assessments.